Bug 1027309

Summary: VUL-0: kdelibs4: Information Leak when accessing https when using a malicious PAC file
Product: [Novell Products] SUSE Security Incidents Reporter: Mikhail Kasimov <mikhail.kasimov>
Component: IncidentsAssignee: E-mail List <kde-maintainers>
Status: RESOLVED DUPLICATE QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: fabian, jsegitz, meissner
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard: CVSSv2:SUSE:CVE-2017-6410:5.0:(AV:N/AC:L/Au:N/C:P/I:N/A:N)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Mikhail Kasimov 2017-02-28 19:08:00 UTC
Ref: https://www.kde.org/info/security/advisory-20170228-1.txt
===============================================================
KDE Project Security Advisory
=============================

Title:          kio: Information Leak when accessing https when using a malicious PAC file
Risk Rating:    Medium
CVE:            TBC
Versions:       kio < 5.32, kdelibs < 4.14.30
Date:           28 February 2017


Overview
========
Using a malicious PAC file, and then using exfiltration methods in the PAC
function FindProxyForURL() enables the attacker to expose full https URLs.

This is a security issue since https URLs may contain sensitive
information in the URL authentication part (user:password@host), and in the
path and the query (e.g. access tokens).

This attack can be carried out remotely (over the LAN) since proxy settings
allow “Detect Proxy Configuration Automatically”.
This setting uses WPAD to retrieve the PAC file, and an attacker who has access
to the victim’s LAN can interfere with the WPAD protocols (DHCP/DNS+HTTP)
and inject his/her own malicious PAC instead of the legitimate one.

Solution
========
Update to kio >= 5.32 and kdelibs >= 4.14.30 (when released)

Or apply the following patches:
    kio: https://commits.kde.org/kio/f9d0cb47cf94e209f6171ac0e8d774e68156a6e4
kdelibs: https://commits.kde.org/kdelibs/1804c2fde7bf4e432c6cf5bb8cce5701c7010559

Credits
=======
Thanks to Safebreach Labs researchers Itzik Kotler, Yonatan Fridburg
and Amit Klein.
===============================================================

https://software.opensuse.org/package/kio

TW: 5.30.0
42.2: 5.26.0
42.1: no info
Comment 1 Swamp Workflow Management 2017-02-28 23:01:31 UTC
bugbot adjusting priority
Comment 3 Fabian Vogt 2017-03-01 21:36:05 UTC
Marking as duplicate as I did not find this report at the time of making the .changes entries.

*** This bug has been marked as a duplicate of bug 1027520 ***