[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Please update courier security tracker information

Hi,

On Mon, Jul 21, 2025 at 04:21:02PM -0700, Soren Stoutner wrote:
> Bonaccorso,
> 
> On Monday, June 30, 2025 10:58:37 PM Mountain Standard Time Soren Stoutner 
> wrote:
> > On Monday, June 30, 2025 10:26:04 PM Mountain Standard Time Salvatore
> > 
> > Bonaccorso wrote:
> > > Hi Soren,
> > > 
> > > On Thu, Jun 12, 2025 at 11:39:24AM -0700, Soren Stoutner wrote:
> > > > On Wednesday, June 11, 2025 9:59:24 PM Mountain Standard Time Salvatore
> > > > 
> > > > Bonaccorso wrote:
> > > > > Hi Soren,
> > > > > 
> > > > > On Wed, Jun 11, 2025 at 03:11:53PM -0700, Soren Stoutner wrote:
> > > > > > The security tracker for courier list two pieces of inaccurate
> > > > 
> > > > information.
> > > > 
> > > > > > https://security-tracker.debian.org/tracker/source-package/courier
> > > > > > 
> > > > > > 1.  CVE-2004-2313 was fixed in Debian a long time ago.  I think this
> > 
> > was
> > 
> > > > not
> > > > 
> > > > > > auto-detected because SqWebMail uses a different version numbering
> > > > > > scheme
> > > > > > than the source package it is built from.  CVE-2004-2313 affected
> > > > 
> > > > SqWebMail
> > > > 
> > > > > > 3.4.1 through 3.6.1.  The current version in Debian is 
> 6.2.9+1.4.1-2.
> > > > > > 
> > > > > > https://packages.debian.org/unstable/sqwebmail
> > > > > > 
> > > > > > 2.  It is unclear if CVE-2005-1308 was ever actually a security bug.
> > > > > > The
> > > > > > Debian bug report doesn’t think so.
> > > > > > 
> > > > > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=307575
> > > > > > 
> > > > > > The CVE submission doesn’t list any vulnerable or fixed versions, 
> and
> > > > > > all
> > > > > > the
> > > > > > links on the CVE are either dead or unuseful.
> > > > > > 
> > > > > > https://www.cve.org/CVERecord?id=CVE-2005-1308
> > > > > 
> > > > > Both are amrked unimportant for certain reasons. For the former if you
> > > > > have an exact fixed version where the fix landed in a unstable upload
> > > > > then we can update the metadata. Just adding a fixed version on latest
> > > > > is wrong.
> > > > 
> > > > CVE-2004-2313 was fixed in src:courier 0.47-3 which shipped SqWebMail
> > 
> > 4.0.7,
> > 
> > > > which is newer than the last vulnerable version 3.6.1.
> > > 
> > > This is quite unlikely if you compare the changes between 0.47-2 and
> > > 0.47-3 which only fixed a typo closing #276774. And furthermore we
> > > cannot and will not trust CVE description for version ranges as they
> > > may only reflect a known current state at a given point in time,
> > > sometimes they are accurate, sometimes they are not, so we need a
> > > clear evidence where the fix landed, then we can update the metadata.
> > > 
> > > If not we err on the safe side. And again note that those CVEs are
> > > marked unimportant.
> > > 
> > > If you can point me to the version change after SqWebMail 3.6.1
> > > implementing the said security feature in the NOTE we can try to take
> > > an effort to correct this historic metadata.
> > 
> > When I wrote the above I was indicating that 0.47-3 was the first fixed
> > version that I can verify shipped in Debian.  This came from:
> > 
> > https://snapshot.debian.org/binary/sqwebmail/
> > 
> > This is so long ago that the information about the old packages is sporadic 
> as
> > it jumps from 0.37.3-2.9 to 0.47-3.  So, perhaps my previous email should
> > have more accurately said that the fix landed sometime between 0.37.3-2.9 
> and
> > 0.47-3, but for certain it was contained in 0.47-3.
> > 
> > This can be seen by downloading both packages and looking at the details
> > inside them.
> > 
> > 0.37.3-2.9:
> > 
> > /usr/share/doc/sqwebmail/changelog.gz shows that this shipped SqWebMail 
> 3.3.2,
> > released on 2002-02-25
> > 
> > This version was not affected by the CVE, as it was introduced in version
> > 3.4.1.  Presumably, Debian at one time did ship an affected version, 
> probably
> > only in testing and unstable, but this is not preserved on
> > snapshot.debian.org.
> > 
> > 0.47-3:
> > 
> > /usr/share/doc/sqwebmail.changelog.gz shows that this shipped a version of
> > SqWebMail three commits past 4.0.7, dated 2004-09-02.  This includes the 
> fixed
> > version of 3.6.1
> > 
> > The commit history on GitHub doesn’t go back that far, because it didn’t 
> exist
> > as a project on GitHub in 2003 (GitHub wasn’t even founded until 2008).  So,
> > it is hard to know exactly what was changed in each commit.
> > 
> > https://github.com/svarshavchik/courier
> > 
> > But it appears this commit from 2003-10-10 described in the 0.47-3 changelog
> > is what fixed the CVE:
> > 
> > "sqwebmail.c (error3): More informative error messages.”
> > 
> > This tracks with the description of the CVE:
> > 
> > Inter7 SqWebMail 3.4.1 through 3.6.1 generates different error messages for
> > incorrect passwords versus correct passwords on non-mail-enabled accounts
> > (such as root), which allows remote attackers to guess the root password via
> > brute force attacks.
> > 
> > Note that the CVE was filed in 2004, after the fix had already been applied 
> to
> > the source in 2003.  This was why the person filing the CVE could 
> confidently
> > include the first and last affected version at the time of the filing.
> 
> Do you have any further questions about the additional information I provided 
> in the previous email?

I raised already some items in the previous mail. 

- CVE descriptions cannot be trusted. In particular we cannot
  determine that the version after 3.6.1  fixes the issue. Neither is
  there a clear "mapping" that "more informative error messages" while
  there is at least sime indication that it *may* relate to "generates
  different error messages for incorrect passwords versus correct
  passwords". But "appers to be" is non enough, very improtantly when
  we touch stuff going back over 20 years.

- How do you know that the person filling the CVE requested in when
  and after the fix was applied? The CVE was reserved in
  2005-08-16T00:00:00, published in 2005-08-16T04:00:00. We know some
  updated happend on 2017-07-10T14:57:01 and CVE metadata was last
  updated on 2024-08-08T01:22:13.536Z. From the CVE record we do not
  know hwo requested it from MITRE and so neither we can get
  confirmation on the claims from that person.

- Public information still accessible is not avialable anymore in this
  point in time, modulo the IBM one which stated that as per 1.
  september 2024 no fix was yet available.

- We marked the issue unimportant bringing it away from our radars.

- When touching historic entries either is is 100% clear what was the
  fix or leave the entry untouched.

- The CVE have no further helpful information from our cross distro
  references.

- you can try to reach out to courier upstream to get a public answer
  referenceable on the fix for CVE-2004-2313 which we can use as
  proof.

Regards,
Salvatore
Reply to: