Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: delta...@debian.org
User: release.debian....@packages.debian.org
Usertags: pu
[ Reason ]
There is a bug in libkf5ksieve where the password instead of the username is sent when using managesieve and could therefore be logged on a server, as the login will fail.

[ Impact ]
Potentially sensitive passwords are logged on a server.

[ Tests ]
Affected user has successfully tested the patched version.

[ Risks ]
The patch is trivial (1 line is changed) and it's quite obvious that it was a bug in the first place.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
1-line patch to fix the bug.
diffstat for libkf5ksieve-22.12.3 libkf5ksieve-22.12.3 changelog | 8 ++++++++ patches/password_leak.patch | 30 ++++++++++++++++++++++++++++++ patches/series | 1 + 3 files changed, 39 insertions(+) diff -Nru libkf5ksieve-22.12.3/debian/changelog libkf5ksieve-22.12.3/debian/changelog --- libkf5ksieve-22.12.3/debian/changelog 2023-03-01 21:32:56.000000000 +0100 +++ libkf5ksieve-22.12.3/debian/changelog 2024-04-22 17:43:15.000000000 +0200 @@ -1,3 +1,11 @@ +libkf5ksieve (4:22.12.3-1+deb12u1) bookworm; urgency=medium + + [ Patrick Franz ] + * Add patch to prevent leaking passwords into server-side logs + (Closes: #1069163). + + -- Patrick Franz <delta...@debian.org> Mon, 22 Apr 2024 17:43:15 +0200 + libkf5ksieve (4:22.12.3-1) unstable; urgency=medium [ Patrick Franz ] diff -Nru libkf5ksieve-22.12.3/debian/patches/password_leak.patch libkf5ksieve-22.12.3/debian/patches/password_leak.patch --- libkf5ksieve-22.12.3/debian/patches/password_leak.patch 1970-01-01 01:00:00.000000000 +0100 +++ libkf5ksieve-22.12.3/debian/patches/password_leak.patch 2024-04-19 13:08:00.000000000 +0200 
@@ -0,0 +1,30 @@ +From 6b460ba93ac4ac503ba039d0b788ac7595120db1 Mon Sep 17 00:00:00 2001 +From: Laurent Montel <mon...@kde.org> +Date: Wed, 8 Mar 2023 06:51:22 +0100 +Subject: [PATCH] Fix 467034: libksieve/src/kmanagesieve/session.cpp assigns + password to username & gets logged( + +Bug investigate by "bib" thanks +BUG: 467034 +BUG: 437858 +FIXED-IN: 5.23.0 +--- + src/kmanagesieve/session.cpp | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/kmanagesieve/session.cpp b/src/kmanagesieve/session.cpp +index 26fd7b59..0e40d721 100644 +--- a/src/kmanagesieve/session.cpp ++++ b/src/kmanagesieve/session.cpp +@@ -273,7 +273,7 @@ KManageSieve::AuthDetails Session::requestAuthDetails(const QUrl &url) + AuthDetails ad; + ad.valid = false; + if (dlg->exec()) { +- ad.username = dlg->password(); ++ ad.username = dlg->username(); + ad.password = dlg->password(); + ad.valid = true; + } +-- +GitLab + diff -Nru libkf5ksieve-22.12.3/debian/patches/series libkf5ksieve-22.12.3/debian/patches/series --- libkf5ksieve-22.12.3/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ libkf5ksieve-22.12.3/debian/patches/series 2024-04-19 13:08:20.000000000 +0200 @@ -0,0 +1 @@ +password_leak.patch
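Review bot: the changelog entry "Add patch to prevent leaking passwords into server-side logs (Closes: #1069163)" says what is fixed but not what an already-affected user should do; since the leaked value lands in a server log the user cannot clean, consider adding a sentence advising users who saw failed ManageSieve logins with the unpatched client to treat that password as exposed and change it. The version 4:22.12.3-1+deb12u1 and the bookworm target are otherwise consistent with a stable update.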
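Review bot: the one-line change `- ad.username = dlg->password();` / `+ ad.username = dlg->username();` is the correct fix for the swapped field, but password_leak.patch carries only the upstream git headers (From, Date, Subject, BUG: 467034 / 437858, FIXED-IN: 5.23.0) and no DEP-3 `Bug-Debian: https://bugs.debian.org/1069163` or `Applied-Upstream:` line, so the link to the Debian bug exists only in d/changelog; consider adding those two headers at the top of the patch file. As a side observation on the context lines, `ad.valid = true` is set whenever `dlg->exec()` returns true, with no check that `dlg->username()` is non-empty; whether the dialog guarantees that is not visible in this hunk.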
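The mechanism behind the report, as an added example that is not part of this Debian bug, of the debdiff, or of libksieve itself: a Python mock of the credentials dialog and of Session::requestAuthDetails in its buggy and fixed forms, a SASL PLAIN encoder of the kind ManageSieve (RFC 5804) sends in AUTHENTICATE, and a toy server whose failed-login log line records the presented user name. The dialog class, the account table, the credentials and the log line format are all constructed here and stand in for whatever the real client and server do; the point they show is that a client-side field swap turns a routine "auth failed: user=<...>" log entry into a password record.

```python
import base64
from dataclasses import dataclass


@dataclass
class AuthDetails:
    """Mirror of KManageSieve::AuthDetails: what the client puts on the wire."""
    username: str = ""
    password: str = ""
    valid: bool = False


class CredentialDialog:
    """Constructed stand-in for the Qt credentials dialog used in session.cpp."""

    def __init__(self, username: str, password: str) -> None:
        self._username = username
        self._password = password

    def exec(self) -> bool:
        return True  # the user pressed OK

    def username(self) -> str:
        return self._username

    def password(self) -> str:
        return self._password


def request_auth_details_buggy(dlg: CredentialDialog) -> AuthDetails:
    """Behaviour before the patch: the password is copied into the username field."""
    ad = AuthDetails()
    if dlg.exec():
        ad.username = dlg.password()  # the bug
        ad.password = dlg.password()
        ad.valid = True
    return ad


def request_auth_details_fixed(dlg: CredentialDialog) -> AuthDetails:
    """Behaviour after the one-line fix."""
    ad = AuthDetails()
    if dlg.exec():
        ad.username = dlg.username()
        ad.password = dlg.password()
        ad.valid = True
    return ad


def sasl_plain_initial_response(ad: AuthDetails) -> str:
    """RFC 4616 PLAIN: [authzid] NUL authcid NUL passwd, base64-encoded on the wire.

    ManageSieve carries this in AUTHENTICATE "PLAIN"; the server decodes it and
    sees the authcid (user name) field in cleartext.
    """
    raw = b"\0" + ad.username.encode("utf-8") + b"\0" + ad.password.encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def server_authenticate(initial_response_b64: str, accounts: dict, log: list) -> bool:
    """Toy server: verify the credential and log the outcome.

    The log line format is invented for this mock; real daemons differ, but most
    record the presented user name on a failed login, which is the leak path.
    """
    raw = base64.b64decode(initial_response_b64)
    _authzid, authcid, passwd = raw.split(b"\0", 2)
    user = authcid.decode("utf-8")
    if accounts.get(user) == passwd.decode("utf-8"):
        log.append(f"managesieve: login ok: user=<{user}>")
        return True
    log.append(f"managesieve: auth failed: user=<{user}>")
    return False


def simulate(request_fn) -> tuple:
    """Run one client/server exchange with constructed credentials; return (ok, log)."""
    accounts = {"alice": "s3cret-Pa55"}          # constructed account database
    dlg = CredentialDialog("alice", "s3cret-Pa55")  # constructed user input
    ad = request_fn(dlg)
    log: list = []
    ok = server_authenticate(sasl_plain_initial_response(ad), accounts, log)
    return ok, log


if __name__ == "__main__":
    for name, fn in (("buggy", request_auth_details_buggy),
                     ("fixed", request_auth_details_fixed)):
        ok, log = simulate(fn)
        print(f"{name}: login={'ok' if ok else 'FAILED'}; server log -> {log[0]}")
```

Running it prints the failed login for the buggy client with the password sitting in the `user=<...>` field of the server's log line, and a clean successful login for the fixed one; the Qt dialog in the real client is replaced by the constructed CredentialDialog, and no real server is contacted.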