Your message dated Sat, 29 Jun 2024 10:47:47 +0000
with message-id <e1snvcr-002brz...@coccia.debian.org>
and subject line Released with 11.10
has caused the Debian Bug report #1069836,
regarding bullseye-pu: package libkf5ksieve/20.08.3-1+deb11u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1069836: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1069836
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
X-Debbugs-Cc: delta...@debian.org
User: release.debian....@packages.debian.org
Usertags: pu

This is the same request as for bookworm (#1069690).
Relevant bug report is #1069163.

[ Reason ]
There is a bug in libkf5ksieve where the password instead of the
username is sent when using managesieve and could therefore be
logged on a server as the login will fail.

[ Impact ]
Potentially sensitive passwords are logged on a server.

[ Tests ]
The affected user has successfully tested the patched version.

[ Risks ]
The patch is trivial (1 line is changed) and it's quite obvious
that it was a bug in the first place.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
1-line patch to fix the bug.
diffstat for libkf5ksieve-20.08.3 libkf5ksieve-20.08.3

 changelog                   |    8 ++++++++
 patches/password_leak.patch |   30 ++++++++++++++++++++++++++++++
 patches/series              |    1 +
 3 files changed, 39 insertions(+)

diff -Nru libkf5ksieve-20.08.3/debian/changelog 
libkf5ksieve-20.08.3/debian/changelog
--- libkf5ksieve-20.08.3/debian/changelog       2020-12-16 01:50:06.000000000 
+0100
+++ libkf5ksieve-20.08.3/debian/changelog       2024-04-25 12:37:50.000000000 
+0200
@@ -1,3 +1,11 @@
+libkf5ksieve (4:20.08.3-1+deb11u1) bullseye; urgency=medium
+
+  * Team upload.
+  * Add patch to prevent leaking passwords into server-side logs
+    (Closes: #1069163).
+
+ -- Patrick Franz <delta...@debian.org>  Thu, 25 Apr 2024 12:37:50 +0200
+
 libkf5ksieve (4:20.08.3-1) unstable; urgency=medium
 
   [ Sandro Knauß ]
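Review bot: the changelog bullet names only the Debian bug, while the patch header in this same debdiff carries the upstream provenance (KDE bugs 467034 and 437858, commit 6b460ba93ac4, FIXED-IN 5.23.0), none of which is visible to someone reading the changelog or the tracker. Consider wording such as "Add upstream patch (commit 6b460ba9, KDE bugs 467034, 437858) to stop sending the password as the login name, which leaked it into server-side logs (Closes: #1069163)." It would also help to state, here or in a NEWS entry, that passwords already sent by affected clients may persist in server logs and should be rotated.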
diff -Nru libkf5ksieve-20.08.3/debian/patches/password_leak.patch 
libkf5ksieve-20.08.3/debian/patches/password_leak.patch
--- libkf5ksieve-20.08.3/debian/patches/password_leak.patch     1970-01-01 
01:00:00.000000000 +0100
+++ libkf5ksieve-20.08.3/debian/patches/password_leak.patch     2024-04-25 
12:36:16.000000000 +0200
@@ -0,0 +1,30 @@
+From 6b460ba93ac4ac503ba039d0b788ac7595120db1 Mon Sep 17 00:00:00 2001
+From: Laurent Montel <mon...@kde.org>
+Date: Wed, 8 Mar 2023 06:51:22 +0100
+Subject: [PATCH] Fix 467034: libksieve/src/kmanagesieve/session.cpp assigns
+ password to username & gets logged(
+
+Bug investigate by "bib" thanks
+BUG: 467034
+BUG: 437858
+FIXED-IN: 5.23.0
+---
+ src/kmanagesieve/session.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/kmanagesieve/session.cpp b/src/kmanagesieve/session.cpp
+index 26fd7b59..0e40d721 100644
+--- a/src/kmanagesieve/session.cpp
++++ b/src/kmanagesieve/session.cpp
+@@ -273,7 +273,7 @@ KManageSieve::AuthDetails 
Session::requestAuthDetails(const QUrl &url)
+     AuthDetails ad;
+     ad.valid = false;
+     if (dlg->exec()) {
+-        ad.username = dlg->password();
++        ad.username = dlg->username();
+         ad.password = dlg->password();
+         ad.valid = true;
+     }
+-- 
+GitLab
+
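Review bot: the patch file has git format-patch headers but no DEP-3 Origin: or Bug-Debian: fields, so its link to upstream commit 6b460ba93ac4 and to #1069163 is only implied by the From: and Subject: lines; add "Origin: upstream" with the commit reference and "Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1069163" above the From: line. The hunk itself is sound: the only change is `ad.username = dlg->password();` becoming `ad.username = dlg->username();`, and the neighbouring `ad.password` and `ad.valid` assignments are untouched, so the authentication path is unchanged apart from sending the correct login name. The context line "KManageSieve::AuthDetails Session::requestAuthDetails(const QUrl &url)" is wrapped across two lines in this mail; confirm the file in the upload is intact and that the hunk applies to 20.08.3 at build time, since the commit was taken from the tree fixed in 5.23.0 and line offsets may differ.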
diff -Nru libkf5ksieve-20.08.3/debian/patches/series 
libkf5ksieve-20.08.3/debian/patches/series
--- libkf5ksieve-20.08.3/debian/patches/series  1970-01-01 01:00:00.000000000 
+0100
+++ libkf5ksieve-20.08.3/debian/patches/series  2024-04-25 12:36:09.000000000 
+0200
@@ -0,0 +1 @@
+password_leak.patch
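Review bot: series is a new file (1970 timestamp on the old side), so this is the only patch the package carries; the generic name password_leak.patch gives no hint of its origin, and either an upstream-referencing name such as upstream_fix-kde-bug-467034-password-as-username.patch or an Origin: header in the patch would make the backport easier to spot when the package is next rebased.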

--- End Message ---
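The following is an added example, not code from the bug report or from libksieve, showing why a client that fills the username field from the password dialog's password() ends up with the password in the server's log. It sketches the ManageSieve AUTHENTICATE "PLAIN" exchange (RFC 5804 with the RFC 4616 PLAIN mechanism): the client encodes authzid, authcid and password into one base64 string, and on failure a server typically logs the offered login name (authcid), which under the pre-fix assignment is the password. The CredentialDialog class, the auth_details_* functions, the account table and the log line format are all assumptions made for this illustration.

```python
import base64


class CredentialDialog:
    """Stand-in for the client's password dialog (assumed API: username()/password())."""

    def __init__(self, username, password):
        self._username = username
        self._password = password

    def username(self):
        return self._username

    def password(self):
        return self._password


def auth_details_buggy(dlg):
    # Mirrors the pre-fix assignment: the username field is filled from password().
    return {"username": dlg.password(), "password": dlg.password()}


def auth_details_fixed(dlg):
    # Post-fix assignment: username from username(), password from password().
    return {"username": dlg.username(), "password": dlg.password()}


def sasl_plain_initial_response(authcid, passwd, authzid=""):
    """RFC 4616 PLAIN: base64( authzid NUL authcid NUL passwd )."""
    raw = "{}\0{}\0{}".format(authzid, authcid, passwd).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def client_authenticate_command(ad):
    # RFC 5804 section 2.1: AUTHENTICATE "PLAIN" "<initial-response>"
    return 'AUTHENTICATE "PLAIN" "{}"'.format(
        sasl_plain_initial_response(ad["username"], ad["password"])
    )


def server_handle_authenticate(line, accounts):
    """Decode the PLAIN response, check it against the account table.

    Returns (protocol reply, log line). The log format is a constructed
    example of the common pattern of recording the offered login name.
    """
    prefix = 'AUTHENTICATE "PLAIN" "'
    if not (line.startswith(prefix) and line.endswith('"')):
        return 'NO "Syntax error"', "managesieve: malformed AUTHENTICATE"
    decoded = base64.b64decode(line[len(prefix):-1]).decode("utf-8")
    _authzid, authcid, passwd = decoded.split("\0", 2)
    if accounts.get(authcid) == passwd:
        return "OK", "managesieve: login ok user=<{}>".format(authcid)
    # On failure the server has no way to tell that the "user" it was given
    # is really a password; it goes into the log as the login name.
    return 'NO "Authentication failed"', "managesieve: auth failed user=<{}>".format(authcid)


def run_exchange(make_details, dlg, accounts):
    """Run one client/server round trip and return (reply, server log line)."""
    ad = make_details(dlg)
    command = client_authenticate_command(ad)
    return server_handle_authenticate(command, accounts)


if __name__ == "__main__":
    # Constructed sample credentials; the account table plays the server side.
    dialog = CredentialDialog("alice", "hunter2-S3cret")
    accounts = {"alice": "hunter2-S3cret"}
    for label, maker in (("buggy", auth_details_buggy), ("fixed", auth_details_fixed)):
        reply, log = run_exchange(maker, dialog, accounts)
        print("{:5s} -> reply={!r:30s} log={!r}".format(label, reply, log))
```

With the buggy assembly the login fails and the server log line carries the password in the user= field; with the fixed assembly the login succeeds and only the username is logged. A client-side guard that refuses to send credentials when the username equals the password would have caught this particular swap, but the real defence is the one-line fix: reading the username from the right accessor.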
--- Begin Message ---
Version: 11.10

The upload requested in this bug has been released as part of 11.10.

--- End Message ---
