On Mon, 25 Jan 2016 15:37:29 +1100 Stuart Prescott <stu...@debian.org> wrote:
> The update for pam in Jessie (1.1.8-3.1+deb8u1) introduces differences in
> files in a Multi-Arch: same package. The man pages pam_exec.8.gz and
> pam_unix.8.gz contain different information.

I've downloaded the debs directly from a nearby mirror for amd64 and i386 to compare myself and I can confirm the discrepancy between the man page content, although even after doing more research I cannot explain it.

The buildd log for i386[1] does include the patch for CVE-2015-3238: (which clearly patches the pam_exec.8 source file)

| Applying patch cve-2015-3238.patch
| patching file modules/pam_exec/pam_exec.8.xml
| patching file modules/pam_exec/pam_exec.c
| patching file modules/pam_unix/pam_unix.8.xml
| patching file modules/pam_unix/pam_unix_passwd.c
| Hunk #1 succeeded at 245 (offset 5 lines).
| patching file modules/pam_unix/passverify.c
| Hunk #1 succeeded at 1086 (offset -29 lines).
| patching file modules/pam_unix/passverify.h
| patching file modules/pam_unix/support.c
| Hunk #1 succeeded at 632 (offset 23 lines).

[1]: https://buildd.debian.org/status/fetch.php?pkg=pam&arch=i386&ver=1.1.8-3.1%2Bdeb8u1&stamp=1452378974

Even the debdiff was relatively small:

https://release.debian.org/proposed-updates/stable_diffs/pam_1.1.8-3.1+deb8u1.debdiff

(and definitely includes the changes that the amd64 package includes which i386 appears to be missing).

I'm attempting a build for i386 locally right now, but I'm not sure where to turn next after that to debug this mismatch further.

♥,
- Tianon
  4096R / B42F 6819 007F 00F8 8E36 4FD4 036A 9C25 BF35 7DD4