Zeno-sole/cve-patching

CVE Patching — Debian Package CVE Fix Workflow

You are a CVE vulnerability patching specialist. Follow this workflow to download, verify, apply, and test security patches for Debian packages.

When to Use

• A Debian package build fails due to CVE patch application errors
• Patches are missing from debian/patches/series or file
• Patches fail to apply with fuzz/malformed errors
• Patches have naming inconsistencies (e.g., 006 vs 0006)
• Patches reference code that differs from the target version

Common CVE Patching Issues

| Issue | Cause | Fix | |-------|-------|-----| | cannot read ... No such file or directory | Patch file missing or wrong name in series | Rename patch files to match series (check leading zeros) | | Reversed (or previously applied) patch detected | Fix already in base code | Remove patch from series, delete unused patch file | | the patch has fuzz which is not allowed | Code offset between versions | Adjust patch line numbers manually or use quilt refresh | | hunks FAILED | Significant code differences | Manually apply the fix or regenerate patch from current code |

Patch Filename Convention

Debian patches should use three leading zeros for consistency:

0001-configure-fix.patch
0002-cve-2025-12345.patch
0003-feature-add.patch

If you have 006-..., rename to 0006-... to match the series file.

Workflow

Step 1 — Diagnose the Build Failure

Examine the build error message to identify:

• Which patch number failed (e.g., 0006)
• What the error is (file missing, fuzz, reversed patch, etc.)
• The expected file name vs actual file name

Example errors:

dpkg-source: error: cannot read .../0006-avfilter-cve-2023-50009.patch: No such file or directory
dpkg-source: info: Reversed (or previously applied) patch detected
dpkg-source: info: Hunk #1 FAILED at line 855

Step 2 — Inspect Patch Files

List patches in debian/patches/:

ls -la debian/patches/

Check the series file content:

cat debian/patches/series

Look for naming mismatches between entries in series and actual files.

Step 3 — Fix Filename Mismatches

If series has 0006-... but file is 006-...:

cd debian/patches
mv 006-avfilter-cve-2023-00009.patch 0006-avfilter-cve-2023-00009.patch

Batch rename if needed:

for f in 00[0-9]-*.patch; do
  new=$(echo $f | sed 's/^00\(0\)/000\1/')
  mv "$f" "$new"
done

Step 4 — Check for Already Applied Fixes

If error shows "Reversed (or previously applied) patch detected", the fix is already in the base code.

Verify by checking the relevant source file:

grep -n "expected_fix_pattern" libavfilter/some_file.c

If the fix exists:

1. Remove the patch from debian/patches/series (delete that line)
2. Delete the unused patch file
3. Test build again

Step 5 — Download Missing Patches

If a patch is referenced but missing, download from upstream commit:

First, find the commit SHA from:

• CVE database / security advisory
• Debian security tracker
• Ubuntu security notices
• Upstream git log

Download patch using GitHub:

curl -s "https://github.com/ffmpeg/ffmpeg/commit/<commit-sha>.patch" -o debian/patches/XXXX-cve-name.patch

Or using git format-patch:

git format-patch -1 <commit-sha> --stdout > debian/patches/XXXX-cve-name.patch

Step 6 — Adjust Patch for Code Offsets

If a patch fails due to line offset (hunk #X FAILED):

1. View the patch:

cat debian/patches/XXXX-cve-name.patch

2. Find the line where the hunk begins (e.g., @@ -832,6 +832,7 @@)

3. View the actual source file around that line:

sed -n '820,860p' path/to/source/file.c

4. Manually apply the fix to the source file, OR
5. Update the patch to use correct line numbers

Step 7 — Validate Patches Apply Cleanly

Test patch application without making changes:

dpkg-source --before-build . 2>&1

Or test individual patch:

patch -p1 --dry-run < debian/patches/XXXX-cve-name.patch

If successful, you should see:

patching file libavfilter/some_file.c

If failed, re-examine the error and adjust.

Step 8 — Commit and Push Changes

Once all patches apply:

git add debian/patches/
git commit -m "fix(cve): update patch filenames and adjust for CVE-XXXX

- Fixed patch file naming (leading zeros)
- Removed CVE-XXXX patch (fix already in base code)
- Adjusted CVE-YYYY patch for code offset compatibility"

Push to your branch:

git push fork HEAD:<branch-name>

Template for FFmpeg CVE Patching

For FFmpeg specifically, patches can be downloaded from upstream commits:

# List of CVE commits (example format)
CVE_COMMITS=(
    "CVE-2023-50009:c443658d26d2b8e19901f9507a890e0efca79056:006:avfilter"
    "CVE-2023-49501:4adb93dff05dd947878c67784d98c9a4e13b57a7:007:avfilter"
    "CVE-2023-49528:2d9ed64859c9887d0504cd71dbd5b2c15e14251a:008:avfilter"
)

for ITEM in "${CVE_COMMITS[@]}"; do
    IFS=':' read -r CVE COMMIT NUM COMPONENT <<< "$ITEM"
    PATCH_FILE="debian/patches/${NUM}-${COMPONENT}-$(echo $CVE | tr '[:upper:]' '[:lower:]').patch"
    curl -s "https://github.com/ffmpeg/ffmpeg/commit/$COMMIT.patch" > "$PATCH_FILE"
done

Common Commands Reference

| Action | Command | |--------|---------| | List patches | ls debian/patches/ | | View series | cat debian/patches/series | | Test all patches | dpkg-source --before-build . | | Test single patch | patch -p1 --dry-run < patchfile | | Apply single patch | patch -p1 < patchfile | | Check git status | git status | | View patch content | cat debian/patches/XXXX.patch |

Tips

1. Always test patches before committing — use --dry-run or dpkg-source --before-build
2. Keep patches in order — series file order matters; dependencies must be applied first
3. Document removed patches — if removing a CVE patch because fix is already in base, note the version where it was fixed
4. Use quilt for interactive editing — quilt edit, quilt refresh for complex patch adjustments
5. Check for pristinetar issues — if error mentions orig tarball, ensure source is clean