Debian Bug report logs - #693391
claws-mail-vcalendar-plugin: credentials exposed on interface


Package: claws-mail-vcalendar-plugin; Maintainer for claws-mail-vcalendar-plugin is Ricardo Mones <mones@debian.org>; Source for claws-mail-vcalendar-plugin is src:claws-mail.

Reported by: Henri Salo <henri@nerv.fi>

Date: Fri, 16 Nov 2012 00:39:02 UTC

Severity: normal

Tags: security

Fixed in version claws-mail-extra-plugins/3.8.1-2

Done: Ricardo Mones <mones@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Ricardo Mones <mones@debian.org>:
Bug#693391; Package claws-mail-vcalendar-plugin. (Fri, 16 Nov 2012 00:39:04 GMT)

Acknowledgement sent to Henri Salo <henri@nerv.fi>:
New Bug report received and forwarded. Copy sent to Ricardo Mones <mones@debian.org>. (Fri, 16 Nov 2012 00:39:04 GMT)

Message #5 received at submit@bugs.debian.org:

From: Henri Salo <henri@nerv.fi>
To: submit@bugs.debian.org
Cc: Ricardo Mones <mones@debian.org>
Subject: claws-mail-vcalendar-plugin: credentials exposed on interface
Date: Fri, 16 Nov 2012 02:37:37 +0200
Package: claws-mail-vcalendar-plugin
Severity: normal
Tags: security

Reported originally here: http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=2782 by cswiii@gmail.com:

"""
In some instances, it might be the case that the only possible way to access a
calendaring service is through https, and in such cases, the only way to
authenticate (at least within the confines of vCalendar) is by embedding the
username:password into the ics URL and/or have a 'private' url that shouldn't
be shared.

In either case, after configuring a calendar and trying to access it, the full
url is displayed in the status tray when trying to poll the calendar, something
like:

Fetching 'https://user:password@server.example.com/location/of/my/Calendar'...

Thus, use of the vCalendar plugin really isn't suitable or secure for such
configurations!  In the scenarios above, the former is more of a concern but
neither is one you'd necessarily want to expose to prying eyes.  Even a google
calendar "private url", for example, is visible in its entirety within the
status tray.
"""

No upstream fix for this yet. CVE-request by Ricardo Mones in here http://www.openwall.com/lists/oss-security/2012/11/15/5

Please contact me in case of any questions. I haven't verified this in the Debian package yet, but I can do that and even try to backport the patch when it comes out.

--
Henri Salo
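As an added example in C (not code from the Claws Mail vCalendar plugin or its upstream fix), the defensive counterpart to the status message quoted above: strip the userinfo from a URL before it is displayed or logged. The function names are assumed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Copy `url` with any userinfo ("user:password@") that precedes the host
 * replaced by "***@", so the result can be shown in a status bar or log
 * without leaking credentials. Caller frees the result; NULL on OOM. */
char *redact_url_userinfo(const char *url)
{
    const char *authority = url;
    const char *scheme_end = strstr(url, "://");
    if (scheme_end) authority = scheme_end + 3;

    /* The authority ends at the first '/', '?' or '#'. A '@' beyond that
     * point belongs to the path or query and must be left alone. */
    size_t auth_len = strcspn(authority, "/?#");
    const char *at = memchr(authority, '@', auth_len);
    if (!at) {                                /* no userinfo: plain copy */
        char *copy = malloc(strlen(url) + 1);
        if (copy) strcpy(copy, url);
        return copy;
    }
    /* An unencoded '@' inside the password is common in hand-typed URLs,
     * so treat the last '@' in the authority as the end of the userinfo. */
    for (const char *p = at + 1; p < authority + auth_len; p++)
        if (*p == '@') at = p;

    size_t prefix_len = (size_t)(authority - url);   /* "scheme://" */
    const char *rest = at + 1;                       /* host onwards */
    char *out = malloc(prefix_len + 4 + strlen(rest) + 1);
    if (!out) return NULL;
    memcpy(out, url, prefix_len);
    memcpy(out + prefix_len, "***@", 4);
    strcpy(out + prefix_len + 4, rest);
    return out;
}

/* The status text from the report, built from the redacted URL instead
 * of the raw one. Caller frees the result; NULL on OOM. */
char *fetch_status_line(const char *url)
{
    char *safe = redact_url_userinfo(url);
    if (!safe) return NULL;
    size_t n = strlen(safe) + sizeof "Fetching '" + sizeof "'..." - 1;
    char *line = malloc(n);
    if (line) snprintf(line, n, "Fetching '%s'...", safe);
    free(safe);
    return line;
}
```

A "private" calendar URL carries its secret in the path rather than in the userinfo, so this helper only covers the user:password form; for the private-URL case the safer display is the host alone.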



Information forwarded to debian-bugs-dist@lists.debian.org, Ricardo Mones <mones@debian.org>:
Bug#693391; Package claws-mail-vcalendar-plugin. (Fri, 16 Nov 2012 09:15:10 GMT)

Acknowledgement sent to Henri Salo <henri@nerv.fi>:
Extra info received and forwarded to list. Copy sent to Ricardo Mones <mones@debian.org>. (Fri, 16 Nov 2012 09:15:10 GMT)

Message #10 received at 693391@bugs.debian.org:

From: Henri Salo <henri@nerv.fi>
To: 693391@bugs.debian.org
Subject: Fixed in upstream
Date: Fri, 16 Nov 2012 11:10:46 +0200
This is now fixed upstream. For more information: http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=2782#c4

--
Henri Salo



Reply sent to Ricardo Mones <mones@debian.org>:
You have taken responsibility. (Sat, 17 Nov 2012 18:36:03 GMT)

Notification sent to Henri Salo <henri@nerv.fi>:
Bug acknowledged by developer. (Sat, 17 Nov 2012 18:36:04 GMT)

Message #15 received at 693391-close@bugs.debian.org:

From: Ricardo Mones <mones@debian.org>
To: 693391-close@bugs.debian.org
Subject: Bug#693391: fixed in claws-mail-extra-plugins 3.8.1-2
Date: Sat, 17 Nov 2012 18:32:49 +0000
Source: claws-mail-extra-plugins
Source-Version: 3.8.1-2

We believe that the bug you reported is fixed in the latest version of
claws-mail-extra-plugins, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 693391@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ricardo Mones <mones@debian.org> (supplier of updated claws-mail-extra-plugins package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Sat, 17 Nov 2012 18:22:23 +0100
Source: claws-mail-extra-plugins
Binary: claws-mail-extra-plugins claws-mail-extra-plugins-dbg claws-mail-vcalendar-plugin claws-mail-perl-filter claws-mail-feeds-reader claws-mail-mailmbox-plugin claws-mail-html2-viewer claws-mail-acpi-notifier claws-mail-attach-remover claws-mail-fetchinfo-plugin claws-mail-newmail-plugin claws-mail-multi-notifier claws-mail-attach-warner claws-mail-spam-report claws-mail-tnef-parser claws-mail-archiver-plugin claws-mail-bsfilter-plugin claws-mail-fancy-plugin claws-mail-python-plugin claws-mail-clamd-plugin claws-mail-address-keeper claws-mail-gdata-plugin
Architecture: source all amd64
Version: 3.8.1-2
Distribution: unstable
Urgency: medium
Maintainer: Ricardo Mones <mones@debian.org>
Changed-By: Ricardo Mones <mones@debian.org>
Description: 
 claws-mail-acpi-notifier - Laptop's Mail LED control for Claws Mail
 claws-mail-address-keeper - Address keeper plugin for Claws Mail
 claws-mail-archiver-plugin - Archiver plugin for Claws Mail
 claws-mail-attach-remover - Mail attachment remover for Claws Mail
 claws-mail-attach-warner - Missing attachment warnings for Claws Mail
 claws-mail-bsfilter-plugin - Spam filtering using bsfilter for Claws Mail
 claws-mail-clamd-plugin - ClamAV socket-based plugin for Claws Mail
 claws-mail-extra-plugins - Extra plugins collection for Claws Mail
 claws-mail-extra-plugins-dbg - Debug symbols for Claws Mail Extra Plugins packages
 claws-mail-fancy-plugin - HTML mail viewer using GTK+ WebKit
 claws-mail-feeds-reader - Feeds (RSS/Atom) reader plugin for Claws Mail
 claws-mail-fetchinfo-plugin - Add X-FETCH headers plugin for Claws Mail
 claws-mail-gdata-plugin - Access to GData (Google services) for Claws Mail
 claws-mail-html2-viewer - HTML mail or attachment viewer for Claws Mail
 claws-mail-mailmbox-plugin - mbox format mailboxes handler for Claws Mail
 claws-mail-multi-notifier - Various new mail notifiers for Claws Mail
 claws-mail-newmail-plugin - New mail logger plugin for Claws Mail
 claws-mail-perl-filter - Message filtering plugin using perl for Claws Mail
 claws-mail-python-plugin - Python plugin and console for Claws Mail
 claws-mail-spam-report - Spam reporting plugin for Claws Mail
 claws-mail-tnef-parser - TNEF attachment handler for Claws Mail
 claws-mail-vcalendar-plugin - vCalendar message handling plugin for Claws Mail
Closes: 693391
Changes: 
 claws-mail-extra-plugins (3.8.1-2) unstable; urgency=medium
 .
   * debian/patches/vcalendar-plugin00fix-CVE-2012-5527.patch
   - Added patch to fix CVE-2012-5527: credentials exposed on
     interface (Closes: #693391)
   - Urgency set to medium because of security bug


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 21 Dec 2012 07:28:47 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 19:58:42 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.