Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: delta...@debian.org
User: release.debian....@packages.debian.org
Usertags: pu

[ Reason ]
There is a bug in libkf5sieve where, when using managesieve, the password
is sent in place of the username. Because the login then fails, the
password can end up in the server's logs.

[ Impact ]
Potentially sensitive passwords are logged on a server.

[ Tests ]
The affected user has successfully tested the patched version.

[ Risks ]
The patch is trivial (1 line is changed) and it's quite obvious
that it was a bug in the first place.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
1-line patch to fix the bug.

diffstat for libkf5ksieve-22.12.3 libkf5ksieve-22.12.3

 changelog                   |    8 ++++++++
 patches/password_leak.patch |   30 ++++++++++++++++++++++++++++++
 patches/series              |    1 +
 3 files changed, 39 insertions(+)

diff -Nru libkf5ksieve-22.12.3/debian/changelog 
libkf5ksieve-22.12.3/debian/changelog
--- libkf5ksieve-22.12.3/debian/changelog       2023-03-01 21:32:56.000000000 
+0100
+++ libkf5ksieve-22.12.3/debian/changelog       2024-04-22 17:43:15.000000000 
+0200
@@ -1,3 +1,11 @@
+libkf5ksieve (4:22.12.3-1+deb12u1) bookworm; urgency=medium
+
+  [ Patrick Franz ]
+  * Add patch to prevent leaking passwords into server-side logs
+    (Closes: #1069163).
+
+ -- Patrick Franz <delta...@debian.org>  Mon, 22 Apr 2024 17:43:15 +0200
+
 libkf5ksieve (4:22.12.3-1) unstable; urgency=medium
 
   [ Patrick Franz ]
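Review bot: the changelog entry records the fix but gives no guidance to users who already ran the affected version; since the [ Impact ] section above states that passwords may already have been written to server-side logs, consider adding a line to this entry advising affected users to change the managesieve password and server operators to purge the affected failed-login log entries.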
diff -Nru libkf5ksieve-22.12.3/debian/patches/password_leak.patch 
libkf5ksieve-22.12.3/debian/patches/password_leak.patch
--- libkf5ksieve-22.12.3/debian/patches/password_leak.patch     1970-01-01 
01:00:00.000000000 +0100
+++ libkf5ksieve-22.12.3/debian/patches/password_leak.patch     2024-04-19 
13:08:00.000000000 +0200
@@ -0,0 +1,30 @@
+From 6b460ba93ac4ac503ba039d0b788ac7595120db1 Mon Sep 17 00:00:00 2001
+From: Laurent Montel <mon...@kde.org>
+Date: Wed, 8 Mar 2023 06:51:22 +0100
+Subject: [PATCH] Fix 467034: libksieve/src/kmanagesieve/session.cpp assigns
+ password to username & gets logged(
+
+Bug investigate by "bib" thanks
+BUG: 467034
+BUG: 437858
+FIXED-IN: 5.23.0
+---
+ src/kmanagesieve/session.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/kmanagesieve/session.cpp b/src/kmanagesieve/session.cpp
+index 26fd7b59..0e40d721 100644
+--- a/src/kmanagesieve/session.cpp
++++ b/src/kmanagesieve/session.cpp
+@@ -273,7 +273,7 @@ KManageSieve::AuthDetails 
Session::requestAuthDetails(const QUrl &url)
+     AuthDetails ad;
+     ad.valid = false;
+     if (dlg->exec()) {
+-        ad.username = dlg->password();
++        ad.username = dlg->username();
+         ad.password = dlg->password();
+         ad.valid = true;
+     }
+-- 
+GitLab
+
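Review bot: the patch file carries the upstream git headers (From/Date/Subject) but no DEP-3 `Origin:` or `Bug-Debian:` field, so the link between this file, upstream commit 6b460ba93ac4ac503ba039d0b788ac7595120db1 and Debian bug #1069163 lives only in the changelog; consider adding `Origin: upstream` with that commit id and `Bug-Debian: https://bugs.debian.org/1069163` at the top of the file. The one-line change itself is correct: `ad.username = dlg->password();` becomes `ad.username = dlg->username();` while the following `ad.password = dlg->password();` line is untouched, which is exactly why the old code transmitted the password as the login name and exposed it to authentication-failure logging on the server.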
diff -Nru libkf5ksieve-22.12.3/debian/patches/series 
libkf5ksieve-22.12.3/debian/patches/series
--- libkf5ksieve-22.12.3/debian/patches/series  1970-01-01 01:00:00.000000000 
+0100
+++ libkf5ksieve-22.12.3/debian/patches/series  2024-04-19 13:08:20.000000000 
+0200
@@ -0,0 +1 @@
+password_leak.patch
