dovecot: Fail to build against OpenSSL 3.0

Bug #1945763 reported by Simon Chopin
Affects           Status        Importance  Assigned to       Milestone
dovecot (Ubuntu)  Fix Released  High        Bryce Harrington

Bug Description

Hello,

As part of a rebuild against OpenSSL3, this package failed to build on one or
several architectures. You can find the details of the rebuild at

https://people.canonical.com/~schopin/rebuilds/openssl-3.0.0-impish.html

or for the amd64 failed build, directly at

https://launchpadlibrarian.net/559465143/buildlog_ubuntu-impish-amd64.dovecot_1%3A2.3.13+dfsg1-1ubuntu3.0~ssl3ppa1.1_BUILDING.txt.gz

We're planning to transition to OpenSSL 3.0 for the 22.04 release, and consider
this issue as blocking for this transition.

For your tests, you can build against libssl-dev as found in the PPA
schopin/openssl-3.0.0

I was unable to find any mention of this issue upstream.

Looking into the issue, the failing test 'test_password_change'
starts behaving differently at dcrypt_key_store_private: for the same
private key data (obtained by replacing the OpenSSL PRNG with a bogus,
deterministic generator), the public key ID differs between OpenSSL 1.1
and OpenSSL 3. I didn't go much further in my investigation.

(upstream main branch also fails)
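A regression check of the kind the report above calls for, added here as an example; it is not code from the bug report, from dovecot, or from the RH patch. It derives a P-256 public key from a fixed private scalar (standing in for the deterministic PRNG the reporter swapped in), computes a key ID, and lets a test pin that ID so a library upgrade that changes the derivation fails loudly instead of silently producing a different ID. The scalar 7 and the "SHA-256 over the SEC1 point encoding" construction are assumptions of this example, not dovecot's dcrypt algorithm; the compressed/uncompressed contrast shows why the encoding the ID is taken over has to be fixed explicitly rather than left to the library's default.

```python
import hashlib

# NIST P-256 domain parameters (FIPS 186-4).
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
G_X = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
G_Y = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5
G = (G_X, G_Y)

# Fixed "private key" standing in for the deterministic PRNG in the report.
# Constructed for this example; any scalar in [1, N-1] would do.
FIXED_PRIVATE_SCALAR = 7


def on_curve(point):
    """True for the point at infinity (None) or any affine point on P-256."""
    if point is None:
        return True
    x, y = point
    return (y * y - (x * x * x + A * x + B)) % P == 0


def point_add(p1, p2):
    """Affine point addition/doubling; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None  # p1 == -p2
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P  # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, point=G):
    """Double-and-add k*point (not constant-time; test code only)."""
    result = None
    addend = point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def encode_point(point, compressed=False):
    """SEC1 encoding: 0x04||X||Y, or 0x02/0x03||X when compressed."""
    x, y = point
    xb = x.to_bytes(32, "big")
    if compressed:
        return bytes([0x02 | (y & 1)]) + xb
    return b"\x04" + xb + y.to_bytes(32, "big")


def key_id(public_point, compressed=False):
    """Key ID as hex SHA-256 over the SEC1 encoding.

    This is an assumption of the example, not dovecot's dcrypt derivation.
    The ID changes if the encoding changes, which is why it is pinned.
    """
    return hashlib.sha256(encode_point(public_point, compressed)).hexdigest()


def check_key_id(private_scalar, expected_id, compressed=False):
    """Regression check: re-derive the ID for a fixed key and compare."""
    return key_id(scalar_mult(private_scalar), compressed) == expected_id


if __name__ == "__main__":
    pub = scalar_mult(FIXED_PRIVATE_SCALAR)
    print("uncompressed ID:", key_id(pub, compressed=False))
    print("compressed   ID:", key_id(pub, compressed=True))
    # Pin one of these in the test suite; a library change that flips the
    # encoding (or any other step of the derivation) shows up as a mismatch.
```

Run it once against the known-good build, record the printed ID, and assert `check_key_id(FIXED_PRIVATE_SCALAR, recorded_id)` in the test suite; a rebuild against a different OpenSSL that yields a different ID then fails the test with the exact step to inspect.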

Revision history for this message
Simon Chopin (schopin) wrote :

The bug was encountered over at RedHat and someone apparently came up with a workaround: https://bugzilla.redhat.com/show_bug.cgi?id=1962035

Utkarsh Gupta (utkarsh)
Changed in dovecot (Ubuntu):
status: New → Triaged
importance: Undecided → High
Changed in dovecot (Ubuntu):
assignee: nobody → Bryce Harrington (bryce)
tags: added: server-next
Revision history for this message
Simon Chopin (schopin) wrote :

Attached is a debdiff fixing this particular problem, using the linked patch from the RH bug tracker.

I've uploaded the package to both
https://launchpad.net/~schopin/+archive/ubuntu/test-ppa (built against OpenSSL 1.1.1)
and
https://launchpad.net/~schopin/+archive/ubuntu/foundation-openssl3 (built against OpenSSL 3.0.0)
to check its viability.

tags: added: patch
Revision history for this message
Bryce Harrington (bryce) wrote :

Thanks Simon! I'm preparing the dovecot merge and am including your change as part of that.
In running autopkgtest locally I spotted issues I want to chase down before uploading.

Revision history for this message
Bryce Harrington (bryce) wrote :

Uploaded, pending transition.

Changed in dovecot (Ubuntu):
status: Triaged → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package dovecot - 1:2.3.16+dfsg1-3ubuntu1

---------------
dovecot (1:2.3.16+dfsg1-3ubuntu1) jammy; urgency=medium

  [ Bryce Harrington ]
  * Merge with Debian unstable. (LP: #1946855)
    Remaining changes:
    - Package references hidden symbols during an LTO link. This needs further
      investigation. Until then, disable LTO.
  * Dropped:
    - SECURITY UPDATE: incorrectly escapes kid and azp fields in JWT tokens
      + debian/patches/CVE-2021-29157.patch: improve escaping in
        src/lib-dict-extra/dict-fs.c, src/lib-oauth2/oauth2-jwt.c,
        src/lib-oauth2/test-oauth2-jwt.c.
      [Included in Debian 1:2.3.13+dfsg1-2]
    - SECURITY UPDATE: plaintext command injection before STARTTLS
      + debian/patches/CVE-2021-33515.patch: properly handle command queue in
        src/lib-smtp/smtp-server-cmd-starttls.c,
        src/lib-smtp/smtp-server-connection.c.
      [Included in Debian 1:2.3.13+dfsg1-2]
  * d/rules: Disable Debian's recent enablement of LTO as well, as it
    FTBFS when building with gcc 11.
    (LP: #1951325)

  [ Simon Chopin ]
  * d/p/OpenSSL3.patch: Workaround to fix EC key handling when building
    with OpenSSL 3.0.
    (LP: #1945763)

 -- Bryce Harrington <email address hidden> Wed, 17 Nov 2021 13:46:08 -0800

Changed in dovecot (Ubuntu):
status: Fix Committed → Fix Released