Bug 757666

Summary: swaks: Passwords displayed in unfiltered / plaintext form when -a (authenticate) CLI option used
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: j, mmckinst
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-11-28 11:19:23 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 757672, 757673    
Bug Blocks:    

Description Jan Lieskovsky 2011-11-28 10:40:34 UTC 
An information disclosure flaw was found in the way swaks, a command-line Swiss Army Knife SMTP transaction tester, performed management of passwords, provided on the command-line, when the -a (authenticate) option was used (the password has been displayed back in plaintext form to the relevant output file handle without being filtered first). A local attacker could use this flaw to potentially obtain plaintext form of passwords, the particular swaks SMTP user in question (victim) was using for different (swaks supported) authentication types.

References:
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=650024
Comment 1 Jan Lieskovsky 2011-11-28 10:59:18 UTC 
This issue affects the versions of the swaks package, as shipped with Fedora EPEL 4, 5, and 6 releases. Please schedule an update once appropriate upstream patch / release available.

--

This issue affects the versions of the swaks package, as shipped with Fedora release of 14, 15, and 16. Please schedule an update once appropriate upstream patch / release available.
Comment 2 Jan Lieskovsky 2011-11-28 11:01:27 UTC 
Created swaks tracking bugs for this issue

Affects: fedora-all [bug 757672]
Affects: epel-all [bug 757673]
Comment 3 Jan Lieskovsky 2011-11-28 11:19:23 UTC 
Red Hat Security Response Team does not consider this deficiency to be a security flaw.
Comment 4 Jason Tibbitts 2011-11-28 17:50:29 UTC 
Any chance someone could explain to me just what went on here?  Why would the security team open bugs only to close them afterwards?

It's never been any secret that swaks echoed back password input so I'm kind of puzzled as to why this is coming up now.