Bug#1069836: bullseye-pu: package libkf5ksieve/20.08.3-1+deb11u1
Package: release.debian.org
Severity: normal
Tags: bullseye
X-Debbugs-Cc: deltaone@debian.org
User: release.debian.org@packages.debian.org
Usertags: pu
This is the same request as for bookworm (#1069690).
Relevant bug report is #1069163.
[ Reason ]
There is a bug in libkf5ksieve where the password instead of the
username is sent when using managesieve, and it could therefore be
logged on the server since the login will fail.
[ Impact ]
Potentially sensitive passwords are logged on a server.
[ Tests ]
The affected user has successfully tested the patched version.
[ Risks ]
The patch is trivial (1 line is changed) and it's quite obvious
that it was a bug in the first place.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
1-line patch to fix the bug.
diffstat for libkf5ksieve-20.08.3 libkf5ksieve-20.08.3
changelog | 8 ++++++++
patches/password_leak.patch | 30 ++++++++++++++++++++++++++++++
patches/series | 1 +
3 files changed, 39 insertions(+)
diff -Nru libkf5ksieve-20.08.3/debian/changelog libkf5ksieve-20.08.3/debian/changelog
--- libkf5ksieve-20.08.3/debian/changelog 2020-12-16 01:50:06.000000000 +0100
+++ libkf5ksieve-20.08.3/debian/changelog 2024-04-25 12:37:50.000000000 +0200
@@ -1,3 +1,11 @@
+libkf5ksieve (4:20.08.3-1+deb11u1) bullseye; urgency=medium
+
+ * Team upload.
+ * Add patch to prevent leaking passwords into server-side logs
+ (Closes: #1069163).
+
+ -- Patrick Franz <deltaone@debian.org> Thu, 25 Apr 2024 12:37:50 +0200
+
libkf5ksieve (4:20.08.3-1) unstable; urgency=medium
[ Sandro Knauß ]
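Review bot: the changelog line `+ * Add patch to prevent leaking passwords into server-side logs` references only the Debian bug; for traceability when the patch is refreshed later, also name the upstream fix it backports (commit 6b460ba93ac4ac503ba039d0b788ac7595120db1, upstream bugs 467034/437858, FIXED-IN 5.23.0), e.g. `* Backport upstream commit 6b460ba9 fixing the username/password mix-up in kmanagesieve (Closes: #1069163).` Since the fix stops future leaks but does nothing about passwords that already landed in server logs after failed logins, a short NEWS entry advising affected users to change the password used for managesieve would be appropriate.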
diff -Nru libkf5ksieve-20.08.3/debian/patches/password_leak.patch libkf5ksieve-20.08.3/debian/patches/password_leak.patch
--- libkf5ksieve-20.08.3/debian/patches/password_leak.patch 1970-01-01 01:00:00.000000000 +0100
+++ libkf5ksieve-20.08.3/debian/patches/password_leak.patch 2024-04-25 12:36:16.000000000 +0200
@@ -0,0 +1,30 @@
+From 6b460ba93ac4ac503ba039d0b788ac7595120db1 Mon Sep 17 00:00:00 2001
+From: Laurent Montel <montel@kde.org>
+Date: Wed, 8 Mar 2023 06:51:22 +0100
+Subject: [PATCH] Fix 467034: libksieve/src/kmanagesieve/session.cpp assigns
+ password to username & gets logged(
+
+Bug investigate by "bib" thanks
+BUG: 467034
+BUG: 437858
+FIXED-IN: 5.23.0
+---
+ src/kmanagesieve/session.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/kmanagesieve/session.cpp b/src/kmanagesieve/session.cpp
+index 26fd7b59..0e40d721 100644
+--- a/src/kmanagesieve/session.cpp
++++ b/src/kmanagesieve/session.cpp
+@@ -273,7 +273,7 @@ KManageSieve::AuthDetails Session::requestAuthDetails(const QUrl &url)
+ AuthDetails ad;
+ ad.valid = false;
+ if (dlg->exec()) {
+- ad.username = dlg->password();
++ ad.username = dlg->username();
+ ad.password = dlg->password();
+ ad.valid = true;
+ }
+--
+GitLab
+
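Review bot: beyond the git From:/Subject:/Date: headers the patch carries no DEP-3 `Origin:`/`Bug-Debian:` fields, so consider adding `Bug-Debian: https://bugs.debian.org/1069163` and `Origin: upstream, 6b460ba93ac4ac503ba039d0b788ac7595120db1` so provenance survives if the header block is ever trimmed. The change itself is correct: `- ad.username = dlg->password();` becomes `+ ad.username = dlg->username();` while `ad.password = dlg->password();` is left as is, so both fields now receive the right value. The trailing `(` in the Subject and the `GitLab` trailer line are harmless noise from the upstream export.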
diff -Nru libkf5ksieve-20.08.3/debian/patches/series libkf5ksieve-20.08.3/debian/patches/series
--- libkf5ksieve-20.08.3/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ libkf5ksieve-20.08.3/debian/patches/series 2024-04-25 12:36:09.000000000 +0200
@@ -0,0 +1 @@
+password_leak.patch
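The mix-up described in the [ Reason ] section, as an added example that is not code from libkf5ksieve: a constructed mock of the credentials dialog (MockAuthDialog is an assumption, not the real KManageSieve API), the buggy and the fixed field mapping side by side, and a guard that refuses to send credentials whose username field carries the secret, which is a cheap client-side check that would have kept the password off the wire and out of the server's failed-login log.

```cpp
#include <iostream>
#include <string>

// Constructed stand-in for the credentials dialog; the real dialog class
// and its accessors are not part of this example.
struct MockAuthDialog {
    std::string user;
    std::string pass;
    bool accepted;
    bool exec() const { return accepted; }
    std::string username() const { return user; }
    std::string password() const { return pass; }
};

struct AuthDetails {
    std::string username;
    std::string password;
    bool valid = false;
};

// Mapping before the fix: the username field receives the password.
AuthDetails buggyRequestAuthDetails(const MockAuthDialog &dlg) {
    AuthDetails ad;
    if (dlg.exec()) {
        ad.username = dlg.password();  // the bug
        ad.password = dlg.password();
        ad.valid = true;
    }
    return ad;
}

// Mapping after the fix: each field gets its own accessor.
AuthDetails requestAuthDetails(const MockAuthDialog &dlg) {
    AuthDetails ad;
    if (dlg.exec()) {
        ad.username = dlg.username();
        ad.password = dlg.password();
        ad.valid = true;
    }
    return ad;
}

// Defence in depth before anything is written to the socket: a username
// equal to the secret is almost certainly a field mix-up, and a failed
// login makes the server log the username field.
bool safeToSend(const AuthDetails &ad) {
    return ad.valid && !ad.username.empty() && ad.username != ad.password;
}

int main() {
    MockAuthDialog dlg{"alice", "s3cret", true};
    std::cout << (safeToSend(requestAuthDetails(dlg)) ? "ok" : "refused") << '\n';
    std::cout << (safeToSend(buggyRequestAuthDetails(dlg)) ? "ok" : "refused") << '\n';
}
```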