<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <font size="2"><font face="Consolas">Hi Nishit,<br>
        <br>
        Thanks for the quick fix. I took a look at the new bionic and
        focal sources; they look good to me.<br>
        <br>
        I do see that the debian/patches/series file is still present in
        both sources (as an empty file); maybe it is best to remove it
        to avoid a similar issue in the future?<br>
        <br>
        Thanks,<br>
        Vishwanath<br>
      </font></font><br>
    <div class="moz-cite-prefix">On 2/2/2023 7:39 AM, Nishit Majithia
      wrote:<br>
    </div>
    <blockquote type="cite"
      cite="mid:20230202123936.her2otswvvadb52l@machine">
      <pre class="moz-quote-pre" wrap="">Hi Vishwanath,

We have updated the package with the correct fix and uploaded it
here: <a class="moz-txt-link-freetext" href="https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages?field.name_filter=pam">https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages?field.name_filter=pam</a>

It would be great if you could test this updated package and
provide feedback.

Thanks
Nishit

On Thu, 02. Feb 12:33, Nishit Majithia wrote:
</pre>
      <blockquote type="cite">
        <pre class="moz-quote-pre" wrap="">Hi Vishwanath,

Thank you for reporting the issue. The patch got applied
incorrectly to debian/patches instead of the
debian/patches-applied dir. We will fix this issue and could
track it if you can create a Launchpad bug for this here: <a class="moz-txt-link-freetext" href="https://bugs.launchpad.net/ubuntu/+source/pam/+filebug">https://bugs.launchpad.net/ubuntu/+source/pam/+filebug</a>

Thanks
Nishit

On Wed, 01. Feb 13:53, Vishwanath Pai wrote:
</pre>
        <blockquote type="cite">
          <pre class="moz-quote-pre" wrap="">I think I messed up my summary a bit:
On focal: dpkg-source applies the CVE fix from debian/patches, but dpkg-buildpackage removes
it before building the package.

On bionic: dpkg-source does not apply the patches in debian/patches.

So in both the cases it does not seem to apply the CVE fix.

-Vishwanath

On 2/1/2023 1:48 PM, Vishwanath Pai wrote:
</pre>
          <blockquote type="cite">
            <pre class="moz-quote-pre" wrap="">Hi All,

In the latest update for pam, the patch was added to "debian/patches" vs "debian/patches-applied"
where all the other patches for pam reside. Was this intentional?

pam (1.3.1-5ubuntu4.4) focal-security; urgency=medium

  * SECURITY UPDATE: authentication bypass vulnerability
    - debian/patches/CVE-2022-28321.patch: pam_access: handle hostnames in
      access.conf
    - CVE-2022-28321

 -- Nishit Majithia <a class="moz-txt-link-rfc2396E" href="mailto:nishit.majithia@canonical.com"><nishit.majithia@canonical.com></a>  Tue, 24 Jan 2023 17:15:43 +0530

For our bionic builds it is picking up all patches from debian/patches-applied but not
debian/patches. The build passes but the CVE fix is not applied.

For our focal builds, it seems to only pick up debian/patches, so the CVE does get patched but the rest
of the patches in debian/patches-applied do not apply. We only noticed this because the build
fails.

On focal, dpkg-source seems to be applying the patch:

$ dpkg-source -x pam_1.3.1-5ubuntu4.4.dsc
gpgv: Signature made Tue 24 Jan 2023 06:56:23 AM EST
gpgv:                using RSA key B35EBCD35C6717BC0ADEB08AEC873ACED468723C
gpgv:                issuer <a class="moz-txt-link-rfc2396E" href="mailto:nishit.majithia@canonical.com">"nishit.majithia@canonical.com"</a>
gpgv: Can't check signature: No public key
dpkg-source: warning: failed to verify signature on ./pam_1.3.1-5ubuntu4.4.dsc
dpkg-source: info: extracting pam in pam-1.3.1
dpkg-source: info: unpacking pam_1.3.1.orig.tar.xz
dpkg-source: info: unpacking pam_1.3.1-5ubuntu4.4.debian.tar.xz
dpkg-source: info: using patch list from debian/patches/series
dpkg-source: info: applying CVE-2022-28321.patch

But when I do "dpkg-buildpackage" it removes the CVE fix before building:

$ dpkg-buildpackage
dpkg-buildpackage: info: source package pam
dpkg-buildpackage: info: source version 1.3.1-5ubuntu4.4
dpkg-buildpackage: info: source distribution focal-security
dpkg-buildpackage: info: source changed by Nishit Majithia <a class="moz-txt-link-rfc2396E" href="mailto:nishit.majithia@canonical.com"><nishit.majithia@canonical.com></a>
dpkg-buildpackage: info: host architecture amd64
 dpkg-source --before-build .
 fakeroot debian/rules clean
dh clean --with quilt,autoreconf
   dh_quilt_unpatch
Removing patch CVE-2022-28321.patch
Restoring modules/pam_access/pam_access.c

On bionic dpkg-source does not apply the CVE patch at all:

$ dpkg-source -x pam_1.1.8-3.6ubuntu2.18.04.4.dsc

gpgv: Signature made Tue Jan 24 12:36:38 2023 UTC
gpgv: using RSA key B35EBCD35C6717BC0ADEB08AEC873ACED468723C
gpgv: issuer <a class="moz-txt-link-rfc2396E" href="mailto:nishit.majithia@canonical.com">"nishit.majithia@canonical.com"</a>
gpgv: Can't check signature: No public key
dpkg-source: warning: failed to verify signature on ./pam_1.1.8-3.6ubuntu2.18.04.4.dsc
dpkg-source: info: extracting pam in pam-1.1.8
dpkg-source: info: unpacking pam_1.1.8-3.6ubuntu2.18.04.4.tar.gz

I am not sure how the version in the repos got built, but it's possible the CVE fix did not apply.

Thanks,
Vishwanath
</pre>
          </blockquote>
        </blockquote>
      </blockquote>
    </blockquote>
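    <p>The layout problem the thread describes (a patch file dropped into debian/patches while the build applies its patches from debian/patches-applied) can be caught before upload with a small audit of the unpacked source tree. The script below is an added example; it is not code from the thread, from Canonical or from the pam package. It assumes the package selects its quilt directory with <code>QUILT_PATCH_DIR := debian/patches-applied</code> in debian/rules (as pam does), that dpkg-source reads only debian/patches/series when unpacking a 3.0 (quilt) source, and that dh_quilt_patch/dh_quilt_unpatch honour QUILT_PATCH_DIR. The two trees it audits are constructed fixtures, not the real pam sources.</p>

```shell
#!/bin/sh
# Added example (not from the thread or the pam package): audit an unpacked
# Debian source tree for patches that will never reach the build because
# they sit outside the series file the build actually uses.
# Assumptions: debian/rules selects the quilt dir via QUILT_PATCH_DIR
# (default debian/patches); dpkg-source only reads debian/patches/series
# at unpack time; dh_quilt_* honour QUILT_PATCH_DIR.

# Print the quilt directory the build uses, defaulting to debian/patches.
patch_dir_of() {
    dir=$(sed -n \
        -e 's/^[[:space:]]*\(export[[:space:]][[:space:]]*\)\{0,1\}QUILT_PATCH_DIR[[:space:]]*:\{0,1\}=[[:space:]]*//p' \
        "$1/debian/rules" 2>/dev/null | sed 's/[[:space:]]*$//' | head -n 1)
    printf '%s\n' "${dir:-debian/patches}"
}

# Is patch "$2" listed in series file "$1"?  Ignores comments and per-patch
# options such as "-p1" that may follow the file name.
listed_in_series() {
    [ -f "$1" ] && sed 's/#.*//' "$1" | awk 'NF { print $1 }' | grep -qxF -- "$2"
}

# Report patch files the build will never apply and stray series files.
# Returns 0 when the layout is clean, 1 when something is off.
check_patch_layout() {
    src=$1
    pdir=$(patch_dir_of "$src")
    rc=0
    for f in "$src"/debian/patches/*.patch "$src"/debian/patches/*.diff \
             "$src"/debian/patches-applied/*.patch "$src"/debian/patches-applied/*.diff; do
        [ -f "$f" ] || continue
        name=${f##*/}
        if ! listed_in_series "$src/$pdir/series" "$name"; then
            echo "NOT APPLIED BY BUILD: ${f#"$src"/} is missing from $pdir/series"
            rc=1
        fi
    done
    # A debian/patches/series left behind while the build uses another dir:
    # dpkg-source applies it at unpack, dh_quilt_unpatch drops it at clean.
    if [ "$pdir" != debian/patches ] && [ -e "$src/debian/patches/series" ]; then
        if [ -s "$src/debian/patches/series" ]; then
            echo "STRAY SERIES: debian/patches/series is non-empty; dpkg-source applies it at unpack, dh_quilt_unpatch ($pdir) removes it at clean"
            rc=1
        else
            echo "NOTE: debian/patches/series is empty; harmless, but remove it to avoid a repeat"
        fi
    fi
    return $rc
}

# Constructed fixtures (not a real pam source tree).
make_broken_tree() {   # patch and its series in debian/patches, build uses patches-applied
    mkdir -p "$1/debian/patches" "$1/debian/patches-applied"
    printf 'export QUILT_PATCH_DIR := debian/patches-applied\n' > "$1/debian/rules"
    printf 'existing-fix.patch\n' > "$1/debian/patches-applied/series"
    : > "$1/debian/patches-applied/existing-fix.patch"
    printf 'CVE-2022-28321.patch\n' > "$1/debian/patches/series"
    : > "$1/debian/patches/CVE-2022-28321.patch"
}
make_fixed_tree() {    # patch moved next to the others, stray series removed
    make_broken_tree "$1"
    mv "$1/debian/patches/CVE-2022-28321.patch" "$1/debian/patches-applied/"
    printf 'CVE-2022-28321.patch\n' >> "$1/debian/patches-applied/series"
    rm -rf "$1/debian/patches"
}

# Stand-alone demo: build both fixtures in a temp dir and audit them.
demo_dir=$(mktemp -d)
make_broken_tree "$demo_dir/broken"
make_fixed_tree "$demo_dir/fixed"
for t in broken fixed; do
    if check_patch_layout "$demo_dir/$t"; then
        echo "$t: OK"
    else
        echo "$t: layout problems found"
    fi
done
rm -rf "$demo_dir"
```

    <p>Against a real unpack, run <code>check_patch_layout pam-1.3.1</code> right after <code>dpkg-source -x</code>. A patch reported as "NOT APPLIED BY BUILD" is the bionic symptom above (file present, never applied); a non-empty stray debian/patches/series is the focal symptom (applied by dpkg-source at unpack, then removed by dh_quilt_unpatch during clean).</p>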
    <br>
  </body>
</html>