A security flaw was found in the way the vCalendar plug-in of Claws Mail displayed user credential information in the system tray display when using the https scheme. A local attacker could use this flaw to obtain the user credentials (username and password) used for the connection to the remote point.

References:
[1] http://www.openwall.com/lists/oss-security/2012/11/15/5
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=693391

Upstream bug report:
[3] http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=2782

Relevant upstream patch:
[4] http://lists.claws-mail.org/pipermail/commits/2012-November/001598.html
This issue affects the versions of the claws-mail-plugins package, as shipped with Fedora releases 16 and 17. Please schedule an update.

--

This issue affects the version of the claws-mail-plugins package, as shipped with Fedora EPEL 6. Please schedule an update.
Created claws-mail-plugins tracking bugs for this issue:

Affects: fedora-all [bug 877375]
Affects: epel-6 [bug 877376]
CVE-2012-5527 was assigned to this issue: http://www.openwall.com/lists/oss-security/2012/11/28/8