kio: CVE-2017-6410: Information Leak when accessing https when using a malicious PAC file

Debian Bug report logs - #856889


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 5 Mar 2017 20:51:01 UTC

Severity: important

Tags: patch, security, upstream

Found in version kio/5.22.0-1

Fixed in version kio/5.28.0-2

Done: Maximiliano Curia <maxy@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian/Kubuntu Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>:
Bug#856889; Package src:kio. (Sun, 05 Mar 2017 20:51:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian/Kubuntu Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>. (Sun, 05 Mar 2017 20:51:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: kio: CVE-2017-6410: Information Leak when accessing https when using a malicious PAC file
Date: Sun, 05 Mar 2017 21:46:42 +0100
Source: kio
Version: 5.22.0-1
Severity: important
Tags: patch upstream security

Hi,

the following vulnerability was published for kio.

CVE-2017-6410[0]:
| kpac/script.cpp in KDE kio before 5.32 and kdelibs before 4.14.30 calls
| the PAC FindProxyForURL function with a full https URL (potentially
| including Basic Authentication credentials, a query string, or
| PATH_INFO), which allows remote attackers to obtain sensitive
| information via a crafted PAC file.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-6410
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6410
[1] https://commits.kde.org/kio/f9d0cb47cf94e209f6171ac0e8d774e68156a6e4
[2] https://www.kde.org/info/security/advisory-20170228-1.txt

Regards,
Salvatore
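The defect the CVE text above describes, as an added example that is not kio's own code: the sanitisation step the upstream patch name "Sanitize-URLs-before-passing-them-to-FindProxyForURL" refers to, written in Python rather than kio's C++ so it runs stand-alone. The treatment of non-https schemes, the helper names and the sample URL are this example's own assumptions.

```python
from urllib.parse import urlsplit, urlunsplit

# Added example, not kio's kpac/script.cpp. Before the fix, kpac handed the full
# https URL (userinfo, PATH_INFO, query string) to the PAC script's
# FindProxyForURL(), so a malicious PAC file could read them. The defence is to
# reduce an https URL to what a proxy sees anyway: scheme, host and port. How
# non-https schemes are handled below is this example's own choice, not kio's.

def sanitize_url_for_pac(url: str) -> str:
    """Return the reduced URL that may be passed to FindProxyForURL(url, host)."""
    parts = urlsplit(url)
    # Drop any "user:password@" prefix; keep host and port (IPv6 brackets survive).
    hostport = parts.netloc.rsplit("@", 1)[-1]
    if parts.scheme.lower() == "https":
        # TLS hides path, query and credentials from the proxy, so a PAC script
        # has no legitimate use for them either.
        return urlunsplit((parts.scheme, hostport, "/", "", ""))
    # Other schemes: a proxy sees path and query on the wire, so they stay;
    # embedded credentials still never belong in the PAC call.
    return urlunsplit((parts.scheme, hostport, parts.path or "/", parts.query, ""))


def pac_visible_secrets(url_given_to_pac: str) -> list:
    """List the sensitive components a PAC script would receive for this URL.
    Intended as a regression check on whatever sanitiser a client applies."""
    parts = urlsplit(url_given_to_pac)
    found = []
    if parts.username or parts.password:
        found.append("credentials")
    if parts.scheme.lower() == "https":
        if parts.path not in ("", "/"):
            found.append("path")
        if parts.query:
            found.append("query")
    return found


# Constructed sample input of the kind the CVE description mentions.
SAMPLE = "https://alice:s3cret@intranet.example.com:8443/reports/2017?token=abc123"

if __name__ == "__main__":
    print(pac_visible_secrets(SAMPLE))   # ['credentials', 'path', 'query']
    safe = sanitize_url_for_pac(SAMPLE)
    print(safe)                          # https://intranet.example.com:8443/
    print(pac_visible_secrets(safe))     # []
```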



Reply sent to Maximiliano Curia <maxy@debian.org>:
You have taken responsibility. (Wed, 05 Apr 2017 08:51:09 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 05 Apr 2017 08:51:09 GMT)


Message #10 received at 856889-close@bugs.debian.org:

From: Maximiliano Curia <maxy@debian.org>
To: 856889-close@bugs.debian.org
Subject: Bug#856889: fixed in kio 5.28.0-2
Date: Wed, 05 Apr 2017 08:49:29 +0000
Source: kio
Source-Version: 5.28.0-2

We believe that the bug you reported is fixed in the latest version of
kio, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 856889@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Maximiliano Curia <maxy@debian.org> (supplier of updated kio package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Wed, 05 Apr 2017 10:10:59 +0200
Source: kio
Binary: libkf5kio-dev kio libkf5kiocore5 libkf5kiofilewidgets5 libkf5kiogui5 libkf5kiontlm5 libkf5kiowidgets5 kio-dev
Architecture: source
Version: 5.28.0-2
Distribution: unstable
Urgency: medium
Maintainer: Debian/Kubuntu Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Maximiliano Curia <maxy@debian.org>
Description:
 kio        - Resource and network access abstraction
 kio-dev    - transitional dummy package
 libkf5kio-dev - Resource and network access abstraction
 libkf5kiocore5 - Resource and network access abstraction
 libkf5kiofilewidgets5 - Resource and network access abstraction
 libkf5kiogui5 - Resource and network access abstraction
 libkf5kiontlm5 - Resource and network access abstraction
 libkf5kiowidgets5 - Resource and network access abstraction
Closes: 856889
Changes:
 kio (5.28.0-2) unstable; urgency=medium
 .
   * Add new upstream patches, to improve file dialog's list:
     Never-stretch-the-last-date-column-in-the-file-dialog.patch,
     Also-change-the-resize-mode-the-other-way.patch and
   * Add new upstream patch:
     Allow-uppercase-checksums-matching-in-Checksums-tab.patch
   * Add new upstream patches to fix the way the flags are being passed:
     ForwardingSlaveBase-fix-passing-of-Overwrite-flag-to-kio_.patch,
     ForwardingSlaveBase-fix-passing-of-Overwrite-flag-to-kio_.patch
   * Add new upstream patch:
     kssl-Ensure-user-certificate-directory-has-been-created-b.patch
   * Add new upstream patch:
     Fix-memleak-in-KDynamicJobTracker-KWidgetJobTracker-needs.patch
   * Add new upstream patch:
     Fix-parsing-of-directories-listing-on-a-specific-ftp-serv.patch
   * Add new upstream patch for CVE-2017-6410:
     Sanitize-URLs-before-passing-them-to-FindProxyForURL.patch.
     Thanks to Salvatore Bonaccorso for reporting (Closes: 856889)
   * Add new upstream patch: keep-query-encoding-when-HTTP-Proxy-is-used.patch
   * Add new upstream patch: kioexec-fix-support-for-suggestedfilename.patch
   * Add new upstream patch, to fix the testsuite:
     Fix-KDynamicJobTrackerTest-for-linkers-dropping-linked-li.patch




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 09 May 2017 07:30:51 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:38:44 2019; Machine Name: buxtehude
