Bugzilla – Full Text Bug Listing
|Summary:||VUL-0: CVE-2017-6410: kdelibs4: kio: Information Leak when accessing https when using a malicious PAC file|
|Product:||[Novell Products] SUSE Security Incidents||Reporter:||Fabian Vogt <fabian>|
|Component:||Incidents||Assignee:||Antonio Larrosa <alarrosa>|
|Status:||RESOLVED FIXED||QA Contact:||Security Team bot <security-team>|
|Priority:||P3 - Medium||CC:||astieger, mikhail.kasimov, opensuse-kde-bugs, wbauer|
|Whiteboard:||CVSSv2:SUSE:CVE-2017-6410:5.0:(AV:N/AC:L/Au:N/C:P/I:N/A:N) CVSSv2:NVD:CVE-2017-6410:4.3:(AV:N/AC:M/Au:N/C:P/I:N/A:N) CVSSv3:NVD:CVE-2017-6410:5.5:(AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) CVSSv3:RedHat:CVE-2017-6410:5.3:(AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)|
|Found By:||---||Services Priority:|
|Marketing QA Status:||---||IT Deployment:||---|
Description Fabian Vogt 2017-03-01 20:36:46 UTC
42.2 and 42.1 are affected From: https://www.kde.org/info/security/advisory-20170228-1.txt KDE Project Security Advisory ============================= Title: kio: Information Leak when accessing https when using a malicious PAC file Risk Rating: Medium CVE: TBC Versions: kio < 5.32, kdelibs < 4.14.30 Date: 28 February 2017 Overview ======== Using a malicious PAC file, and then using exfiltration methods in the PAC function FindProxyForURL() enables the attacker to expose full https URLs. This is a security issue since https URLs may contain sensitive information in the URL authentication part (user:password@host), and in the path and the query (e.g. access tokens). This attack can be carried out remotely (over the LAN) since proxy settings allow “Detect Proxy Configuration Automatically”. This setting uses WPAD to retrieve the PAC file, and an attacker who has access to the victim’s LAN can interfere with the WPAD protocols (DHCP/DNS+HTTP) and inject his/her own malicious PAC instead of the legitimate one. Solution ======== Update to kio >= 5.32 and kdelibs >= 4.14.30 (when released) Or apply the following patches: kio: https://commits.kde.org/kio/f9d0cb47cf94e209f6171ac0e8d774e68156a6e4 kdelibs: https://commits.kde.org/kdelibs/1804c2fde7bf4e432c6cf5bb8cce5701c7010559 Credits ======= Thanks to Safebreach Labs researchers Itzik Kotler, Yonatan Fridburg and Amit Klein.
Comment 2 Fabian Vogt 2017-03-01 21:33:51 UTC
(In reply to Wolfgang Bauer from comment #1) > Isn't this the same as bug#1027309 though? Indeed! I couldn't find it as I searched for kio. I'll just make the other one a duplicate of this as I already used this bug no# in all changes entries...
Comment 3 Fabian Vogt 2017-03-01 21:36:06 UTC
*** Bug 1027309 has been marked as a duplicate of this bug. ***
Comment 4 Bernhard Wiedemann 2017-03-01 23:01:04 UTC
This is an autogenerated message for OBS integration: This bug (1027520) was mentioned in https://build.opensuse.org/request/show/461717 Factory / kdelibs4 https://build.opensuse.org/request/show/461718 Factory / kio
Comment 5 Marcus Meissner 2017-03-02 06:51:14 UTC
it would have been better to use the secrity tracker bug. but well, i just made this one the tracker bug for this issue.
Comment 6 Marcus Meissner 2017-03-02 07:11:42 UTC
Fabian, if you are opening a security bug on your own, feel free to add VUL-0 in front of the summary, so our scripts will see it and we can process it.
Comment 7 Bernhard Wiedemann 2017-03-02 09:00:59 UTC
This is an autogenerated message for OBS integration: This bug (1027520) was mentioned in https://build.opensuse.org/request/show/461793 42.1 / kdelibs4+kio https://build.opensuse.org/request/show/461794 42.2 / kdelibs4+kio
Comment 8 Marcus Meissner 2017-03-02 10:32:57 UTC
CVE-2017-6410 was assigned
Comment 9 Andreas Stieger 2017-03-03 19:31:44 UTC
Can I point out that KDE packages are maintained in the package hub? I may be mistaken, but this is not the first security fix that was submitted for Leap but not the package hub. And this seems to happen in particular with projects that do not use mbranch but submit from "devel" projects. To check what is maintained, see: osc maintained kio osc maintained kdelibs4 Applies for all: https://build.opensuse.org/request/show/476826
Comment 10 Fabian Vogt 2017-03-03 19:39:34 UTC
(In reply to Andreas Stieger from comment #9) > Can I point out that KDE packages are maintained in the package hub? > I may be mistaken, but this is not the first security fix that was submitted > for Leap but not the package hub. And this seems to happen in particular > with projects that do not use mbranch but submit from "devel" projects. > > To check what is maintained, see: > osc maintained kio > osc maintained kdelibs4 > > Applies for all: > https://build.opensuse.org/request/show/476826 I always thought that openSUSE backports would inherit the fixes. Reassigning to antlarr.
Comment 11 Swamp Workflow Management 2017-03-13 14:24:56 UTC
openSUSE-SU-2017:0677-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 1027520 CVE References: CVE-2017-6410 Sources used: SUSE Package Hub for SUSE Linux Enterprise 12 (src): kdelibs4-4.14.18-6.2, kdelibs4-4.14.25-5.3, kdelibs4-apidocs-4.14.18-6.2, kdelibs4-apidocs-4.14.25-5.3, kio-5.20.0-6.2, kio-5.26.0-5.1
Comment 12 Swamp Workflow Management 2017-03-13 14:25:52 UTC
openSUSE-SU-2017:0680-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 1027520 CVE References: CVE-2017-6410 Sources used: openSUSE Leap 42.2 (src): kdelibs4-4.14.25-5.2, kdelibs4-apidocs-4.14.25-5.2, kio-5.26.0-6.2 openSUSE Leap 42.1 (src): kdelibs4-4.14.18-15.2, kdelibs4-apidocs-4.14.18-15.2, kio-5.21.0-23.2
Comment 13 Antonio Larrosa 2017-06-07 11:47:25 UTC
The patch was submitted to Backports so I'm closing this.