PAM update (1.3.1-5ubuntu4.4) seems broken
Nishit Majithia
nishit.majithia at canonical.com
Thu Feb 2 07:03:13 UTC 2023
Hi Vishwanath,
Thank you for reporting the issue. The patch got applied
incorrectly to debian/patches instead of
debian/patches-applied dir. We will fix this issue and could
track it if you can create a Launchpad bug for this here: https://bugs.launchpad.net/ubuntu/+source/pam/+filebug
Thanks
Nishit
On Wed, 01. Feb 13:53, Vishwanath Pai wrote:
> I think I messed up my summary a bit:
> On focal: dpkg-source applies the CVE fix from debian/patches, but dpkg-buildpackage removes
> it before building the package.
>
> On bionic: dpkg-source does not apply the patches in debian/patches.
>
> So in both the cases it does not seem to apply the CVE fix.
>
> -Vishwanath
>
> On 2/1/2023 1:48 PM, Vishwanath Pai wrote:
> > Hi All,
> >
> > In the latest update for pam, the patch was added to "debian/patches" vs "debian/patches-applied"
> > where all the other patches for pam reside. Was this intentional?
> >
> > pam (1.3.1-5ubuntu4.4) focal-security; urgency=medium
> >
> > * SECURITY UPDATE: authentication bypass vulnerability
> > - debian/patches/CVE-2022-28321.patch: pam_access: handle hostnames in
> > access.conf
> > - CVE-2022-28321
> >
> > -- Nishit Majithia <nishit.majithia at canonical.com> Tue, 24 Jan 2023 17:15:43 +0530
> >
> > For our bionic builds it is picking up all patches from debian/patches-applied but not
> > debian/patches. The build passes but the CVE fix is not applied.
> >
> > For our focal builds, it seems to only pick up debian/patches, so the CVE does get patched, but the rest
> > of the patches in debian/patches-applied do not apply. We only noticed this because the build
> > fails.
> >
> > On focal, dpkg-source seems to be applying the patch:
> >
> > $ dpkg-source -x pam_1.3.1-5ubuntu4.4.dsc
> > gpgv: Signature made Tue 24 Jan 2023 06:56:23 AM EST
> > gpgv: using RSA key B35EBCD35C6717BC0ADEB08AEC873ACED468723C
> > gpgv: issuer "nishit.majithia at canonical.com"
> > gpgv: Can't check signature: No public key
> > dpkg-source: warning: failed to verify signature on ./pam_1.3.1-5ubuntu4.4.dsc
> > dpkg-source: info: extracting pam in pam-1.3.1
> > dpkg-source: info: unpacking pam_1.3.1.orig.tar.xz
> > dpkg-source: info: unpacking pam_1.3.1-5ubuntu4.4.debian.tar.xz
> > dpkg-source: info: using patch list from debian/patches/series
> > dpkg-source: info: applying CVE-2022-28321.patch
> >
> > But when I do "dpkg-buildpackage" it removes the CVE fix before building:
> >
> > $ dpkg-buildpackage
> > dpkg-buildpackage: info: source package pam
> > dpkg-buildpackage: info: source version 1.3.1-5ubuntu4.4
> > dpkg-buildpackage: info: source distribution focal-security
> > dpkg-buildpackage: info: source changed by Nishit Majithia <nishit.majithia at canonical.com>
> > dpkg-buildpackage: info: host architecture amd64
> > dpkg-source --before-build .
> > fakeroot debian/rules clean
> > dh clean --with quilt,autoreconf
> > dh_quilt_unpatch
> > Removing patch CVE-2022-28321.patch
> > Restoring modules/pam_access/pam_access.c
> >
> > On bionic dpkg-source does not apply the CVE patch at all:
> >
> > $ dpkg-source -x pam_1.1.8-3.6ubuntu2.18.04.4.dsc
> > gpgv: Signature made Tue Jan 24 12:36:38 2023 UTC
> > gpgv: using RSA key B35EBCD35C6717BC0ADEB08AEC873ACED468723C
> > gpgv: issuer "nishit.majithia at canonical.com"
> > gpgv: Can't check signature: No public key
> > dpkg-source: warning: failed to verify signature on ./pam_1.1.8-3.6ubuntu2.18.04.4.dsc
> > dpkg-source: info: extracting pam in pam-1.1.8
> > dpkg-source: info: unpacking pam_1.1.8-3.6ubuntu2.18.04.4.tar.gz
> >
> > I am not sure how the version in the repos got built, but it's possible the CVE fix did not apply.
> >
> > Thanks,
> > Vishwanath
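A check that answers the question the thread raises (did the fix actually land in the tree that gets built?) without trusting the series files: for every patch listed in debian/patches/series and debian/patches-applied/series, test whether the hunks' post-image or pre-image is what the source currently contains. This is an added example written for this page, not code from the pam packaging, dpkg or quilt. The pam_access.c contents and both patches it audits are constructed stand-ins (the CVE-2022-28321.patch it writes is a placeholder, not the real fix) that reproduce the focal state described above: the patches-applied series applied, the debian/patches one removed again by dh_quilt_unpatch.

```python
"""Audit which quilt patches are actually applied in an unpacked Debian source
tree.  Added example for this thread, not code from the pam packaging, dpkg or
quilt.  The source file and both patches are constructed stand-ins for the focal
state the thread describes: patches-applied applied, the CVE patch unpatched."""
import os
import tempfile

SOURCE_TREE_STATE = "\n".join([  # constructed modules/pam_access/pam_access.c
    "static int string_match(const char *tok, const char *string) {",
    "    return strcasecmp(tok, string) == 0;",
    "}",
    "static int from_match(char *tok, const char *string) {",
    "    return string_match(tok, string);",
    "}",
]) + "\n"

PATCH_CASE_INSENSITIVE = "\n".join([  # constructed; listed in debian/patches-applied
    "--- a/modules/pam_access/pam_access.c",
    "+++ b/modules/pam_access/pam_access.c",
    "@@ -1,3 +1,3 @@",
    " static int string_match(const char *tok, const char *string) {",
    "-    return strcmp(tok, string) == 0;",
    "+    return strcasecmp(tok, string) == 0;",
    " }",
]) + "\n"

PATCH_CVE_STANDIN = "\n".join([  # constructed; NOT the real CVE-2022-28321 fix
    "--- a/modules/pam_access/pam_access.c",
    "+++ b/modules/pam_access/pam_access.c",
    "@@ -4,3 +4,5 @@",
    " static int from_match(char *tok, const char *string) {",
    "+    if (is_hostname(tok))",
    "+        return host_match(tok, string);",
    "     return string_match(tok, string);",
    " }",
]) + "\n"


def parse_unified_diff(text):
    """Return [(path, [hunk, ...])]; a hunk is a list of (tag, line) with tag in ' +-'."""
    lines, files, i = text.splitlines(), [], 0
    while i < len(lines):
        line, nxt = lines[i], lines[i + 1] if i + 1 < len(lines) else ""
        if line.startswith("--- ") and nxt.startswith("+++ "):  # file header pair
            # drop the first path component, i.e. patch -p1 semantics
            files.append((nxt[4:].split("\t")[0].split("/", 1)[-1], []))
            i += 2
            continue
        if files and line.startswith("@@ "):
            files[-1][1].append([])
        elif files and files[-1][1] and line[:1] in (" ", "+", "-"):
            files[-1][1][-1].append((line[0], line[1:]))
        i += 1
    return files


def contains_block(file_lines, block):
    return any(file_lines[i:i + len(block)] == block for i in range(len(file_lines) - len(block) + 1))


def hunk_state(file_lines, hunk):
    """'applied' if only the post-image is in the file, 'unapplied' if only the pre-image is."""
    post = [text for tag, text in hunk if tag != "-"]
    pre = [text for tag, text in hunk if tag != "+"]
    key = (contains_block(file_lines, post), contains_block(file_lines, pre))
    return {(True, False): "applied", (False, True): "unapplied",
            (True, True): "ambiguous"}.get(key, "diverged")


def patch_state(srcdir, patch_path):
    """One verdict per patch: the state shared by all its hunks, else 'partial'."""
    with open(patch_path) as f:
        parsed = parse_unified_diff(f.read())
    states = []
    for rel, hunks in parsed:
        target = os.path.join(srcdir, rel)
        if not os.path.isfile(target):
            states += ["diverged"] * len(hunks)
            continue
        with open(target) as f:
            states += [hunk_state(f.read().splitlines(), h) for h in hunks]
    return "empty" if not states else states[0] if len(set(states)) == 1 else "partial"


def audit_series(srcdir, patchdir):
    """Map each patch named in <srcdir>/<patchdir>/series to its state."""
    series = os.path.join(srcdir, patchdir, "series")
    if not os.path.isfile(series):
        return {}
    with open(series) as f:  # quilt series lines: name [options] # comment
        names = [ln.split("#", 1)[0].split()[:1] for ln in f]
    return {n[0]: patch_state(srcdir, os.path.join(srcdir, patchdir, n[0])) for n in names if n}


def audit_tree(srcdir):
    """dpkg-source reads debian/patches; the thread says pam keeps its other patches in patches-applied."""
    return {d: audit_series(srcdir, os.path.join("debian", d)) for d in ("patches", "patches-applied")}


def demo():
    files = {  # constructed tree: patches-applied series applied, CVE stand-in not applied
        "modules/pam_access/pam_access.c": SOURCE_TREE_STATE,
        "debian/patches-applied/series": "0001-case-insensitive.patch\n",
        "debian/patches-applied/0001-case-insensitive.patch": PATCH_CASE_INSENSITIVE,
        "debian/patches/series": "CVE-2022-28321.patch\n",
        "debian/patches/CVE-2022-28321.patch": PATCH_CVE_STANDIN,
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in files.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "w") as f:
                f.write(data)
        return audit_tree(root)
```

demo() returns {'patches': {'CVE-2022-28321.patch': 'unapplied'}, 'patches-applied': {'0001-case-insensitive.patch': 'applied'}} for the constructed tree. Against a real checkout, call audit_tree('pam-1.3.1') once after dpkg-source -x and again after fakeroot debian/rules clean; the CVE patch flipping to 'unapplied' after the clean step is exactly what the dh_quilt_unpatch output above shows. Hunks are matched by content rather than by line number, so offsets are tolerated, but a file whose context lines no longer match the patch exactly is reported as 'diverged' rather than guessed at.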