Leo Famulari writes: > From 32670b1f90403faad3eb45f69a345777e472d4eb Mon Sep 17 00:00:00 2001 > From: Leo Famulari > Date: Thu, 2 Mar 2017 17:35:43 -0500 > Subject: [PATCH] gnu: kio: Fix CVE-2017-6410. > > * gnu/packages/patches/kio-CVE-2017-6410.patch: New file. > * gnu/local.mk (dist_patch_DATA): Add it. > * gnu/packages/kde-frameworks.scm (kio)[source]: Use it. LGTM. It would be nice to refresh the KDE packages in the near future. > --- > gnu/local.mk | 1 + > gnu/packages/kde-frameworks.scm | 1 + > gnu/packages/patches/kio-CVE-2017-6410.patch | 53 ++++++++++++++++++++++++++++ > 3 files changed, 55 insertions(+) > create mode 100644 gnu/packages/patches/kio-CVE-2017-6410.patch > > diff --git a/gnu/local.mk b/gnu/local.mk > index 406e0dc96..297b40182 100644 > --- a/gnu/local.mk > +++ b/gnu/local.mk > @@ -649,6 +649,7 @@ dist_patch_DATA = \ > %D%/packages/patches/jq-CVE-2015-8863.patch \ > %D%/packages/patches/kdbusaddons-kinit-file-name.patch \ > %D%/packages/patches/khmer-use-libraries.patch \ > + %D%/packages/patches/kio-CVE-2017-6410.patch \ > %D%/packages/patches/kmod-module-directory.patch \ > %D%/packages/patches/kobodeluxe-paths.patch \ > %D%/packages/patches/kobodeluxe-enemies-pipe-decl.patch \ > diff --git a/gnu/packages/kde-frameworks.scm b/gnu/packages/kde-frameworks.scm > index 36c285156..ba4ead2d6 100644 > --- a/gnu/packages/kde-frameworks.scm > +++ b/gnu/packages/kde-frameworks.scm > @@ -2206,6 +2206,7 @@ makes starting KDE applications faster and reduces memory consumption.") > "mirror://kde/stable/frameworks/" > (version-major+minor version) "/" > name "-" version ".tar.xz")) > + (patches (search-patches "kio-CVE-2017-6410.patch")) > (sha256 > (base32 > "1hqc88c2idi9fkb7jy82csb0i740lghv0p2fg1gaglcarjdz7nia")))) > diff --git a/gnu/packages/patches/kio-CVE-2017-6410.patch b/gnu/packages/patches/kio-CVE-2017-6410.patch > new file mode 100644 > index 000000000..748636f80 > --- /dev/null > +++ b/gnu/packages/patches/kio-CVE-2017-6410.patch > @@ -0,0 +1,53 @@ > +Fix CVE-2017-6410, "Information Leak when accessing https when using a > +malicious PAC file": > + > +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6410 > +https://www.kde.org/info/security/advisory-20170228-1.txt > + > +Patch copied from upstream source repository: > + > +https://cgit.kde.org/kio.git/commit/?id=f9d0cb47cf94e209f6171ac0e8d774e68156a6e4 > + > +From f9d0cb47cf94e209f6171ac0e8d774e68156a6e4 Mon Sep 17 00:00:00 2001 > +From: Albert Astals Cid > +Date: Tue, 28 Feb 2017 19:00:48 +0100 > +Subject: Sanitize URLs before passing them to FindProxyForURL > + > +Remove user/password information > +For https: remove path and query > + > +Thanks to safebreach.com for reporting the problem > + > +CCMAIL: yoni.fridburg@safebreach.com > +CCMAIL: amit.klein@safebreach.com > +CCMAIL: itzik.kotler@safebreach.com > +--- > + src/kpac/script.cpp | 11 +++++++++-- > + 1 file changed, 9 insertions(+), 2 deletions(-) > + > +diff --git a/src/kpac/script.cpp b/src/kpac/script.cpp > +index a0235f7..2485c54 100644 > +--- a/src/kpac/script.cpp > ++++ b/src/kpac/script.cpp > +@@ -754,9 +754,16 @@ QString Script::evaluate(const QUrl &url) > + } > + } > + > ++ QUrl cleanUrl = url; > ++ cleanUrl.setUserInfo(QString()); > ++ if (cleanUrl.scheme() == QLatin1String("https")) { > ++ cleanUrl.setPath(QString()); > ++ cleanUrl.setQuery(QString()); > ++ } > ++ > + QScriptValueList args; > +- args << url.url(); > +- args << url.host(); > ++ args << cleanUrl.url(); > ++ args << cleanUrl.host(); > + > + QScriptValue result = func.call(QScriptValue(), args); > + if (result.isError()) { > +-- > +cgit v0.11.2 > + > -- > 2.12.0