Hi Nishit,

Thanks for the quick fix. I took a look at the new bionic and focal sources; it 
looks good to me.

I do see that the debian/patches/series file is still present in both the
sources (as an empty file); maybe it is best to remove it to avoid a similar issue in the 
future?

Thanks,
Vishwanath

On 2/2/2023 7:39 AM, Nishit Majithia wrote:
> Hi Vishwanath,
>
> We have updated the package with the correct fix and uploaded it
> here: 
> https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages?field.name_filter=pam
>
> It would be great if you can test this updated package and
> provide feedback.
>
> Thanks
> Nishit
>
> On Thu, 02. Feb 12:33, Nishit Majithia wrote:
>> Hi Vishwanath,
>>
>> Thank you for reporting the issue. The patch got applied
>> incorrectly to debian/patches instead of the
>> debian/patches-applied dir. We will fix this issue and could
>> track it if you can create a Launchpad bug for this here: 
>> https://bugs.launchpad.net/ubuntu/+source/pam/+filebug
>>
>> Thanks
>> Nishit
>>
>> On Wed, 01. Feb 13:53, Vishwanath Pai wrote:
>>> I think I messed up my summary a bit:
>>> On focal: dpkg-source applies the CVE fix from debian/patches, but
>>> dpkg-buildpackage removes it before building the package.
>>>
>>> On bionic: dpkg-source does not apply the patches in debian/patches.
>>>
>>> So in both the cases it does not seem to apply the CVE fix.
>>>
>>> -Vishwanath
>>>
>>> On 2/1/2023 1:48 PM, Vishwanath Pai wrote:
>>>> Hi All,
>>>>
>>>> In the latest update for pam, the patch was added to "debian/patches" vs 
>>>> "debian/patches-applied", where all the other patches for pam reside. Was
>>>> this intentional?
>>>>
>>>> pam (1.3.1-5ubuntu4.4) focal-security; urgency=medium
>>>>
>>>>   * SECURITY UPDATE: authentication bypass vulnerability
>>>>     - debian/patches/CVE-2022-28321.patch: pam_access: handle hostnames in
>>>>       access.conf
>>>>     - CVE-2022-28321
>>>>
>>>>  -- Nishit Majithia <nishit.majit...@canonical.com>  Tue, 24 Jan 2023 
>>>> 17:15:43 +0530
>>>>
>>>> For our bionic builds it is picking up all patches from 
>>>> debian/patches-applied but not
>>>> debian/patches. The build passes but the CVE fix is not applied.
>>>>
>>>> For our focal builds, it seems to only pick up debian/patches, so the CVE 
>>>> does get patched but the rest of the patches in debian/patches-applied do
>>>> not apply. We only noticed this because the build fails.
>>>>
>>>> On focal, dpkg-source seems to be applying the patch:
>>>>
>>>> $ dpkg-source -x pam_1.3.1-5ubuntu4.4.dsc
>>>> gpgv: Signature made Tue 24 Jan 2023 06:56:23 AM EST
>>>> gpgv:                using RSA key B35EBCD35C6717BC0ADEB08AEC873ACED468723C
>>>> gpgv:                issuer "nishit.majit...@canonical.com"
>>>> gpgv: Can't check signature: No public key
>>>> dpkg-source: warning: failed to verify signature on 
>>>> ./pam_1.3.1-5ubuntu4.4.dsc
>>>> dpkg-source: info: extracting pam in pam-1.3.1
>>>> dpkg-source: info: unpacking pam_1.3.1.orig.tar.xz
>>>> dpkg-source: info: unpacking pam_1.3.1-5ubuntu4.4.debian.tar.xz
>>>> dpkg-source: info: using patch list from debian/patches/series
>>>> dpkg-source: info: applying CVE-2022-28321.patch
>>>>
>>>> But when I do "dpkg-buildpackage" it removes the CVE fix before building:
>>>>
>>>> $ dpkg-buildpackage                                       
>>>> dpkg-buildpackage: info: source package pam
>>>> dpkg-buildpackage: info: source version 1.3.1-5ubuntu4.4
>>>> dpkg-buildpackage: info: source distribution focal-security
>>>> dpkg-buildpackage: info: source changed by Nishit Majithia 
>>>> <nishit.majit...@canonical.com>
>>>> dpkg-buildpackage: info: host architecture amd64
>>>>  dpkg-source --before-build .
>>>>  fakeroot debian/rules clean
>>>> dh clean --with quilt,autoreconf
>>>>    dh_quilt_unpatch
>>>> Removing patch CVE-2022-28321.patch
>>>> Restoring modules/pam_access/pam_access.c
>>>>
>>>> On bionic dpkg-source does not apply the CVE patch at all:
>>>>
>>>> $ dpkg-source -x pam_1.1.8-3.6ubuntu2.18.04.4.dsc
>>>> gpgv: Signature made Tue Jan 24 12:36:38 2023 UTC
>>>> gpgv: using RSA key B35EBCD35C6717BC0ADEB08AEC873ACED468723C
>>>> gpgv: issuer "nishit.majit...@canonical.com"
>>>> gpgv: Can't check signature: No public key
>>>> dpkg-source: warning: failed to verify signature on 
>>>> ./pam_1.1.8-3.6ubuntu2.18.04.4.dsc
>>>> dpkg-source: info: extracting pam in pam-1.1.8
>>>> dpkg-source: info: unpacking pam_1.1.8-3.6ubuntu2.18.04.4.tar.gz
>>>>
>>>>
>>>> I am not sure how the version in the repos got built, but it's possible the 
>>>> CVE fix did not apply.
>>>>
>>>> Thanks,
>>>> Vishwanath
>
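The failure mode discussed in this thread (a security patch listed in a series file that the build never consults, so the package ships unpatched while the build still succeeds) can be caught before upload with a small packaging sanity check. The script below is an added example, not code from the thread or from the pam package; it assumes the caller names the patch directory the build really uses (debian/patches-applied for pam) and builds a constructed sample tree rather than touching real pam sources.

```shell
# Added example: verify that every patch named in the newest debian/changelog
# stanza is listed in the series file of the directory the build actually uses,
# and warn about a stray empty series file elsewhere. Assumes POSIX sh, grep -o, mktemp.
# Print the debian/patches*/... paths named in the newest changelog stanza (up to " -- ").
changelog_patches() {
    sed -n '1,/^ -- /p' "$1/debian/changelog" \
        | grep -o 'debian/patches[a-z-]*/[^:[:space:]]*' | sort -u
}
# check_patches TREE ACTIVE_DIR: return 0 only if each changelog patch is in
# TREE/ACTIVE_DIR/series; a patch listed anywhere else is silently dropped at build time.
check_patches() {
    tree=$1; active=$2; rc=0
    series="$tree/$active/series"
    for p in $(changelog_patches "$tree"); do
        if [ -f "$series" ] && grep -qx "$(basename "$p")" "$series"; then
            echo "OK:   $p listed in $active/series"
        else
            echo "MISS: $p not in $active/series (source would build unpatched)"
            rc=1
        fi
    done
    # An empty leftover series file next to the active one is only a warning.
    for s in "$tree"/debian/patches*/series; do
        if [ "$s" != "$series" ] && [ -f "$s" ] && [ ! -s "$s" ]; then
            echo "WARN: stray empty ${s#$tree/}"
        fi
    done
    return $rc
}
# make_sample broken|fixed: constructed tree mirroring the thread's two states
# (patch listed in debian/patches vs. debian/patches-applied); prints the tree path.
make_sample() {
    t=$(mktemp -d)
    mkdir -p "$t/debian/patches" "$t/debian/patches-applied"
    : > "$t/debian/patches/series"
    if [ "$1" = broken ]; then loc=debian/patches; else loc=debian/patches-applied; fi
    echo CVE-2022-28321.patch >> "$t/$loc/series"
    cat > "$t/debian/changelog" <<EOF
pam (1.3.1-5ubuntu4.4) focal-security; urgency=medium

  * SECURITY UPDATE: authentication bypass vulnerability
    - $loc/CVE-2022-28321.patch: pam_access: handle hostnames in access.conf
    - CVE-2022-28321

 -- Placeholder Maintainer <maintainer@example.com>  Tue, 24 Jan 2023 17:15:43 +0530
EOF
    echo "$t"
}
```

Run `check_patches "$(make_sample broken)" debian/patches-applied` to see the MISS line the original upload would have produced, and `check_patches "$(make_sample fixed)" debian/patches-applied` for the OK plus the WARN about the empty leftover debian/patches/series.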
-- 
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss