Re: libksieve (used by kmail/kontact) sent password as username

[Salvatore Bonaccorso <carnil () debian org>]

On Thu, Apr 25, 2024 at 06:10:54PM +0200, Jonas Schäfer wrote:
> Hello list,
>
> Managesieve is a protocol to configure the email filtering system Sieve via 
> TCP/IP. It is typically authenticated just like IMAP is. The managesieve 
> client implementation in KDE (libksieve) had a bug which used the password as 
> username.
>
> That exposed the password in plaintext server logs, as usernames are commonly 
> logged on failed login attempts.
>
> This bug has existed for several years and made it into multiple Debian 
> releases. It has only recently been fixed upstream [1] and even more recently 
> been fixed in Debian [2] (stable package updates still pending). As this bug 
> has been documented in the internet at various places [3] [4] but I haven't 
> seen any mention of it here yet, I thought sharing it here made sense.
>
> As far as I know, no CVE has been allocated for this.

FTR, https://www.cve.org/CVERecord?id=CVE-2023-52723 was assigned for
this issue.

Regards,
Salvatore