Hi Vishwanath,

Thank you for reporting the issue. The patch got applied incorrectly to debian/patches instead of the debian/patches-applied dir. We will fix this issue and could track it if you can create a Launchpad bug for this here: https://bugs.launchpad.net/ubuntu/+source/pam/+filebug

Thanks
Nishit

On Wed, 01. Feb 13:53, Vishwanath Pai wrote:
> I think I messed up my summary a bit:
>
> On focal: dpkg-source applies the CVE fix from debian/patches, but dpkg-buildpackage removes it before building the package.
>
> On bionic: dpkg-source does not apply the patches in debian/patches.
>
> So in both the cases it does not seem to apply the CVE fix.
>
> -Vishwanath
>
> On 2/1/2023 1:48 PM, Vishwanath Pai wrote:
> > Hi All,
> >
> > In the latest update for pam, the patch was added to "debian/patches" vs "debian/patches-applied" where all the other patches for pam reside. Was this intentional?
> >
> > pam (1.3.1-5ubuntu4.4) focal-security; urgency=medium
> >
> >   * SECURITY UPDATE: authentication bypass vulnerability
> >     - debian/patches/CVE-2022-28321.patch: pam_access: handle hostnames in
> >       access.conf
> >     - CVE-2022-28321
> >
> >  -- Nishit Majithia <nishit.majit...@canonical.com>  Tue, 24 Jan 2023 17:15:43 +0530
> >
> > For our bionic builds it is picking up all patches from debian/patches-applied but not debian/patches. The build passes but the CVE fix is not applied.
> >
> > For our focal builds, it seems to only pick up debian/patches, so the CVE does get patched but the rest of the patches in debian/patches-applied do not apply. We only noticed this because the build fails.
> >
> > On focal, dpkg-source seems to be applying the patch:
> >
> > $ dpkg-source -x pam_1.3.1-5ubuntu4.4.dsc
> > gpgv: Signature made Tue 24 Jan 2023 06:56:23 AM EST
> > gpgv: using RSA key B35EBCD35C6717BC0ADEB08AEC873ACED468723C
> > gpgv: issuer "nishit.majit...@canonical.com"
> > gpgv: Can't check signature: No public key
> > dpkg-source: warning: failed to verify signature on ./pam_1.3.1-5ubuntu4.4.dsc
> > dpkg-source: info: extracting pam in pam-1.3.1
> > dpkg-source: info: unpacking pam_1.3.1.orig.tar.xz
> > dpkg-source: info: unpacking pam_1.3.1-5ubuntu4.4.debian.tar.xz
> > dpkg-source: info: using patch list from debian/patches/series
> > dpkg-source: info: applying CVE-2022-28321.patch
> >
> > But when I do "dpkg-buildpackage" it removes the CVE fix before building:
> >
> > $ dpkg-buildpackage
> > dpkg-buildpackage: info: source package pam
> > dpkg-buildpackage: info: source version 1.3.1-5ubuntu4.4
> > dpkg-buildpackage: info: source distribution focal-security
> > dpkg-buildpackage: info: source changed by Nishit Majithia <nishit.majit...@canonical.com>
> > dpkg-buildpackage: info: host architecture amd64
> >  dpkg-source --before-build .
> >  fakeroot debian/rules clean
> > dh clean --with quilt,autoreconf
> >    dh_quilt_unpatch
> > Removing patch CVE-2022-28321.patch
> > Restoring modules/pam_access/pam_access.c
> >
> > On bionic dpkg-source does not apply the CVE patch at all:
> >
> > $ dpkg-source -x pam_1.1.8-3.6ubuntu2.18.04.4.dsc
> > gpgv: Signature made Tue Jan 24 12:36:38 2023 UTC
> > gpgv: using RSA key B35EBCD35C6717BC0ADEB08AEC873ACED468723C
> > gpgv: issuer "nishit.majit...@canonical.com"
> > gpgv: Can't check signature: No public key
> > dpkg-source: warning: failed to verify signature on ./pam_1.1.8-3.6ubuntu2.18.04.4.dsc
> > dpkg-source: info: extracting pam in pam-1.1.8
> > dpkg-source: info: unpacking pam_1.1.8-3.6ubuntu2.18.04.4.tar.gz
> >
> > I am not sure how the version in the repos got built, but it's possible the CVE fix did not apply.
> >
> > Thanks,
> > Vishwanath
--
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss
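A check for the situation described in the thread, added here as an example and not part of the message or of the pam packaging: given an unpacked source tree, it reports whether a patch name is listed in debian/patches-applied or debian/patches and whether its hunks are actually present in the sources, so a tree can be verified after `debian/rules clean` rather than trusting the dpkg-source output. The function names, status words and the awk fallback are my own; the real check uses a reverse dry run of patch(1).

```shell
#!/bin/sh
# Hypothetical check, not from the thread or the pam packaging: report where a
# patch is listed in an unpacked Debian source tree and whether its hunks are
# really present in the sources. pam keeps pre-applied patches under
# debian/patches-applied; debian/patches is the quilt series that
# dh_quilt_unpatch strips on "debian/rules clean", as seen in the thread.

# Fallback when patch(1) is not installed: are all added (+) lines of the
# unified diff present in the target file? A heuristic, not a full hunk match.
added_lines_present() {  # $1 = source dir, $2 = patch path relative to $1
    awk -v root="$1" '
        /^[+][+][+] / { f = $2; sub("^[^/]*/", "", f); file = root "/" f; next }
        /^[+]/ {
            want = substr($0, 2); found = 0
            while ((getline line < file) > 0) if (line == want) found = 1
            close(file)
            if (!found) missing++
        }
        END { exit missing > 0 }' "$1/$2"
}

# Prints one status word; returns 0 only when the patch is listed and applied.
patch_status() {  # $1 = source dir, $2 = patch file name, e.g. CVE-2022-28321.patch
    src=$1; name=$2; listed=""
    for dir in patches-applied patches; do
        series="$src/debian/$dir/series"
        # compare the first field only: series lines may carry options like -p0
        if [ -f "$series" ] &&
           awk -v n="$name" '$1 == n { ok = 1 } END { exit !ok }' "$series"; then
            listed=$dir; break
        fi
    done
    if [ -z "$listed" ]; then echo "not-listed"; return 1; fi
    applied=0
    if command -v patch >/dev/null 2>&1; then
        # a reverse dry run succeeds only if every hunk is already applied
        (cd "$src" && patch -R -f -s -p1 --dry-run < "debian/$listed/$name") \
            >/dev/null 2>&1 && applied=1
    else
        added_lines_present "$src" "debian/$listed/$name" && applied=1
    fi
    if [ "$applied" -eq 1 ]; then echo "applied-from-$listed"; return 0; fi
    echo "listed-in-$listed-but-not-applied"
    return 1
}

if [ $# -eq 2 ]; then patch_status "$@"; fi
```

Run it as `sh patch_status.sh pam-1.3.1 CVE-2022-28321.patch` once before and once after `fakeroot debian/rules clean`; a patch that flips from applied to not-applied is sitting in the quilt series rather than in debian/patches-applied.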