Merge ~ericeberry/ubuntu/+source/dovecot:ubuntu/jammy-devel into ubuntu/+source/dovecot:ubuntu/jammy-devel

Proposed by Eric Berry
Status: Needs review
Proposed branch: ~ericeberry/ubuntu/+source/dovecot:ubuntu/jammy-devel
Merge into: ubuntu/+source/dovecot:ubuntu/jammy-devel
Diff against target: 201 lines (+134/-39)
4 files modified
debian/changelog (+8/-0)
debian/patches/fips-pbkdf2-fix-invalid-salt-length.patch (+125/-0)
debian/patches/series (+1/-1)
dev/null (+0/-38)
Reviewer: Vladimir Petko (community), Status: Approve
Reviewer: Nick Rosbrook, Status: Pending
Review via email: mp+493829@code.launchpad.net
Vladimir Petko (vpa1977) wrote :
review: Needs Fixing
7c76dc6... by Eric Berry

Fix fips-pbkdf2-fix-invalid-salt-length.patch header

Eric Berry (ericeberry) wrote :

> Please see https://code.launchpad.net/~ericeberry/ubuntu/+source/dovecot/+git/dovecot/+merge/486602/comments/1345867

> Hi,
>
> it looks like the patch is incomplete, the upstream patch also updates salt
> length in `dcrypt_openssl_encrypt_private_key_dovecot` [1].
>
> Some nits:
> - it may be easier for reviewers if you provide a separate patch per upstream
> commit.
> - Description: field should contain a short description, commit message is a
> good candidate: lib-dcrypt: Increase salt to 16 bytes for dovecot v2 keys
> - The long description can expand on that
> - If we adapt upstream patch, we should use backport, url
>
>
>
> [1] https://github.com/dovecot/core/commit/dab49bf12228f382f646329974350cf829fcdfcb.diff
> [2] https://dep-team.pages.debian.net/deps/dep3/

There are two versions of the dcrypt-openssl.c file. One version for OpenSSL 1.x and one version for OpenSSL 3.x. The file is renamed to dcrypt-openssl.c based on which version of OpenSSL is being used. In our case the dcrypt-openssl3.c file is renamed to dcrypt-openssl.c and that is the file that is patched.

Your requested changes to the dep3 header have been incorporated.

Is there any way to speed this process up? This patch has been lingering since May. Getting one line feedback from the ubuntu-sponsors team every two months is not helpful or productive.

Vladimir Petko (vpa1977) wrote :

Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading dovecot_2.3.16+dfsg1-3ubuntu2.6.dsc: done.
  Uploading dovecot_2.3.16+dfsg1-3ubuntu2.6.debian.tar.xz: done.
  Uploading dovecot_2.3.16+dfsg1-3ubuntu2.6_source.buildinfo: done.
  Uploading dovecot_2.3.16+dfsg1-3ubuntu2.6_source.changes: done.
Successfully uploaded packages

review: Approve
29498eb... by Eric Berry

Remove failed fix-leaking-virtual-mailbox.patch

Vladimir Petko (vpa1977) wrote :

We probably still want to keep 2.5 version's original changelog rather than rewrite it.

review: Needs Fixing
Vladimir Petko (vpa1977) wrote :

The only downside is that having # in 2.5 will close the bug, so we might want to remove that from the changelog. Nick?

Nick Rosbrook (enr0n) wrote :

No, please do not edit the previous entry. It's imperfect, but I would rather preserve the rule of only moving forward with the changelog.

We will make it clear in the existing bug that the status is *not* Fix Released.

Nick Rosbrook (enr0n) wrote (last edit ):

(Also, I am pretty sure that removing it from the changelog would not even prevent Launchpad from noticing the Launchpad-Bugs-Fixed from 1:2.3.21+dfsg1-2ubuntu6.1).

Vladimir Petko (vpa1977) wrote :

Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading dovecot_2.3.16+dfsg1-3ubuntu2.6.dsc: done.
  Uploading dovecot_2.3.16+dfsg1-3ubuntu2.6.debian.tar.xz: done.
  Uploading dovecot_2.3.16+dfsg1-3ubuntu2.6_source.buildinfo: done.
  Uploading dovecot_2.3.16+dfsg1-3ubuntu2.6_source.changes: done.
Successfully uploaded packages.

I have fixed the too-long changelog line on upload.

Approved provided the state of 1992848 will be updated to New/In Progress.

review: Approve

Unmerged commits

29498eb... by Eric Berry

Remove failed fix-leaking-virtual-mailbox.patch

7c76dc6... by Eric Berry

Fix fips-pbkdf2-fix-invalid-salt-length.patch header

2f16b8a... by Eric Berry

Update PBKDF2 salt length to be FIPS 140-3 compliant

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index e1b3f1a..d2b4c09 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,11 @@
6+dovecot (1:2.3.16+dfsg1-3ubuntu2.6) jammy; urgency=medium
7+
8+ * Update PBKDF2 salt length to be FIPS 140-3 compliant (LP: #2107773).
9+ - d/p/fips-pbkdf2-fix-invalid-salt-length.patch
10+ - d/p/fix-leaking-virtual-mailbox.patch: removed patch, failed validation (LP: 1992848)
11+
12+ -- Eric Berry <eric.berry@canonical.com> Thu, 06 Nov 2025 12:28:40 +0100
13+
14 dovecot (1:2.3.16+dfsg1-3ubuntu2.5) jammy; urgency=medium
15
16 * Re-introduce fix from 1:2.3.16+dfsg1-3ubuntu2.3:
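Review bot: the bullet `- d/p/fix-leaking-virtual-mailbox.patch: removed patch, failed validation (LP: 1992848)` runs past 80 columns and should be wrapped, and "failed validation" does not say what failed; a changelog reader will not learn why a fix that shipped in 1:2.3.16+dfsg1-3ubuntu2.5 is being withdrawn. It is also nested under the FIPS salt bullet although it is unrelated to it; a top-level bullet of its own that states what validation failed would keep the two changes distinguishable. Omitting the `#` in `(LP: 1992848)` does avoid having this entry mark the bug Fix Released, which matches the discussion in the comments, but as Nick notes the earlier entry already reached Launchpad, so the bug status still has to be corrected by hand.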
17diff --git a/debian/patches/fips-pbkdf2-fix-invalid-salt-length.patch b/debian/patches/fips-pbkdf2-fix-invalid-salt-length.patch
18new file mode 100644
19index 0000000..c13fc56
20--- /dev/null
21+++ b/debian/patches/fips-pbkdf2-fix-invalid-salt-length.patch
22@@ -0,0 +1,125 @@
23+Description: lib-dcrypt: Increase salt to 16 bytes for dovecot v2 keys
24+ When one enables FIPS mode on a Jammy system and then
25+ attempts to use Dovecot to create an encrypted mailbox, the module
26+ returns a invalid salt length error. FIPS mode requires a 16 byte
27+ salt for PBEKDF2 and Dovecot is only requesting 8 bytes of salt.
28+ The solution is to modify Dovecot to request 16 bytes of salt.
29+Author: Aki Tuomi <aki.tuomi@open-xchange.com>
30+Origin: backport, https://github.com/dovecot/core/compare/5ebc1e3e56024ea2a0925de99edd7fb1e7b652a7%5E...dab49bf12228f382f646329974350cf829fcdfcb
31+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/2107773
32+
33+--- a/src/lib-dcrypt/dcrypt-openssl.c
34++++ b/src/lib-dcrypt/dcrypt-openssl.c
35+@@ -2184,7 +2184,7 @@
36+ bool res;
37+ unsigned char *ptr;
38+
39+- unsigned char salt[8];
40++ unsigned char salt[DCRYPT_DOVECOT_SALT_LEN];
41+ buffer_t *peer_key = t_buffer_create(128);
42+ buffer_t *secret = t_buffer_create(128);
43+ cipher = t_str_lcase(cipher);
44+--- a/src/lib-dcrypt/dcrypt-private.h
45++++ b/src/lib-dcrypt/dcrypt-private.h
46+@@ -8,6 +8,9 @@
47+ #define DCRYPT_DOVECOT_KEY_ENCRYPT_PK 1
48+ #define DCRYPT_DOVECOT_KEY_ENCRYPT_PASSWORD 2
49+
50++/* Fips requires 16 byte salt */
51++#define DCRYPT_DOVECOT_SALT_LEN 16
52++
53+ struct dcrypt_vfs {
54+ bool (*initialize)(const struct dcrypt_settings *set,
55+ const char **error_r);
56+--- a/src/lib-dcrypt/test-crypto.c
57++++ b/src/lib-dcrypt/test-crypto.c
58+@@ -475,7 +475,13 @@
59+ "7d945aa6492275a02881071eceec5749caf2485da8c64fb601"
60+ "229098:ab13d251976dedab546b67354e7678821740dd534b7"
61+ "49c2857f66bf62bbaddfd:ab13d251976dedab546b67354e76"
62+- "78821740dd534b749c2857f66bf62bbaddfd"
63++ "78821740dd534b749c2857f66bf62bbaddfd",
64++ "2:1.3.132.0.35:2:aes-256-ctr:cf9951243f5e609a5e20d"
65++ "353e4011f62:sha256:2048:0c056337f221f5fd287eb3ef48"
66++ "86e596ef3b92e7d33c01a79579b35c8595f8e13cf4bccdb7f5"
67++ "409b095be5179bd94668ad88050ff828617ef3415b9e167d22"
68++ "e7fd95a3f80b3b:15286fe2a53773c64efa2b8fa79d4cd5b46"
69++ "3d422d30bf9103ca97999636e864f",
70+ };
71+
72+ test_begin("test_load_v2_key");
73+@@ -519,6 +525,26 @@
74+ dcrypt_key_unref_private(&priv);
75+ dcrypt_key_unref_public(&pub);
76+
77++ /* Matches the encrypted private key in index 4 */
78++ static const char *pem_key_4 =
79++"-----BEGIN PRIVATE KEY-----\n"
80++"MIHuAgEAMBAGByqGSM49AgEGBSuBBAAjBIHWMIHTAgEBBEIBoC5EFaNm/mWOH9Dp\n"
81++"juTNIuRRyKVEFZ0o1R9gPbeza2VvvKYZaIPck2HWEmJGoHOwo+Kc/Fq0Z7ka3Irg\n"
82++"o9CfYlihgYkDgYYABAFNIIDZZR3AYzhDsWvG9t3vznEsAtEZ9jjnhs4foSyfkKsq\n"
83++"Cj7+CY4JZVhHfjpWpPQ4XFRqZzdyCVCyTegVxONCpgEITkmjCd9z4gndS5+zysw9\n"
84++"mG6LOGyxnLz7ZbRqdZ1pqh9+pMk47luCfhGa8RRKjXeJXrU4uE9Uu++fA7zfP95o\n"
85++"Ew==\n"
86++"-----END PRIVATE KEY-----\n";
87++
88++ test_assert_idx(dcrypt_key_load_private(&priv,
89++ keys[4], "password", NULL, &error), 4);
90++ test_assert_idx(dcrypt_key_store_private(priv,
91++ DCRYPT_FORMAT_PEM, NULL, tmp,
92++ NULL, NULL, &error), 4);
93++ test_assert_strcmp_idx(str_c(tmp), pem_key_4, 4);
94++ buffer_set_used_size(tmp, 0);
95++ dcrypt_key_unref_private(&priv);
96++
97+ buffer_free(&tmp);
98+
99+ if (error != NULL) error = NULL;
100+@@ -532,24 +558,35 @@
101+ const char *error;
102+
103+ test_begin("test_load_v2_public_key");
104+- const char *key =
105++ const char *keys[] = {
106+ "2:3058301006072a8648ce3d020106052b810400230344000"
107+ "301c50954e734dd8b410a607764a7057065a45510da52f2c6"
108+ "e28e0cb353b9c389fa8cb786943ae991fce9befed78fb162f"
109+ "bbc615415f06af06c8cc80c37f4e94ff6c7:185a721254278"
110+ "2e239111f9c19d126ad55b18ddaf4883d66afe8d9627c3607"
111+- "d8";
112+-
113+- test_assert(dcrypt_key_load_public(&pub, key, &error));
114+-
115+- buffer_t *tmp = buffer_create_dynamic(default_pool, 256);
116++ "d8",
117++ "2:3058301006072a8648ce3d020106052b810400230344000"
118++ "301897d80b69ed3eccda4c5a5edc67e9a11ef76c4894710af"
119++ "b3deb52e5d996f23b6252d93ab349d1931a234eda9ff7cc40"
120++ "095b2b084b86e066839c7de8a08bf5bf46b:0a955323b7c00"
121++ "ef44581122c510cbfacfc503aea291b3a3fa2a811356df5be"
122++ "cd",
123++ };
124+
125+- if (pub != NULL) {
126+- test_assert(dcrypt_key_store_public(pub,
127+- DCRYPT_FORMAT_DOVECOT, tmp, &error));
128+- test_assert(strcmp(key, str_c(tmp))==0);
129+- buffer_free(&tmp);
130+- dcrypt_key_unref_public(&pub);
131++ for (size_t i = 0; i < N_ELEMENTS(keys); i++) {
132++ const char *key = keys[i];
133++ test_assert_idx(dcrypt_key_load_public(&pub, key, &error), i);
134++ test_assert_idx(pub != NULL, i);
135++
136++ buffer_t *tmp = buffer_create_dynamic(default_pool, 256);
137++
138++ if (pub != NULL) {
139++ test_assert_idx(dcrypt_key_store_public(pub,
140++ DCRYPT_FORMAT_DOVECOT, tmp, &error), i);
141++ test_assert_strcmp_idx(key, str_c(tmp), i);
142++ buffer_free(&tmp);
143++ dcrypt_key_unref_public(&pub);
144++ }
145+ }
146+
147+ test_end();
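Review bot: the `Bug-Ubuntu:` header points at the openssl source package (`https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/2107773`) while this patch is carried in dovecot; if the bug has a dovecot task, link that one. The long description has two typos (`a invalid salt length`, `PBEKDF2`), and `Origin: backport,` references a commit range rather than the individual upstream commits, which makes later rebases and audits harder (the earlier review asked for one patch per upstream commit). On substance the hunk only changes the `salt[]` declaration at one site in dcrypt-openssl.c plus the new `DCRYPT_DOVECOT_SALT_LEN` constant; since the earlier review pointed out that upstream also updates the salt length in `dcrypt_openssl_encrypt_private_key_dovecot`, it is worth stating explicitly in the header that the OpenSSL 3 file Jammy builds needs only this one site, so the next person does not re-open that question. The test changes look right: the existing `keys[]` vectors are kept, so keys created before the change are still exercised by `test_load_v2_key`, and the new index-4 vector and `pem_key_4` cover a key whose embedded salt field is 16 bytes.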
148diff --git a/debian/patches/fix-leaking-virtual-mailbox.patch b/debian/patches/fix-leaking-virtual-mailbox.patch
149deleted file mode 100644
150index 01cf4d4..0000000
151--- a/debian/patches/fix-leaking-virtual-mailbox.patch
152+++ /dev/null
153@@ -1,38 +0,0 @@
154-From bdf4474ed82aaf964e7d94e72ca56b496e3815f9 Mon Sep 17 00:00:00 2001
155-From: Timo Sirainen <timo.sirainen@open-xchange.com>
156-Date: Fri, 1 Oct 2021 15:08:45 +0300
157-Subject: [PATCH] virtual: Fix leaking mailboxes if virtual mailbox can't
158- be opened
159-
160-Fixes also a crash at deinit:
161-Panic: file mail-user.c: line 232 (mail_user_deinit): assertion failed: ((*user)->refcount == 1)
162-
163-Description: Fix the dovecot package to prevent from leaking mailboxes
164- if virtual mailbox cannot be opened.
165-Origin: upstream, https://github.com/dovecot/core/commit/bdf4474ed82aaf964e7d94e72ca56b496e3815f9
166-Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/dovecot/+bug/1992848
167-Reviewed-By: Bryce Harrington <bryce@canonical.com>
168-Last-Update: 2022-10-20
169----
170- src/plugins/virtual/virtual-storage.c | 4 ++--
171- 1 file changed, 2 insertions(+), 2 deletions(-)
172-
173-diff --git a/src/plugins/virtual/virtual-storage.c b/src/plugins/virtual/virtual-storage.c
174-index 2f31503d53..a0779cc186 100644
175---- a/src/plugins/virtual/virtual-storage.c
176-+++ b/src/plugins/virtual/virtual-storage.c
177-@@ -495,12 +495,12 @@ static int virtual_mailbox_open(struct mailbox *box)
178- ret = virtual_mailboxes_open(mbox, box->flags);
179- array_pop_back(&mbox->storage->open_stack);
180- }
181-+ if (ret == 0)
182-+ ret = index_storage_mailbox_open(box, FALSE);
183- if (ret < 0) {
184- virtual_mailbox_close_internal(mbox);
185- return -1;
186- }
187-- if (index_storage_mailbox_open(box, FALSE) < 0)
188-- return -1;
189-
190- mbox->virtual_ext_id =
191- mail_index_ext_register(mbox->box.index, "virtual", 0,
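Review bot: deleting this patch withdraws a shipped fix for a mailbox leak and the deinit crash it describes (`Panic: file mail-user.c: line 232 (mail_user_deinit): assertion failed: ((*user)->refcount == 1)`) with no replacement, so users whose virtual mailboxes fail to open regress to the leaking behaviour. That may well be the right call if the patch failed verification, but the reason belongs in the changelog or the bug, and LP: 1992848 must be moved back out of Fix Released, as the comments above already require. Bundling this revert with the unrelated FIPS salt change also means the two cannot be verified or reverted independently; if a separate upload is not practical, at least keep them as separate top-level changelog entries.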
192diff --git a/debian/patches/series b/debian/patches/series
193index d761a23..a1e48c3 100644
194--- a/debian/patches/series
195+++ b/debian/patches/series
196@@ -35,4 +35,4 @@ CVE-2024-23184-5.patch
197 CVE-2024-23184-6.patch
198 CVE-2024-23185-1.patch
199 CVE-2024-23185-2.patch
200-fix-leaking-virtual-mailbox.patch
201+fips-pbkdf2-fix-invalid-salt-length.patch
