Package: nx-libs
Recently a lot of CVE fixes have been added to nx-libs.
E.g. debian/patches/1027-render-check-request-size-before-reading-it-CVE.full.patch and debian/patches/1028-render-unvalidated-lengths-in-Render-extn.-swap.full.patch add missing checks to nx-X11/programs/Xserver/render/render.c.
However, there's a file called nx-X11/programs/Xserver/hw/nxagent/NXrender.c which is derived from render.c and in that file those checks are missing, too.
(I suspect the original render/render.c is not used at all in favour of hw/nxagent/NXrender.c but I am not 100% sure here.)
If render.c is used a all (I am not sure) the patches should be extended to also fix NXrender.c. If render.c is not used it should be removed and the patches should be applied to NXrender.c instead.
There might be more cases like this, I only picked this one as an example.