Date: Wed, 28 Nov 2012 10:10:53 -0700
From: Kurt Seifried <>
CC: Vincent Danen <>, Ricardo Mones <>
Subject: Re: CVE request -- vCalendar plugin for Claws Mail: credentials exposed on interface


Ah I didn't reply to oss-sec somehow the first time around.

On 11/15/2012 05:36 AM, Ricardo Mones wrote:
> Hi,
> This has been reported on our bugzilla:
> There's still no fix available. Could a CVE id be allocated for
> this if appropriate?
> thanks in advance,
> P.S.: I'm not subscribed to the list.

Ok so based on the bug entry:

In some instances, it might be the case that the only possible way to
access a calendaring service is through https, and in such cases, the
only way to authenticate (at least within the confines of vCalendar)
is by embedding the username:password into the ics URL and/or have a
'private' url that shouldn't be shared.

In either case, after configuring a calendar and trying to access it,
the full url is displayed in the status tray when trying to poll the
calendar, something like:


Thus, use of the vCalendar plugin really isn't suitable or secure for
such configurations!  In the scenarios above, the former is more of a
concern but neither is one you'd necessarily want to expose to prying
eyes.  Even a google calendar "private url", for example, is visible
in its entirety within the status tray.

Basically for all password entry fields we usually **** them out by
default. As well AFAIK pretty much all applications that store
passwords in plain text don't display them by default when you open up
the password management screen (e.g. web browsers like Firefox). So in
general we have a well established trend of hiding plain text
passwords and not displaying them unless the user takes a specific
action to display them (e.g. "show hidden password").

Please use CVE-2012-5527 for this issue.

-- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993
A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
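The display-side mitigation the thread points at (mask the password before the URL ever reaches a status bar or log line), as an added Python example; this is not code from Claws Mail or the vCalendar plugin, and the calendar URLs are constructed samples:

```python
from urllib.parse import urlsplit, urlunsplit

MASK = "****"


def has_embedded_credentials(url: str) -> bool:
    """True when the URL carries a user:password@ userinfo component."""
    userinfo, at, _ = urlsplit(url).netloc.rpartition("@")
    return bool(at) and ":" in userinfo


def redact_url(url: str, hide_path: bool = False) -> str:
    """Return a copy of `url` that is safe to show in a status tray or log.

    The password inside user:password@host is replaced with MASK; the
    username, host, port, path and query are kept so the user can still
    tell which calendar is being polled.  With hide_path=True the path
    and query are masked as well, for "private URL" calendars whose
    secret is a token in the path rather than a password in the userinfo.
    """
    parts = urlsplit(url)
    # Split on the LAST '@' so an unencoded '@' inside the password does
    # not end up being treated as the host separator.
    userinfo, at, hostport = parts.netloc.rpartition("@")
    if at and ":" in userinfo:
        user = userinfo.split(":", 1)[0]
        netloc = f"{user}:{MASK}@{hostport}"
    else:
        netloc = parts.netloc
    path, query = parts.path, parts.query
    if hide_path:
        path = "/" + MASK if path else ""
        query = MASK if query else ""
    return urlunsplit((parts.scheme, netloc, path, query, parts.fragment))


if __name__ == "__main__":
    # Constructed sample URLs: a basic-auth feed and a private-token feed.
    for sample, hide in (
        ("https://alice:s3cr3t@cal.example.org/cal.ics", False),
        ("https://calendar.example.com/calendar/ical/TOKEN/basic.ics", True),
    ):
        print(f"{'creds' if has_embedded_credentials(sample) else 'no creds':9}"
              f" {redact_url(sample, hide_path=hide)}")
```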


