Bug#1069836: bullseye-pu: package libkf5ksieve/20.08.3-1+deb11u1

2024-06-12 Thread Jonathan Wiltshire
Control: tag -1 confirmed

On Thu, Apr 25, 2024 at 05:52:55PM +0200, Patrick Franz wrote:
> [ Reason ]
> There is a bug in libkf5sieve where the password instead of the
> username is sent when using managesieve and could therefore be
> logged on a server as the login will fail.

Please go ahead (you may also wish to update the found versions in the
original bug report).

Thanks,

-- 
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1

Bug#1069836: bullseye-pu: package libkf5ksieve/20.08.3-1+deb11u1

2024-04-25 Thread Patrick Franz
Package: release.debian.org
Severity: normal
Tags: bullseye
X-Debbugs-Cc: delta...@debian.org
User: release.debian@packages.debian.org
Usertags: pu

This is the same request as for bookworm (#1069690).
Relevant bug report is #1069163.

[ Reason ]
There is a bug in libkf5sieve where the password instead of the
username is sent when using managesieve and could therefore be
logged on a server as the login will fail.

[ Impact ]
Potentially sensitive passwords are logged on a server.

[ Tests ]
Affected user has successfully tested the patched version.

[ Risks ]
The patch is trivial (1 line is changed) and it's quite obvious
that it was a bug in the first place.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
1-line patch to fix the bug.
diffstat for libkf5ksieve-20.08.3 libkf5ksieve-20.08.3

 changelog   |8 
 patches/password_leak.patch |   30 ++
 patches/series  |1 +
 3 files changed, 39 insertions(+)

diff -Nru libkf5ksieve-20.08.3/debian/changelog 
libkf5ksieve-20.08.3/debian/changelog
--- libkf5ksieve-20.08.3/debian/changelog   2020-12-16 01:50:06.0 
+0100
+++ libkf5ksieve-20.08.3/debian/changelog   2024-04-25 12:37:50.0 
+0200
@@ -1,3 +1,11 @@
+libkf5ksieve (4:20.08.3-1+deb11u1) bullseye; urgency=medium
+
+  * Team upload.
+  * Add patch to prevent leaking passwords into server-side logs
+(Closes: #1069163).
+
+ -- Patrick Franz   Thu, 25 Apr 2024 12:37:50 +0200
+
 libkf5ksieve (4:20.08.3-1) unstable; urgency=medium
 
   [ Sandro Knauß ]
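Review bot: the changelog entry cites only the Debian bug, while the patch header names upstream bug 467034 and FIXED-IN 5.23.0; mentioning the upstream reference in the entry (or in DEP-3 headers of the patch) would make it easier to verify the fix against upstream. Also, the maintainer line ` -- Patrick Franz   Thu, 25 Apr 2024 12:37:50 +0200` as shown here has no `<email>` between the name and the date; if that is not just address scrubbing by the list archive, dpkg-parsechangelog will reject the entry.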
diff -Nru libkf5ksieve-20.08.3/debian/patches/password_leak.patch 
libkf5ksieve-20.08.3/debian/patches/password_leak.patch
--- libkf5ksieve-20.08.3/debian/patches/password_leak.patch 1970-01-01 
01:00:00.0 +0100
+++ libkf5ksieve-20.08.3/debian/patches/password_leak.patch 2024-04-25 
12:36:16.0 +0200
@@ -0,0 +1,30 @@
+From 6b460ba93ac4ac503ba039d0b788ac7595120db1 Mon Sep 17 00:00:00 2001
+From: Laurent Montel 
+Date: Wed, 8 Mar 2023 06:51:22 +0100
+Subject: [PATCH] Fix 467034: libksieve/src/kmanagesieve/session.cpp assigns
+ password to username & gets logged(
+
+Bug investigate by "bib" thanks
+BUG: 467034
+BUG: 437858
+FIXED-IN: 5.23.0
+---
+ src/kmanagesieve/session.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/kmanagesieve/session.cpp b/src/kmanagesieve/session.cpp
+index 26fd7b59..0e40d721 100644
+--- a/src/kmanagesieve/session.cpp
 b/src/kmanagesieve/session.cpp
+@@ -273,7 +273,7 @@ KManageSieve::AuthDetails 
Session::requestAuthDetails(const QUrl )
+ AuthDetails ad;
+ ad.valid = false;
+ if (dlg->exec()) {
+-ad.username = dlg->password();
++ad.username = dlg->username();
+ ad.password = dlg->password();
+ ad.valid = true;
+ }
+-- 
+GitLab
+
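Review bot: the patch file carries only the git format-patch header (From/Date/Subject) and no DEP-3 fields; add `Origin: upstream, <commit URL for 6b460ba93ac4ac503ba039d0b788ac7595120db1>`, `Bug-Debian: https://bugs.debian.org/1069163`, `Bug: <upstream bug URL for 467034>` and `Applied-Upstream: 5.23.0` so the provenance is machine-readable. The code change itself is correct and minimal: `-ad.username = dlg->password();` becomes `+ad.username = dlg->username();` while the following `ad.password = dlg->password();` is unchanged, so the password is no longer placed in the username field that the server may record when the login fails. Note that the `+++ b/src/kmanagesieve/session.cpp` line appears without its leading `+` in this quoted copy; make sure the file in the upload still applies cleanly with quilt.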
diff -Nru libkf5ksieve-20.08.3/debian/patches/series 
libkf5ksieve-20.08.3/debian/patches/series
--- libkf5ksieve-20.08.3/debian/patches/series  1970-01-01 01:00:00.0 
+0100
+++ libkf5ksieve-20.08.3/debian/patches/series  2024-04-25 12:36:09.0 
+0200
@@ -0,0 +1 @@
+password_leak.patch