From: Jonas Schäfer
To: oss-sec
Date: Thu, 25 Apr 2024 18:10:54 +0200
Message-ID: <5222127.EKZ5pzy0G1@sinistra.local>
Subject: [oss-security] libksieve (used by kmail/kontact) sent password as username

Hello list,

Managesieve is a protocol to configure the email filtering system Sieve via
TCP/IP. It is typically authenticated just like IMAP is.

The managesieve client implementation in KDE (libksieve) had a bug which used
the password as username. That exposed the password in plaintext server logs,
as usernames are commonly logged on failed login attempts.

This bug has existed for several years and made it into multiple Debian
releases. It has only recently been fixed upstream [1] and even more recently
been fixed in Debian [2] (stable package updates still pending).

As this bug has been documented on the internet at various places [3] [4] but
I haven't seen any mention of it here yet, I thought sharing it here made
sense.

As far as I know, no CVE has been allocated for this.

kind regards,
Jonas

[1]: https://invent.kde.org/pim/libksieve/-/commit/6b460ba93ac4ac503ba039d0b788ac7595120db1
[2]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1069163
[3]: https://bugs.kde.org/show_bug.cgi?id=437858
[4]: https://www.reddit.com/r/kde/comments/151xq9r/comment/jsavmds/
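An added example, not part of the post above and not code from libksieve or Dovecot, showing the server-side triage a mail administrator would want after a client bug of this kind: scan Dovecot-style login-failure records for a user=<...> value that does not look like an account name, which is what a client that swapped username and password leaves behind, and report it masked so the triage output does not copy a possible password into yet another log. It goes a little beyond the post by also covering the imap-login and pop3-login processes, since the same swap would look identical there. The log lines are constructed for the example, and the account-name pattern, the optional known-users list and the record layout are assumptions; real deployments vary.

```python
import re
from typing import Dict, Iterable, List, Optional, Set

# Constructed sample lines in the style of Dovecot's login-process failure
# messages. They are made up for this example; the second line shows what a
# client that swaps username and password leaves behind: the password sits in
# the user=<...> field of a failed-login record.
SAMPLE_LOG = """\
Apr 25 18:10:54 mail dovecot: managesieve-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.1, TLS, session=<c1>
Apr 25 18:10:55 mail dovecot: managesieve-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<Tr0ub4dor&3!x>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.1, TLS, session=<c2>
Apr 25 18:10:56 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob@example.org>, method=PLAIN, rip=192.0.2.11, lip=192.0.2.1, TLS, session=<c3>
Apr 25 18:10:57 mail dovecot: managesieve-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.1, TLS, session=<c4>
"""

# Failed-login records from the Dovecot login processes that front
# managesieve, IMAP and POP3. Successful logins ("Login: user=<...>") are
# ignored: a swapped credential never authenticates, so it only appears in
# failures. The remote IP (rip=) is captured when present so the affected
# client machine can be identified for an update.
AUTH_FAILED = re.compile(
    r"(?P<service>managesieve-login|imap-login|pop3-login): "
    r".*?auth failed.*?user=<(?P<user>[^>]*)>"
    r"(?:.*?rip=(?P<rip>[^,\s]+))?"
)

# Assumed shape of a legitimate account name: a local part, optionally with a
# domain. Adjust to the site's own naming scheme.
ACCOUNT_NAME = re.compile(r"^[a-z0-9._+-]+(@[a-z0-9.-]+)?$", re.IGNORECASE)


def looks_like_account(name: str, known_users: Optional[Set[str]] = None) -> bool:
    """True if the user field plausibly names an account on this server.

    With a known_users set, membership decides; without one, fall back to the
    assumed account-name shape. Anything else is treated as a likely leaked
    secret.
    """
    if known_users is not None:
        return name in known_users
    return bool(ACCOUNT_NAME.match(name))


def mask(value: str) -> str:
    """Render a possible password so the report does not repeat it in full."""
    if len(value) <= 2:
        return "*" * len(value)
    return f"{value[0]}***{value[-1]} ({len(value)} chars)"


def find_leaked_credentials(
    lines: Iterable[str], known_users: Optional[Set[str]] = None
) -> List[Dict[str, str]]:
    """Return one record per failed login whose user field is not an account.

    Each record carries the line number, the login service, the client IP and
    the masked value: enough for an administrator to reach the affected user
    for a password rotation without copying the secret anywhere else.
    """
    hits: List[Dict[str, str]] = []
    for lineno, line in enumerate(lines, start=1):
        m = AUTH_FAILED.search(line)
        if m is None:
            continue
        user = m.group("user")
        if looks_like_account(user, known_users):
            continue
        hits.append(
            {
                "line": str(lineno),
                "service": m.group("service"),
                "rip": m.group("rip") or "unknown",
                "masked_user": mask(user),
            }
        )
    return hits


if __name__ == "__main__":
    for hit in find_leaked_credentials(SAMPLE_LOG.splitlines()):
        print(hit)
```

Run against a real log, the records point at the client IPs that still need the fixed libksieve and at the users whose password should be rotated; the known_users variant is stricter and will also surface plain typos in account names, so review its output by hand.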