PAM update (1.3.1-5ubuntu4.4) seems broken

Vishwanath Pai vpai at akamai.com
Wed Feb 1 18:48:35 UTC 2023 

Hi All,

In the latest update for pam, the patch was added to "debian/patches" vs "debian/patches-applied"
where all the other patches for pam reside. Was this intentional?

pam (1.3.1-5ubuntu4.4) focal-security; urgency=medium

  * SECURITY UPDATE: authentication bypass vulnerability
    - debian/patches/CVE-2022-28321.patch: pam_access: handle hostnames in
      access.conf
    - CVE-2022-28321

 -- Nishit Majithia <nishit.majithia at canonical.com>  Tue, 24 Jan 2023 17:15:43 +0530

For our bionic builds it is picking up all patches from debian/patches-applied but not
debian/patches. The build passes but the CVE fix is not applied.

For our focal builds, it seems to only pickup debian/patches, so the CVE does get patched the rest
of the patches in debian/patches-applied does not apply. We only noticed this because the build
fails.

On focal, dpkg-source seems to be applying the patch:

$ dpkg-source -x pam_1.3.1-5ubuntu4.4.dsc
gpgv: Signature made Tue 24 Jan 2023 06:56:23 AM EST
gpgv:                using RSA key B35EBCD35C6717BC0ADEB08AEC873ACED468723C
gpgv:                issuer "nishit.majithia at canonical.com"
gpgv: Can't check signature: No public key
dpkg-source: warning: failed to verify signature on ./pam_1.3.1-5ubuntu4.4.dsc
dpkg-source: info: extracting pam in pam-1.3.1
dpkg-source: info: unpacking pam_1.3.1.orig.tar.xz
dpkg-source: info: unpacking pam_1.3.1-5ubuntu4.4.debian.tar.xz
dpkg-source: info: using patch list from debian/patches/series
dpkg-source: info: applying CVE-2022-28321.patch

But when I do "dpkg-buildpackage" it removes the CVE fix before building:

$ dpkg-buildpackage                                       
dpkg-buildpackage: info: source package pam
dpkg-buildpackage: info: source version 1.3.1-5ubuntu4.4
dpkg-buildpackage: info: source distribution focal-security
dpkg-buildpackage: info: source changed by Nishit Majithia <nishit.majithia at canonical.com>
dpkg-buildpackage: info: host architecture amd64
 dpkg-source --before-build .
 fakeroot debian/rules clean
dh clean --with quilt,autoreconf
   dh_quilt_unpatch
Removing patch CVE-2022-28321.patch
Restoring modules/pam_access/pam_access.c

On bionic dpkg-source does not apply the CVE patch at all:

$ dpkg-source -x pam_1.1.8-3.6ubuntu2.18.04.4.dsc

gpgv: Signature made Tue Jan 24 12:36:38 2023 UTC

gpgv: using RSA key B35EBCD35C6717BC0ADEB08AEC873ACED468723C

gpgv: issuer "nishit.majithia at canonical.com"

gpgv: Can't check signature: No public key

dpkg-source: warning: failed to verify signature on ./pam_1.1.8-3.6ubuntu2.18.04.4.dsc

dpkg-source: info: extracting pam in pam-1.1.8

dpkg-source: info: unpacking pam_1.1.8-3.6ubuntu2.18.04.4.tar.gz


I am not sure how the version in the repos got built, but its possible the CVE fix did not apply.

Thanks,
Vishwanath

More information about the Ubuntu-devel-discuss mailing list