From: Salvatore Bonaccorso
To: oss-security@lists.openwall.com
Date: Tue, 30 Apr 2024 09:41:31 +0200
Subject: Re: [oss-security] libksieve (used by kmail/kontact) sent password as username
In-Reply-To: <5222127.EKZ5pzy0G1@sinistra.local>
References: <5222127.EKZ5pzy0G1@sinistra.local>

On Thu, Apr 25, 2024 at 06:10:54PM +0200, Jonas Schäfer wrote:
> Hello list,
>
> Managesieve is a protocol to configure the email filtering system Sieve via
> TCP/IP. It is typically authenticated just like IMAP is. The managesieve
> client implementation in KDE (libksieve) had a bug which used the password as
> username.
>
> That exposed the password in plaintext server logs, as usernames are commonly
> logged on failed login attempts.
>
> This bug has existed for several years and made it into multiple Debian
> releases. It has only recently been fixed upstream [1] and even more recently
> been fixed in Debian [2] (stable package updates still pending). As this bug
> has been documented in the internet at various places [3] [4] but I haven't
> seen any mention of it here yet, I thought sharing it here made sense.
>
> As far as I know, no CVE has been allocated for this.

FTR, https://www.cve.org/CVERecord?id=CVE-2023-52723 was assigned for this issue.

Regards,
Salvatore
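As an added example (not part of either message in this thread), a defender-side scrubber for the exposure Jonas describes: it scans failed-login records for a user field that matches no real account and looks password-like, redacts it, and reports where it appeared so the affected credential can be rotated. The log layout, the account list and the heuristic are assumptions.

```python
import re
from typing import Iterable

# Constructed sample lines in a Dovecot-like managesieve-login format (an
# assumption about log layout; adjust USER_RE for your server). The second
# line shows what a client with the libksieve bug would produce: the password
# lands in the user=<...> field of a failed-login record.
SAMPLE_LOG = [
    "Apr 25 17:58:01 mail managesieve-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=192.0.2.10",
    "Apr 25 17:58:05 mail managesieve-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<Tr0ub4dor&3>, method=PLAIN, rip=192.0.2.10",
    "Apr 25 17:58:09 mail managesieve-login: Login: user=<bob>, method=PLAIN, rip=192.0.2.11",
]

KNOWN_USERS = {"alice", "bob"}  # constructed: the server's real account names

USER_RE = re.compile(r"user=<([^>]*)>")
CLASS_RES = [re.compile(p) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9@._+-]")]

def looks_like_secret(value: str) -> bool:
    """Heuristic: a login name that is not a real account and mixes three or
    more character classes (or is very long) is more likely a leaked password
    than a mistyped username."""
    if value in KNOWN_USERS:
        return False
    classes = sum(1 for r in CLASS_RES if r.search(value))
    return classes >= 3 or len(value) > 64

def scan_log(lines: Iterable[str]) -> tuple[list[str], list[tuple[int, str]]]:
    """Redact suspected secrets and report (line number, client IP) so the
    account behind that client can be rotated; the secret itself is never
    copied into the findings."""
    redacted, findings = [], []
    for n, line in enumerate(lines, 1):
        m = USER_RE.search(line)
        if m and looks_like_secret(m.group(1)):
            rip = re.search(r"rip=(\S+)", line)
            findings.append((n, rip.group(1) if rip else "?"))
            line = line[:m.start(1)] + "[REDACTED]" + line[m.end(1):]
        redacted.append(line)
    return redacted, findings

if __name__ == "__main__":
    out, hits = scan_log(SAMPLE_LOG)
    print("\n".join(out))
    print("suspected credential leaks:", hits)
```

A genuine failed login by a known account (line 1) is left untouched; only the unknown, high-complexity "username" on line 2 is redacted and reported.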