<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<font size="2"><font face="Consolas">I think I messed up my summary
a bit:<br>
On focal: dpkg-source applies the CVE fix from debian/patches,
but dpkg-buildpackage removes<br>
it before building the package.<br>
<br>
On bionic: dpkg-source does not apply the patches in
debian/patches.<br>
<br>
So in both cases it does not seem to apply the CVE fix.<br>
<br>
-Vishwanath<br>
</font></font><br>
<div class="moz-cite-prefix">On 2/1/2023 1:48 PM, Vishwanath Pai
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:28884533-a27d-0411-2678-3780f1380756@akamai.com">
<pre class="moz-quote-pre" wrap="">Hi All,
In the latest update for pam, the patch was added to "debian/patches" vs "debian/patches-applied"
where all the other patches for pam reside. Was this intentional?
pam (1.3.1-5ubuntu4.4) focal-security; urgency=medium
* SECURITY UPDATE: authentication bypass vulnerability
- debian/patches/CVE-2022-28321.patch: pam_access: handle hostnames in
access.conf
- CVE-2022-28321
-- Nishit Majithia <a class="moz-txt-link-rfc2396E" href="mailto:nishit.majithia@canonical.com"><nishit.majithia@canonical.com></a> Tue, 24 Jan 2023 17:15:43 +0530
For our bionic builds it is picking up all patches from debian/patches-applied but not
debian/patches. The build passes but the CVE fix is not applied.
For our focal builds, it seems to only pick up debian/patches, so the CVE does get patched, but the rest
of the patches in debian/patches-applied do not apply. We only noticed this because the build
fails.
On focal, dpkg-source seems to be applying the patch:
$ dpkg-source -x pam_1.3.1-5ubuntu4.4.dsc
gpgv: Signature made Tue 24 Jan 2023 06:56:23 AM EST
gpgv: using RSA key B35EBCD35C6717BC0ADEB08AEC873ACED468723C
gpgv: issuer <a class="moz-txt-link-rfc2396E" href="mailto:nishit.majithia@canonical.com">"nishit.majithia@canonical.com"</a>
gpgv: Can't check signature: No public key
dpkg-source: warning: failed to verify signature on ./pam_1.3.1-5ubuntu4.4.dsc
dpkg-source: info: extracting pam in pam-1.3.1
dpkg-source: info: unpacking pam_1.3.1.orig.tar.xz
dpkg-source: info: unpacking pam_1.3.1-5ubuntu4.4.debian.tar.xz
dpkg-source: info: using patch list from debian/patches/series
dpkg-source: info: applying CVE-2022-28321.patch
But when I do "dpkg-buildpackage" it removes the CVE fix before building:
$ dpkg-buildpackage
dpkg-buildpackage: info: source package pam
dpkg-buildpackage: info: source version 1.3.1-5ubuntu4.4
dpkg-buildpackage: info: source distribution focal-security
dpkg-buildpackage: info: source changed by Nishit Majithia <a class="moz-txt-link-rfc2396E" href="mailto:nishit.majithia@canonical.com"><nishit.majithia@canonical.com></a>
dpkg-buildpackage: info: host architecture amd64
dpkg-source --before-build .
fakeroot debian/rules clean
dh clean --with quilt,autoreconf
dh_quilt_unpatch
Removing patch CVE-2022-28321.patch
Restoring modules/pam_access/pam_access.c
On bionic dpkg-source does not apply the CVE patch at all:
$ dpkg-source -x pam_1.1.8-3.6ubuntu2.18.04.4.dsc
gpgv: Signature made Tue Jan 24 12:36:38 2023 UTC
gpgv: using RSA key B35EBCD35C6717BC0ADEB08AEC873ACED468723C
gpgv: issuer <a class="moz-txt-link-rfc2396E" href="mailto:nishit.majithia@canonical.com">"nishit.majithia@canonical.com"</a>
gpgv: Can't check signature: No public key
dpkg-source: warning: failed to verify signature on ./pam_1.1.8-3.6ubuntu2.18.04.4.dsc
dpkg-source: info: extracting pam in pam-1.1.8
dpkg-source: info: unpacking pam_1.1.8-3.6ubuntu2.18.04.4.tar.gz
I am not sure how the version in the repos got built, but it's possible the CVE fix did not apply.
Thanks,
Vishwanath
</pre>
</blockquote>
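The question the thread leaves open is whether a given unpacked tree actually carries the fix. The following is an added example, not code from the thread or from the pam packaging: a plain-sh check that walks debian/patches/series and debian/patches-applied/series and reports which listed patches have landed in the tree. It uses a heuristic (every line a patch adds is present verbatim in its target file, with -p1 path handling), and the demo tree, file names and patch contents are constructed for illustration.

```shell
# Added example (not part of the thread): report which patches listed in
# debian/patches/series and debian/patches-applied/series have actually been
# applied to an unpacked source tree. Heuristic: a patch counts as applied when
# every line it adds is present verbatim in the file it targets (-p1 paths).

patch_applied() {
    # $1 = source tree, $2 = unified diff; returns 0 if applied, 1 otherwise
    target=""
    while IFS= read -r line; do
        case "$line" in
            '+++ '*)  # "+++ b/modules/x.c [timestamp]" -> modules/x.c
                target=$(printf '%s\n' "$line" | sed 's/^+++ //; s/[[:space:]].*//; s/^[^\/]*\///') ;;
            '---'*|'@@'*|'diff '*|'index '*) ;;
            '+'*)     # an added line must already be present in the target file
                [ -n "${line#+}" ] || continue
                [ -n "$target" ] && [ -f "$1/$target" ] || return 1
                grep -qxF -- "${line#+}" "$1/$target" || return 1 ;;
        esac
    done < "$2"
    [ -n "$target" ]
}

check_series() {
    # $1 = source tree, $2 = patch dir relative to it; returns the number of unapplied patches
    missing=0
    [ -f "$1/$2/series" ] || return 0
    while IFS= read -r p; do
        p=${p%% *}                      # drop per-patch options such as "-p0"
        case "$p" in ''|'#'*) continue ;; esac
        if patch_applied "$1" "$1/$2/$p"; then
            echo "applied:     $2/$p"
        else
            echo "NOT applied: $2/$p"; missing=$((missing + 1))
        fi
    done < "$1/$2/series"
    return $missing
}

make_demo_tree() {
    # Constructed tree mirroring the report: the CVE patch sits in debian/patches and
    # was never applied, while the patch in debian/patches-applied already is.
    t=$(mktemp -d)
    mkdir -p "$t/modules/pam_access" "$t/debian/patches" "$t/debian/patches-applied"
    printf 'int check_host(void) { return 0; }\n' > "$t/modules/pam_access/pam_access.c"
    printf 'int other(void) { return 1; }\n' > "$t/modules/pam_access/other.c"
    printf '%s\n' '--- a/modules/pam_access/pam_access.c' '+++ b/modules/pam_access/pam_access.c' \
        '@@ -1 +1,2 @@' ' int check_host(void) { return 0; }' \
        '+int check_hostname(void) { return 1; }' > "$t/debian/patches/CVE-fix.patch"
    echo CVE-fix.patch > "$t/debian/patches/series"
    printf '%s\n' '--- a/modules/pam_access/other.c' '+++ b/modules/pam_access/other.c' \
        '@@ -1 +1 @@' '-int other(void) { return 0; }' '+int other(void) { return 1; }' \
        > "$t/debian/patches-applied/other.patch"
    echo other.patch > "$t/debian/patches-applied/series"
    printf '%s\n' "$t"
}
```

Run it against a real tree with `check_series /path/to/pam-1.3.1 debian/patches` and `check_series /path/to/pam-1.3.1 debian/patches-applied` after `dpkg-source -x` and again after `dpkg-buildpackage`'s clean step to see which directory each stage honours.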
<br>
</body>
</html>