Dovecot Backport for Security

Gero Treuner (Author and Copyright 2018-03-04)
Stuttgart (Germany)
www.70t.de/projects/dovecot_backport_2018-03-03/
License GPLv3+

Introduction

On the occasion of the current Debian security advisory (DSA-4130-1) I started investigating whether a security fix for "oldoldstable", which I am still using on my mail server, can likely be expected.

The Security Tracker information and the QA page (both may have moved on by the time you read this) usually give an overview. During this research I stumbled over a setuid security issue here. This kind of thing is generally serious. When the wheezy version is older than the fixed version and the fix is a significant structural change, the work of backporting it to the old sources is not worth it for a distribution first released back in 2013.

So it is strongly advisable to upgrade to at least the next minor version, which can be found in wheezy-backports, but ... without any security fixes: I learned that wheezy-backports is closed, so definitely no hope. OK, it is open source, so it is probably my turn to jump in ...

You can download the result here, insecurely, because it is neither signed nor encrypted. So please build the packages yourself following the instructions below rather than just downloading the binary packages! I also bother writing this to show that you can do that.

This is the right place to express a big thank you to all Debian contributors for making all this possible, in current and in outdated releases (via the Debian LTS programme). The "old" wheezy machine works too well to have a real need for a general upgrade, so I can be lazy most of the time (but not today) ... The Exim security fix in 2017 was a bit of a pain because it broke my setup, but it was nevertheless highly welcome because it had to be done for security reasons ;-)

Approach

  1. Fetch the best Debian source package for Dovecot version >=2.2.7
  2. Adjust files to meet backport requirements for Debian 7.11 (wheezy)
  3. Build, install and verify

Detailed Steps

Of course your build machine must be prepared with a compiler and all other packages necessary for a Debian build. Usually this is achieved with the packages build-essential and fakeroot. For further reading click the right chapter in the Debian New Maintainers' Guide.

Fetch the source package

I chose the next Debian release as a base, because the risk that something goes wrong increases with every release you skip, and Debian 8 (jessie) is still getting security fixes.

If you have a Jessie machine (easier to check signatures):

  1. Make sure the packages dpkg-dev and debian-keyring are installed.
  2. Then extract and patch the sources in one go, and check that no signature warnings appear:
         apt-get source dovecot
        
  3. Finally move all files to your Debian Wheezy machine.

Otherwise:

  1. Open the source page on packages.debian.org (via link or package search for jessie/oldstable).
  2. Download the following files below the headline "Download Source Package":
    dovecot_2.2.13-12~deb8u4.dsc
    dovecot_2.2.13.orig.tar.gz
    dovecot_2.2.13-12~deb8u4.debian.tar.xz
    Note: the version may be newer if further security fixes have been released.
  3. Check the integrity of the downloaded files. At a minimum make sure the server is the official Debian server and the TLS connection is perfectly valid. Comparing the checksums shown on the same page adds no security value unless they come from a trustworthy, independent source. A thorough check consists of getting the Debian developer's public key, verifying the signature of the *.dsc file with it, and then verifying the checksums of the other files against the ones listed in the *.dsc.
  4. Extract and patch the sources:
         dpkg-source -x dovecot_2.2.13-12~deb8u4.dsc
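
The "thorough check" of step 3, spelled out as a script. This is an added example and not code from the original page: it verifies the OpenPGP signature on the .dsc against the keyring that the debian-keyring package installs at /usr/share/keyrings/debian-keyring.gpg, and then checks the SHA-256 of every file listed in the .dsc's Checksums-Sha256 stanza (the devscripts tool dscverify does both in one go; this shows what is being checked). The sample .dsc and tarball the script builds for itself are constructed, not the real dovecot files, so the checksum step can be tried offline.

```shell
#!/bin/sh
# Added example (not code from the original page): the "thorough check" of a
# downloaded Debian source package, step by step. The devscripts tool dscverify
# does the same in one go; this shows what is actually being checked.
#   1. the OpenPGP signature on the .dsc, against the Debian developers' keyring
#      (/usr/share/keyrings/debian-keyring.gpg is installed by package debian-keyring)
#   2. the SHA-256 of every file the .dsc lists in its Checksums-Sha256 stanza

# Step 1: exit status is nonzero if the signature is missing, bad, or from a key
# that is not in the keyring. Needs gnupg and debian-keyring installed.
verify_dsc_signature() {
    gpg --no-default-keyring \
        --keyring /usr/share/keyrings/debian-keyring.gpg \
        --verify "$1"
}

# Step 2: the stanza looks like
#   Checksums-Sha256:
#    <sha256> <size> <filename>
# with one indented line per file; it ends at the next unindented line (the next
# field, or the PGP signature block in a signed .dsc). Filenames are relative to
# the directory of the .dsc. The size field is not checked separately: a changed
# size also changes the checksum.
verify_dsc_checksums() {
    dsc="$1"
    dir=$(dirname "$dsc")
    list=$(mktemp)
    awk '/^Checksums-Sha256:/ { inside = 1; next }
         /^[^ ]/              { inside = 0 }
         inside && NF == 3    { print $1 "  " $3 }' "$dsc" > "$list"
    if ! [ -s "$list" ]; then
        echo "no Checksums-Sha256 stanza found in $dsc" >&2
        rm -f "$list"
        return 1
    fi
    # sha256sum -c wants "<sha256>  <filename>" lines; --strict also fails on
    # malformed lines, --quiet only reports mismatches
    (cd "$dir" && sha256sum -c --quiet --strict "$list")
    rc=$?
    rm -f "$list"
    return "$rc"
}

# Constructed sample so step 2 can be exercised offline: a fake tarball and an
# unsigned .dsc listing it (a real .dsc is clearsigned; the stanza looks the same).
# Prints the path of the sample .dsc.
make_sample_dsc() {
    d=$(mktemp -d)
    tarball="$d/dovecot_2.2.13.orig.tar.gz"
    printf 'not a real dovecot tarball, constructed for this example\n' > "$tarball"
    sum=$(sha256sum "$tarball" | cut -d' ' -f1)
    size=$(wc -c < "$tarball" | tr -d ' ')
    printf 'Format: 3.0 (quilt)\nSource: dovecot\nVersion: 1:2.2.13-12~deb8u4\nChecksums-Sha256:\n %s %s dovecot_2.2.13.orig.tar.gz\nFiles:\n' \
        "$sum" "$size" > "$d/dovecot_2.2.13-12~deb8u4.dsc"
    echo "$d/dovecot_2.2.13-12~deb8u4.dsc"
}

# Real use: sh verify-dsc.sh dovecot_2.2.13-12~deb8u4.dsc (with the .orig.tar.gz
# and .debian.tar.xz in the same directory); both steps must pass.
if [ -n "${1:-}" ]; then
    verify_dsc_signature "$1" && verify_dsc_checksums "$1" && echo "OK: $1"
fi
```

The order matters: the signature check establishes that the .dsc is the one a Debian developer signed, and only then do the checksums inside it say anything about the other two files. A checksum match against a .dsc whose signature was not verified proves nothing more than that the three files belong together.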
        

Apply changes for backport to Wheezy

The instructions here apply to this specific situation and cannot be used as a template for backporting. In the general situation of looking for a package with new security fixes you should examine the changes between the given backported package and the original one.

There are 2 issues here: systemd (dh-systemd does not exist in wheezy) and Lucene (wheezy's libclucene-dev is older than the required 2.3).

The backport is done by editing the relevant Debian files, which are located in the directory dovecot-2.2.13/debian. The generic, dumb approach to removing things is to search for keywords and think about the scope of the change: it can be the removal of an element, switching an option to a different value, the removal of a whole section or even of a file. This works pretty well here, but if you do it yourself you will not know until you actually build the packages ...

Patches in directory debian/patches
The file series defines which patches are applied and in which order. As nothing looks related to systemd or libclucene, we leave this as-is.
File debian/control
This file contains overall information about the resulting packages. The build dependencies should always be checked for undesired components and unavailable versions:
In the line starting with "Build-Depends:" we kick out dh-systemd and libclucene-dev (>= 2.3).
In the line starting with "Suggests:" we kick out dovecot-lucene. As said, we are not going to build that package.
For the same reason we get rid of the section starting with "Package: dovecot-lucene".
File debian/rules
This file defines the build process. In the configure command we find and delete the lines --with-lucene and --with-systemdsystemunitdir=auto. There are more commands where Lucene files are copied (following the comment "# lucene") and debhelper invocations for systemd which we do not want, dh_systemd_enable and dh_systemd_start; all of these are deleted too.
Package specific files debian/dovecot-*.dirs etc.
These files contain installation instructions for the packages. We delete the ones for the Lucene-related package:
dovecot-lucene.dirs
dovecot-lucene.links
dovecot-lucene.lintian-overrides
dovecot-lucene.triggers
File debian/changelog
This file does what the name indicates: You should add an entry at the top following the same format.
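
Since you only find out at build time whether the keyword hunt was complete, here is the check I would run over debian/ first. It is an added example and not part of the original page: it looks for the two things this backport removes, using the page's own keywords (lucene/libclucene and systemd/dh_systemd), flags any leftover dovecot-lucene.* package file, and greps every other packaging file, patches/series and the patches included, for the keywords. debian/changelog is excluded on purpose because the new entry legitimately mentions both. The minimal debian/ tree the script builds for itself is constructed, not the real dovecot packaging.

```shell
#!/bin/sh
# Added example (not from the original page): after editing debian/, check for
# leftovers of the two things this backport removes before spending build time.
# The keywords are the page's own: lucene / libclucene and systemd / dh_systemd.
# Exit status 0 means clean, 1 means something was found (and listed).
check_leftovers() {
    debdir="$1"
    rc=0
    # 1. package-specific files of the dropped binary package must be gone;
    #    the diff's "Only in" lines are not applied by patch, so this catches
    #    a half-done cleanup
    for f in "$debdir"/dovecot-lucene.*; do
        [ -e "$f" ] || continue
        echo "leftover package file: $f"
        rc=1
    done
    # 2. no keyword in any other packaging file. debian/changelog is excluded:
    #    the new entry legitimately says why lucene and systemd were disabled.
    #    patches/series and the patches themselves are included on purpose,
    #    to confirm that "nothing looks related to systemd or libclucene".
    hits=$(grep -rIl -i -e lucene -e systemd "$debdir" 2>/dev/null \
           | grep -v '/changelog$' || true)
    if [ -n "$hits" ]; then
        echo "leftover references to lucene/systemd in:"
        echo "$hits"
        rc=1
    fi
    return "$rc"
}

# Constructed sample (not the real dovecot packaging): a minimal debian/ tree
# in the state the edits above aim for. Prints its path.
make_sample_debian_dir() {
    d=$(mktemp -d)
    printf 'Source: dovecot\nBuild-Depends: debhelper (>= 7.2.3~), po-debconf\n\nPackage: dovecot-core\nArchitecture: any\n' > "$d/control"
    printf '\tdh_installinit -pdovecot-core --init-script=dovecot -u"defaults 20"\n' > "$d/rules"
    printf 'dovecot (1:2.2.13-12~bpo70+1) wheezy-backports; urgency=high\n\n  * Disable systemd and lucene\n' > "$d/changelog"
    mkdir "$d/patches"
    : > "$d/patches/series"
    echo "$d"
}

# Real use: sh check-leftovers.sh dovecot-2.2.13/debian
if [ -n "${1:-}" ]; then
    check_leftovers "$1" && echo "clean: $1"
fi
```

This covers the "undesired components" half of the Build-Depends check; the "unavailable versions" half is what dpkg-checkbuilddeps, run on the wheezy machine inside the source directory, reports.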

Here are all changes in unified diff format. This can be downloaded from www.70t.de/download/dovecot-wheezy-backport/dovecot-2.2.13-bpo-wheezy.diff.

Note for those not familiar with the diff format:
Just try; with a little practice it is easy to read:
Lines starting with diff, ---, +++ describe the 2 compared files.
Lines surrounded by @@ open a comparison chunk with the line numbers (you can ignore the numbers, chunks are in order of appearance).
Within a chunk the first character indicates the type of change: " " (blank) means unchanged (present in both files), "-" (minus) means deleted (present only in the first/old file), "+" (plus) means added (present only in the second/new file).
Lines starting with Only in ... reference files which are only present on one side; which one can be seen from the path.

Note for the rest ;-)
As you guessed, patches can be applied automatically using the patch command: from inside the extracted dovecot-2.2.13 directory, patch -p1 < dovecot-2.2.13-bpo-wheezy.diff applies the hunks below (-p1 strips the leading dovecot-2.2.13-*/ component from the paths). patch does nothing with the Only in ... lines, so the four dovecot-lucene.* files have to be deleted by hand. For details use the command man patch (and don't forget to have the package of that name installed).

diff -ur dovecot-2.2.13-jessie/debian/changelog dovecot-2.2.13-bpo/debian/changelog
--- dovecot-2.2.13-jessie/debian/changelog	2018-03-01 18:12:05.000000000 +0100
+++ dovecot-2.2.13-bpo/debian/changelog	2018-03-04 12:59:57.745971388 +0100
@@ -1,3 +1,11 @@
+dovecot (1:2.2.13-12~bpo70+1) wheezy-backports; urgency=high
+
+  * Rebuild for wheezy-backports from recent version with security fixes
+  * Disable systemd which is not in wheezy
+  * Disable lucene because liblucene is too old in wheezy
+
+ -- Gero Treuner <gt_72_debian.org@innocircle.com>  Sat, 03 Mar 2018 13:21:28 +0100
+
 dovecot (1:2.2.13-12~deb8u4) jessie-security; urgency=high
 
   * [eb6eab8] Fix CVE-2017-14461: rfc822_parse_domain information leak
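Review bot: the reason in the second bullet does not name the package that was actually dropped: debian/control loses libclucene-dev (>= 2.3), not "liblucene", so "libclucene-dev in wheezy is older than 2.3" would keep the entry traceable to the control change. Version 1:2.2.13-12~bpo70+1 sorts below the jessie 1:2.2.13-12~deb8u4 it was built from and above anything in wheezy, as a backport should, and the distribution, urgency and trailer lines are well-formed.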
diff -ur dovecot-2.2.13-jessie/debian/control dovecot-2.2.13-bpo/debian/control
--- dovecot-2.2.13-jessie/debian/control	2018-03-01 18:12:05.000000000 +0100
+++ dovecot-2.2.13-bpo/debian/control	2018-03-04 12:54:06.842176516 +0100
@@ -3,7 +3,7 @@
 Priority: optional
 Maintainer: Dovecot Maintainers <jaldhar-dovecot@debian.org>
 Uploaders: Jaldhar H. Vyas <jaldhar@debian.org>, Fabio Tranchitella <kobold@debian.org>, Joel Johnson <mrjoel@lixil.net>, Marco Nenciarini <mnencia@debian.org>, Jelmer Vernooij <jelmer@debian.org>, Apollon Oikonomopoulos <apoikos@debian.org>
-Build-Depends: debhelper (>= 7.2.3~), dh-autoreconf, dpkg-dev (>= 1.16.1), pkg-config, libssl-dev, libpam0g-dev, libldap2-dev, libpq-dev, libmysqlclient-dev, libsqlite3-dev, libsasl2-dev, zlib1g-dev, libkrb5-dev, drac-dev (>= 1.12-5), libbz2-dev, libdb-dev, libcurl4-gnutls-dev, libexpat-dev, libwrap0-dev, dh-systemd, po-debconf, lsb-release, libclucene-dev (>= 2.3), liblzma-dev, libexttextcat-dev, libstemmer-dev, autotools-dev
+Build-Depends: debhelper (>= 7.2.3~), dh-autoreconf, dpkg-dev (>= 1.16.1), pkg-config, libssl-dev, libpam0g-dev, libldap2-dev, libpq-dev, libmysqlclient-dev, libsqlite3-dev, libsasl2-dev, zlib1g-dev, libkrb5-dev, drac-dev (>= 1.12-5), libbz2-dev, libdb-dev, libcurl4-gnutls-dev, libexpat-dev, libwrap0-dev, po-debconf, lsb-release, liblzma-dev, libexttextcat-dev, libstemmer-dev, autotools-dev
 Standards-Version: 3.9.6
 Homepage: http://dovecot.org/
 Vcs-Git: git://anonscm.debian.org/collab-maint/dovecot.git
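Review bot: dropping dh-systemd from Build-Depends is only safe if every dh_systemd_* call also disappears from debian/rules, otherwise the build dies at that call with "command not found" after all the compiling is done; the rules hunk further down does that, so the two must be applied together. Run dpkg-checkbuilddeps on the wheezy machine before building: the remaining list still has versioned entries (debhelper (>= 7.2.3~), dpkg-dev (>= 1.16.1), drac-dev (>= 1.12-5)) and a long unversioned tail that wheezy has to satisfy, and that command is what tells you.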
@@ -12,7 +12,7 @@
 Package: dovecot-core
 Architecture: any
 Depends: ${shlibs:Depends}, ${misc:Depends}, libpam-runtime (>= 0.76-13.1), openssl, adduser, ucf (>= 2.0020)
-Suggests: ntp, dovecot-gssapi, dovecot-sieve, dovecot-pgsql, dovecot-mysql, dovecot-sqlite, dovecot-ldap, dovecot-imapd, dovecot-pop3d, dovecot-lmtpd, dovecot-managesieved, dovecot-solr, dovecot-lucene
+Suggests: ntp, dovecot-gssapi, dovecot-sieve, dovecot-pgsql, dovecot-mysql, dovecot-sqlite, dovecot-ldap, dovecot-imapd, dovecot-pop3d, dovecot-lmtpd, dovecot-managesieved, dovecot-solr
 Provides: dovecot-common, dovecot-abi-${dovecot:ABI-Version}
 Replaces: dovecot-common (<< 1:2.0.14-2~), mailavenger (<< 0.8.1-4)
 Breaks: dovecot-common (<< 1:2.0.14-2~), mailavenger (<< 0.8.1-4)
@@ -180,18 +180,6 @@
  .
  This package provides Solr full text search support for Dovecot.
 
-Package: dovecot-lucene
-Architecture: any
-Depends: ${shlibs:Depends}, ${misc:Depends}, dovecot-core (= ${binary:Version})
-Description: secure POP3/IMAP server - Lucene support
- Dovecot is a mail server whose major goals are security and extreme
- reliability. It tries very hard to handle all error conditions and verify
- that all data is valid, making it nearly impossible to crash. It supports
- mbox/Maildir and it's own dbox/mdbox formats, and should also be pretty
- fast, extensible, and portable.
- .
- This package provides Lucene full text search support for Dovecot.
-
 Package: dovecot-dbg
 Section: debug
 Priority: extra
Only in dovecot-2.2.13-jessie/debian: dovecot-lucene.dirs
Only in dovecot-2.2.13-jessie/debian: dovecot-lucene.links
Only in dovecot-2.2.13-jessie/debian: dovecot-lucene.lintian-overrides
Only in dovecot-2.2.13-jessie/debian: dovecot-lucene.triggers
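Review bot: the four Only in lines are informational, patch does not delete files from them, so applying this diff alone leaves dovecot-lucene.dirs, .links, .lintian-overrides and .triggers in debian/. Remove them by hand as the text says, or regenerate the diff with diff -urN so the deletions become real hunks that patch can apply.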
diff -ur dovecot-2.2.13-jessie/debian/rules dovecot-2.2.13-bpo/debian/rules
--- dovecot-2.2.13-jessie/debian/rules	2018-03-01 18:12:05.000000000 +0100
+++ dovecot-2.2.13-bpo/debian/rules	2018-03-04 12:54:49.033670547 +0100
@@ -41,7 +41,6 @@
 		        --with-solr \
 	            --with-ioloop=best \
 	            --with-libwrap \
-	            --with-lucene \
 	            --host=$(DEB_HOST_GNU_TYPE) \
 	            --build=$(DEB_BUILD_GNU_TYPE) \
 	            --prefix=/usr \
@@ -52,7 +51,6 @@
 	            --infodir=\$${prefix}/share/info \
 	            --with-moduledir=\$${prefix}/lib/dovecot/modules \
 	            --disable-rpath \
-	            --with-systemdsystemunitdir=auto \
 	            --disable-static
 	$(MAKE) dovecot-config
 	# Pigeonhole
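Review bot: worth verifying after the build that nothing systemd-related is shipped once --with-systemdsystemunitdir=auto is gone: dpkg -c ../dovecot-core_*.deb | grep -i systemd should print nothing. Syntactically the hunk is clean: --disable-static, the unchanged last argument, carries no trailing backslash, so the configure command line still ends properly.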
@@ -186,9 +184,6 @@
 	mv $(CURDIR)/debian/dovecot-core/usr/lib/dovecot/modules/lib??_fts_solr_* $(CURDIR)/debian/dovecot-solr/usr/lib/dovecot/modules
 	mv $(CURDIR)/doc/solr-schema.xml $(CURDIR)/debian/dovecot-solr/usr/share/dovecot
 
-	# lucene
-	mv $(CURDIR)/debian/dovecot-core/usr/lib/dovecot/modules/lib??_fts_lucene_* $(CURDIR)/debian/dovecot-lucene/usr/lib/dovecot/modules
-
 	# dev
 	mv $(CURDIR)/debian/dovecot-core/usr/include/* $(CURDIR)/debian/dovecot-dev/usr/include
 	mv $(CURDIR)/debian/dovecot-core/usr/lib/dovecot/dovecot-config $(CURDIR)/debian/dovecot-dev/usr/lib/dovecot
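Review bot: this removal is required, not cosmetic: with --with-lucene gone from configure no lib??_fts_lucene_* module is built, the glob would stay unexpanded and mv would abort the build with "No such file or directory", and the debian/dovecot-lucene/... target directory would not exist either. The solr mv two lines above keeps working because --with-solr is still configured.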
@@ -223,9 +218,7 @@
 	dh_installexamples -a
 	dh_installpam -a
 	mv $(CURDIR)/debian/dovecot-core/etc/pam.d/dovecot-core $(CURDIR)/debian/dovecot-core/etc/pam.d/dovecot
-	dh_systemd_enable
 	dh_installinit -pdovecot-core --init-script=dovecot -u"defaults 20"
-	dh_systemd_start
 	dh_installman -a
 	dh_installman -p dovecot-core debian/maildirmake.dovecot.1
 	dh_installdebconf -a
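Review bot: both dh_systemd_* calls are gone, which matches the dh-systemd build dependency dropped in debian/control; with dh_installinit -pdovecot-core --init-script=dovecot -u"defaults 20" as the only remaining init integration the package installs a plain sysvinit script, which is what a wheezy box expects. Since the diff only shows this region, confirm no other call remains elsewhere in the file (grep -n dh_systemd debian/rules).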
  

Building and Verifying

Now that editing is done, let's cross fingers and let the computer sweat. Running dpkg-checkbuilddeps first lists any build dependency still missing on the machine; add -us -uc to the command below if you don't want the result signed with your own GPG key. From within the source directory the build is triggered by

   dpkg-buildpackage
  

On successful build a couple of *.deb files appear in the parent directory, ready for installation. Please see /usr/share/doc/dovecot-core/README.Debian.gz. Probably you want to create a new group for the dovecot user for security reasons.

For my scenario with IMAP/POP3 service and Exim authenticating against dovecot, the configuration files could remain as-is. Smoke tests, also covering authentication, were fine.


[Legal Info / Impressum / Data Protection Declaration] / Last change 2018-03-04