GNU bug report logs -
#25940
[PATCH] gnu: kio: Fix CVE-2017-6410.
Previous Next
Reported by: Leo Famulari <leo <at> famulari.name>
Date: Thu, 2 Mar 2017 22:45:01 UTC
Severity: normal
Tags: patch
Done: Efraim Flashner <efraim <at> flashner.co.il>
Bug is archived. No further changes may be made.
To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 25940 in the body.
You can then email your comments to 25940 AT debbugs.gnu.org in the normal way.
Toggle the display of automated, internal messages from the tracker.
Report forwarded
to
guix-patches <at> gnu.org:
bug#25940; Package
guix-patches.
(Thu, 02 Mar 2017 22:45:01 GMT)
Full text and
rfc822 format available.
Acknowledgement sent
to
Leo Famulari <leo <at> famulari.name>:
New bug report received and forwarded. Copy sent to
guix-patches <at> gnu.org.
(Thu, 02 Mar 2017 22:45:01 GMT)
Full text and
rfc822 format available.
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
[0001-gnu-kio-Fix-CVE-2017-6410.patch (text/plain, attachment)]
Information forwarded
to
guix-patches <at> gnu.org:
bug#25940; Package
guix-patches.
(Thu, 02 Mar 2017 23:23:01 GMT)
Full text and
rfc822 format available.
Message #8 received at 25940 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
Leo Famulari <leo <at> famulari.name> writes:
> From 32670b1f90403faad3eb45f69a345777e472d4eb Mon Sep 17 00:00:00 2001
> From: Leo Famulari <leo <at> famulari.name>
> Date: Thu, 2 Mar 2017 17:35:43 -0500
> Subject: [PATCH] gnu: kio: Fix CVE-2017-6410.
>
> * gnu/packages/patches/kio-CVE-2017-6410.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
> * gnu/packages/kde-frameworks.scm (kio)[source]: Use it.
LGTM. It would be nice to refresh the KDE packages in the near future.
> ---
> gnu/local.mk | 1 +
> gnu/packages/kde-frameworks.scm | 1 +
> gnu/packages/patches/kio-CVE-2017-6410.patch | 53 ++++++++++++++++++++++++++++
> 3 files changed, 55 insertions(+)
> create mode 100644 gnu/packages/patches/kio-CVE-2017-6410.patch
>
> diff --git a/gnu/local.mk b/gnu/local.mk
> index 406e0dc96..297b40182 100644
> --- a/gnu/local.mk
> +++ b/gnu/local.mk
> @@ -649,6 +649,7 @@ dist_patch_DATA = \
> %D%/packages/patches/jq-CVE-2015-8863.patch \
> %D%/packages/patches/kdbusaddons-kinit-file-name.patch \
> %D%/packages/patches/khmer-use-libraries.patch \
> + %D%/packages/patches/kio-CVE-2017-6410.patch \
> %D%/packages/patches/kmod-module-directory.patch \
> %D%/packages/patches/kobodeluxe-paths.patch \
> %D%/packages/patches/kobodeluxe-enemies-pipe-decl.patch \
> diff --git a/gnu/packages/kde-frameworks.scm b/gnu/packages/kde-frameworks.scm
> index 36c285156..ba4ead2d6 100644
> --- a/gnu/packages/kde-frameworks.scm
> +++ b/gnu/packages/kde-frameworks.scm
> @@ -2206,6 +2206,7 @@ makes starting KDE applications faster and reduces memory consumption.")
> "mirror://kde/stable/frameworks/"
> (version-major+minor version) "/"
> name "-" version ".tar.xz"))
> + (patches (search-patches "kio-CVE-2017-6410.patch"))
> (sha256
> (base32
> "1hqc88c2idi9fkb7jy82csb0i740lghv0p2fg1gaglcarjdz7nia"))))
> diff --git a/gnu/packages/patches/kio-CVE-2017-6410.patch b/gnu/packages/patches/kio-CVE-2017-6410.patch
> new file mode 100644
> index 000000000..748636f80
> --- /dev/null
> +++ b/gnu/packages/patches/kio-CVE-2017-6410.patch
> @@ -0,0 +1,53 @@
> +Fix CVE-2017-6410, "Information Leak when accessing https when using a
> +malicious PAC file":
> +
> +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6410
> +https://www.kde.org/info/security/advisory-20170228-1.txt
> +
> +Patch copied from upstream source repository:
> +
> +https://cgit.kde.org/kio.git/commit/?id=f9d0cb47cf94e209f6171ac0e8d774e68156a6e4
> +
> +From f9d0cb47cf94e209f6171ac0e8d774e68156a6e4 Mon Sep 17 00:00:00 2001
> +From: Albert Astals Cid <aacid <at> kde.org>
> +Date: Tue, 28 Feb 2017 19:00:48 +0100
> +Subject: Sanitize URLs before passing them to FindProxyForURL
> +
> +Remove user/password information
> +For https: remove path and query
> +
> +Thanks to safebreach.com for reporting the problem
> +
> +CCMAIL: yoni.fridburg <at> safebreach.com
> +CCMAIL: amit.klein <at> safebreach.com
> +CCMAIL: itzik.kotler <at> safebreach.com
> +---
> + src/kpac/script.cpp | 11 +++++++++--
> + 1 file changed, 9 insertions(+), 2 deletions(-)
> +
> +diff --git a/src/kpac/script.cpp b/src/kpac/script.cpp
> +index a0235f7..2485c54 100644
> +--- a/src/kpac/script.cpp
> ++++ b/src/kpac/script.cpp
> +@@ -754,9 +754,16 @@ QString Script::evaluate(const QUrl &url)
> + }
> + }
> +
> ++ QUrl cleanUrl = url;
> ++ cleanUrl.setUserInfo(QString());
> ++ if (cleanUrl.scheme() == QLatin1String("https")) {
> ++ cleanUrl.setPath(QString());
> ++ cleanUrl.setQuery(QString());
> ++ }
> ++
> + QScriptValueList args;
> +- args << url.url();
> +- args << url.host();
> ++ args << cleanUrl.url();
> ++ args << cleanUrl.host();
> +
> + QScriptValue result = func.call(QScriptValue(), args);
> + if (result.isError()) {
> +--
> +cgit v0.11.2
> +
> --
> 2.12.0
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to
guix-patches <at> gnu.org:
bug#25940; Package
guix-patches.
(Thu, 02 Mar 2017 23:44:02 GMT)
Full text and
rfc822 format available.
Message #11 received at 25940 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
On Fri, Mar 03, 2017 at 12:22:13AM +0100, Marius Bakke wrote:
> Leo Famulari <leo <at> famulari.name> writes:
>
> > From 32670b1f90403faad3eb45f69a345777e472d4eb Mon Sep 17 00:00:00 2001
> > From: Leo Famulari <leo <at> famulari.name>
> > Date: Thu, 2 Mar 2017 17:35:43 -0500
> > Subject: [PATCH] gnu: kio: Fix CVE-2017-6410.
> >
> > * gnu/packages/patches/kio-CVE-2017-6410.patch: New file.
> > * gnu/local.mk (dist_patch_DATA): Add it.
> > * gnu/packages/kde-frameworks.scm (kio)[source]: Use it.
>
> LGTM. It would be nice to refresh the KDE packages in the near future.
Yeah, hopefully someone will decide to watch over the KDE packages.
[signature.asc (application/pgp-signature, inline)]
Reply sent
to
Efraim Flashner <efraim <at> flashner.co.il>:
You have taken responsibility.
(Sun, 19 Mar 2017 20:25:02 GMT)
Full text and
rfc822 format available.
Notification sent
to
Leo Famulari <leo <at> famulari.name>:
bug acknowledged by developer.
(Sun, 19 Mar 2017 20:25:03 GMT)
Full text and
rfc822 format available.
Message #16 received at 25940-done <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
Looks like this one was merged already
--
Efraim Flashner <efraim <at> flashner.co.il> אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
[signature.asc (application/pgp-signature, inline)]
bug archived.
Request was from
Debbugs Internal Request <help-debbugs <at> gnu.org>
to
internal_control <at> debbugs.gnu.org.
(Mon, 17 Apr 2017 11:24:03 GMT)
Full text and
rfc822 format available.
This bug report was last modified 8 years and 70 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.