Bug 1074683 - claws-mail: vcalendar plugin stores username/password on-disk in cleartext
Summary: claws-mail: vcalendar plugin stores username/password on-disk in cleartext
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1074685 1074686
Blocks:
Reported: 2014-03-10 20:25 UTC by Vincent Danen
Modified: 2019-09-29 13:14 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-08-22 06:16:41 UTC
Embargoed:



Description Vincent Danen 2014-03-10 20:25:23 UTC
It was reported [1] that the Claws vCalendar plugin stored usernames and passwords on-disk in cleartext format.

Typically ~/.claws-mail should be mode 0750 and owned by the user so there should be no casual "leaking" of credentials; likewise most home directories on Fedora should be mode 0700.  Yet Claws should ideally not be storing these credentials in cleartext.

[1] http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=3099

Comment 1 Vincent Danen 2014-03-10 20:30:39 UTC
Created claws-mail tracking bugs for this issue:

Affects: fedora-all [bug 1074685]
Affects: epel-all [bug 1074686]

Comment 2 Michael Schwendt 2014-03-12 09:30:22 UTC
Could this ticket be kept accurate about describing the real issue? I've been following the upstream ticket as a subscriber to a ML, and it has been said that the credentials only enter a non-encrypted cache file if specified inside a URI user:pass@server.

Comment 3 Tomas 'Sheldon' Radej 2014-03-12 10:21:48 UTC
Not only the cache file, but the URI (as you described) is stored in the folder list in the .claws-mail folder in full and plain form. HTTP-authenticated access to a calendar is currently not possible any other way.

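An added audit helper, not part of this bug or of Claws Mail, that checks a Claws config directory for the two conditions raised in comments 1-3: URIs carrying user:pass@server userinfo in any config or cache file, and files whose mode lets "others" read them. The directory layout, attribute names and sample URI used in demo() are constructed, not Claws' real folderlist.xml schema; passwords are redacted before anything is returned.

```python
import os
import re
import stat
import tempfile
from urllib.parse import urlsplit, urlunsplit

# Matches http(s)/webcal URIs. The vCalendar plugin accepted user:pass@server
# inside the URI, and that full string landed in the folder list and cache.
URI_RE = re.compile(r"\b(?:https?|webcal)://[^\s\"'<>]+")

def find_embedded_credentials(text):
    """Return (redacted_uri, username) per URI whose userinfo has a password."""
    hits = []
    for m in URI_RE.finditer(text):
        p = urlsplit(m.group(0))
        if p.username is not None and p.password is not None:
            hostport = p.netloc.rsplit("@", 1)[-1]
            redacted = urlunsplit((p.scheme, f"{p.username}:***@{hostport}",
                                   p.path, p.query, p.fragment))
            hits.append((redacted, p.username))
    return hits

def audit_claws_dir(base):
    """Report files holding credential-bearing URIs and files readable by others."""
    findings = []
    for root, _dirs, files in os.walk(base):
        for name in files:
            path = os.path.join(root, name)
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode & stat.S_IRWXO:
                findings.append(("other-accessible", path, oct(mode)))
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for uri, _user in find_embedded_credentials(fh.read()):
                        findings.append(("embedded-credential", path, uri))
            except OSError:
                continue
    return sorted(findings)

def demo():
    """Audit a constructed config dir (made-up layout, not Claws' real schema)."""
    with tempfile.TemporaryDirectory() as base:
        path = os.path.join(base, "folderlist.xml")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write('<folder type="vcalendar" '
                     'uri="https://alice:s3cret@cal.example.org/alice.ics"/>\n')
        os.chmod(path, 0o644)  # deliberately loose for the demonstration
        return [(k, os.path.basename(p), d) for k, p, d in audit_claws_dir(base)]
```

Running audit_claws_dir(os.path.expanduser("~/.claws-mail")) on a real profile lists which files would need re-creating once the embedded credentials are removed from the calendar URI.
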
Comment 4 Vincent Danen 2014-03-13 18:55:56 UTC
I don't believe the initial description was "inaccurate".  Perhaps it didn't provide all the details as in the upstream bug, but that's why the upstream bug was linked.
