Bugzilla – Bug 1027520
VUL-0: CVE-2017-6410: kdelibs4: kio: Information Leak when accessing https when using a malicious PAC file
Last modified: 2020-04-01 16:51:30 UTC
42.2 and 42.1 are affected From: https://www.kde.org/info/security/advisory-20170228-1.txt KDE Project Security Advisory ============================= Title: kio: Information Leak when accessing https when using a malicious PAC file Risk Rating: Medium CVE: TBC Versions: kio < 5.32, kdelibs < 4.14.30 Date: 28 February 2017 Overview ======== Using a malicious PAC file, and then using exfiltration methods in the PAC function FindProxyForURL() enables the attacker to expose full https URLs. This is a security issue since https URLs may contain sensitive information in the URL authentication part (user:password@host), and in the path and the query (e.g. access tokens). This attack can be carried out remotely (over the LAN) since proxy settings allow “Detect Proxy Configuration Automatically”. This setting uses WPAD to retrieve the PAC file, and an attacker who has access to the victim’s LAN can interfere with the WPAD protocols (DHCP/DNS+HTTP) and inject his/her own malicious PAC instead of the legitimate one. Solution ======== Update to kio >= 5.32 and kdelibs >= 4.14.30 (when released) Or apply the following patches: kio: https://commits.kde.org/kio/f9d0cb47cf94e209f6171ac0e8d774e68156a6e4 kdelibs: https://commits.kde.org/kdelibs/1804c2fde7bf4e432c6cf5bb8cce5701c7010559 Credits ======= Thanks to Safebreach Labs researchers Itzik Kotler, Yonatan Fridburg and Amit Klein.
Isn't this the same as bug#1027309 though?
(In reply to Wolfgang Bauer from comment #1) > Isn't this the same as bug#1027309 though? Indeed! I couldn't find it as I searched for kio. I'll just make the other one a duplicate of this as I already used this bug no# in all changes entries...
*** Bug 1027309 has been marked as a duplicate of this bug. ***
This is an autogenerated message for OBS integration: This bug (1027520) was mentioned in https://build.opensuse.org/request/show/461717 Factory / kdelibs4 https://build.opensuse.org/request/show/461718 Factory / kio
it would have been better to use the secrity tracker bug. but well, i just made this one the tracker bug for this issue.
Fabian, if you are opening a security bug on your own, feel free to add VUL-0 in front of the summary, so our scripts will see it and we can process it.
This is an autogenerated message for OBS integration: This bug (1027520) was mentioned in https://build.opensuse.org/request/show/461793 42.1 / kdelibs4+kio https://build.opensuse.org/request/show/461794 42.2 / kdelibs4+kio
CVE-2017-6410 was assigned
Can I point out that KDE packages are maintained in the package hub? I may be mistaken, but this is not the first security fix that was submitted for Leap but not the package hub. And this seems to happen in particular with projects that do not use mbranch but submit from "devel" projects. To check what is maintained, see: osc maintained kio osc maintained kdelibs4 Applies for all: https://build.opensuse.org/request/show/476826
(In reply to Andreas Stieger from comment #9) > Can I point out that KDE packages are maintained in the package hub? > I may be mistaken, but this is not the first security fix that was submitted > for Leap but not the package hub. And this seems to happen in particular > with projects that do not use mbranch but submit from "devel" projects. > > To check what is maintained, see: > osc maintained kio > osc maintained kdelibs4 > > Applies for all: > https://build.opensuse.org/request/show/476826 I always thought that openSUSE backports would inherit the fixes. Reassigning to antlarr.
openSUSE-SU-2017:0677-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 1027520 CVE References: CVE-2017-6410 Sources used: SUSE Package Hub for SUSE Linux Enterprise 12 (src): kdelibs4-4.14.18-6.2, kdelibs4-4.14.25-5.3, kdelibs4-apidocs-4.14.18-6.2, kdelibs4-apidocs-4.14.25-5.3, kio-5.20.0-6.2, kio-5.26.0-5.1
openSUSE-SU-2017:0680-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 1027520 CVE References: CVE-2017-6410 Sources used: openSUSE Leap 42.2 (src): kdelibs4-4.14.25-5.2, kdelibs4-apidocs-4.14.25-5.2, kio-5.26.0-6.2 openSUSE Leap 42.1 (src): kdelibs4-4.14.18-15.2, kdelibs4-apidocs-4.14.18-15.2, kio-5.21.0-23.2
The patch was submitted to Backports so I'm closing this.