From unknown Wed Jun 25 03:57:48 2025
X-Loop: help-debbugs@gnu.org
Subject: bug#25940: [PATCH] gnu: kio: Fix CVE-2017-6410.
Resent-From: Leo Famulari <leo@famulari.name>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: guix-patches@gnu.org
Resent-Date: Thu, 02 Mar 2017 22:45:01 +0000
Resent-Message-ID: <handler.25940.B.148849469816407@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: report 25940
X-GNU-PR-Package: guix-patches
X-GNU-PR-Keywords: patch
To: 25940@debbugs.gnu.org
X-Debbugs-Original-To: guix-patches@gnu.org
Received: via spool by submit@debbugs.gnu.org id=B.148849469816407
          (code B ref -1); Thu, 02 Mar 2017 22:45:01 +0000
Received: (at submit) by debbugs.gnu.org; 2 Mar 2017 22:44:58 +0000
Received: from localhost ([127.0.0.1]:37069 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1cjZSu-0004GV-JQ
	for submit@debbugs.gnu.org; Thu, 02 Mar 2017 17:44:57 -0500
Received: from eggs.gnu.org ([208.118.235.92]:58348)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <leo@famulari.name>) id 1cjZSr-0004GC-6g
 for submit@debbugs.gnu.org; Thu, 02 Mar 2017 17:44:51 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <leo@famulari.name>) id 1cjZSk-0004ft-Gj
 for submit@debbugs.gnu.org; Thu, 02 Mar 2017 17:44:43 -0500
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,T_DKIM_INVALID
 autolearn=disabled version=3.3.2
Received: from lists.gnu.org ([2001:4830:134:3::11]:54134)
 by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
 (Exim 4.71) (envelope-from <leo@famulari.name>) id 1cjZSk-0004fo-DV
 for submit@debbugs.gnu.org; Thu, 02 Mar 2017 17:44:42 -0500
Received: from eggs.gnu.org ([2001:4830:134:3::10]:49315)
 by lists.gnu.org with esmtp (Exim 4.71)
 (envelope-from <leo@famulari.name>) id 1cjZSi-0005MD-SU
 for guix-patches@gnu.org; Thu, 02 Mar 2017 17:44:42 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <leo@famulari.name>) id 1cjZSe-0004ce-EF
 for guix-patches@gnu.org; Thu, 02 Mar 2017 17:44:40 -0500
Received: from out4-smtp.messagingengine.com ([66.111.4.28]:43428)
 by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
 (Exim 4.71) (envelope-from <leo@famulari.name>) id 1cjZSe-0004bM-8P
 for guix-patches@gnu.org; Thu, 02 Mar 2017 17:44:36 -0500
Received: from compute4.internal (compute4.nyi.internal [10.202.2.44])
 by mailout.nyi.internal (Postfix) with ESMTP id 7D06320C25;
 Thu,  2 Mar 2017 17:44:33 -0500 (EST)
Received: from frontend2 ([10.202.2.161])
 by compute4.internal (MEProxy); Thu, 02 Mar 2017 17:44:33 -0500
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=famulari.name; h=
 content-type:date:from:message-id:mime-version:subject:to
 :x-me-sender:x-me-sender:x-sasl-enc:x-sasl-enc; s=mesmtp; bh=Apb
 q5KyEJ6Kh+URbA9AX42g+f5k=; b=n6dB/fMJ2VIiXnmE2vVI6ZnFkBvOcbzJQH9
 jxafasGT6k78ntpS9Ene2L6DztspROQSP79aNoGHegiIVo9iXTgHsXcNOZzi7GRs
 8L2pIdkQ/IV2St7yhc9cZKXQcMKh9In8EiCLhTUv5rrQlcz+FQGKzhrvCizLuYon
 yVxKB6IQ=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=
 messagingengine.com; h=content-type:date:from:message-id
 :mime-version:subject:to:x-me-sender:x-me-sender:x-sasl-enc
 :x-sasl-enc; s=smtpout; bh=Apbq5KyEJ6Kh+URbA9AX42g+f5k=; b=Prwwy
 pAnauXI7l/eP423W8sNZuV1gzYe/rfw+xfUUrfIdADM7mqVfPWiEADuZbwYjaT3w
 qC8hn7dECFQGYpFElwii/emn25tTf1/q2ZHEpbcQ1k9N0SdJB086f2uyAT2O59LN
 joklUbhcM1GomoMLpzY0/4xe+/fEPCr06eEUYw=
X-ME-Sender: <xms:UaC4WEt1Pvo5tEi5ehiSN1n9RbMBlMSDCCQ39Zh47r03cpzluwJyYw>
X-Sasl-enc: cv5ZHzSQtug16N2ZM6RAxqgmxYu0Xh4ifDQGIUx3PgzX 1488494673
Received: from localhost (unknown [172.56.28.9])
 by mail.messagingengine.com (Postfix) with ESMTPA id 3794B24614
 for <guix-patches@gnu.org>; Thu,  2 Mar 2017 17:44:33 -0500 (EST)
Date: Thu, 2 Mar 2017 17:44:31 -0500
From: Leo Famulari <leo@famulari.name>
Message-ID: <20170302224431.GA15483@jasmine>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="2fHTh5uZTiUOsy+g"
Content-Disposition: inline
User-Agent: Mutt/1.8.0 (2017-02-23)
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
 [fuzzy]
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6.x
X-Received-From: 2001:4830:134:3::11
X-Spam-Score: -4.1 (----)
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: 0.9 (/)


--2fHTh5uZTiUOsy+g
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline



--2fHTh5uZTiUOsy+g
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="0001-gnu-kio-Fix-CVE-2017-6410.patch"

>From 32670b1f90403faad3eb45f69a345777e472d4eb Mon Sep 17 00:00:00 2001
From: Leo Famulari <leo@famulari.name>
Date: Thu, 2 Mar 2017 17:35:43 -0500
Subject: [PATCH] gnu: kio: Fix CVE-2017-6410.

* gnu/packages/patches/kio-CVE-2017-6410.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/kde-frameworks.scm (kio)[source]: Use it.
---
 gnu/local.mk                                 |  1 +
 gnu/packages/kde-frameworks.scm              |  1 +
 gnu/packages/patches/kio-CVE-2017-6410.patch | 53 ++++++++++++++++++++++++++++
 3 files changed, 55 insertions(+)
 create mode 100644 gnu/packages/patches/kio-CVE-2017-6410.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 406e0dc96..297b40182 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -649,6 +649,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/jq-CVE-2015-8863.patch			\
   %D%/packages/patches/kdbusaddons-kinit-file-name.patch	\
   %D%/packages/patches/khmer-use-libraries.patch                \
+  %D%/packages/patches/kio-CVE-2017-6410.patch			\
   %D%/packages/patches/kmod-module-directory.patch		\
   %D%/packages/patches/kobodeluxe-paths.patch			\
   %D%/packages/patches/kobodeluxe-enemies-pipe-decl.patch	\
diff --git a/gnu/packages/kde-frameworks.scm b/gnu/packages/kde-frameworks.scm
index 36c285156..ba4ead2d6 100644
--- a/gnu/packages/kde-frameworks.scm
+++ b/gnu/packages/kde-frameworks.scm
@@ -2206,6 +2206,7 @@ makes starting KDE applications faster and reduces memory consumption.")
                     "mirror://kde/stable/frameworks/"
                     (version-major+minor version) "/"
                     name "-" version ".tar.xz"))
+              (patches (search-patches "kio-CVE-2017-6410.patch"))
               (sha256
                (base32
                 "1hqc88c2idi9fkb7jy82csb0i740lghv0p2fg1gaglcarjdz7nia"))))
diff --git a/gnu/packages/patches/kio-CVE-2017-6410.patch b/gnu/packages/patches/kio-CVE-2017-6410.patch
new file mode 100644
index 000000000..748636f80
--- /dev/null
+++ b/gnu/packages/patches/kio-CVE-2017-6410.patch
@@ -0,0 +1,53 @@
+Fix CVE-2017-6410, "Information Leak when accessing https when using a
+malicious PAC file":
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6410
+https://www.kde.org/info/security/advisory-20170228-1.txt
+
+Patch copied from upstream source repository:
+
+https://cgit.kde.org/kio.git/commit/?id=f9d0cb47cf94e209f6171ac0e8d774e68156a6e4
+
+From f9d0cb47cf94e209f6171ac0e8d774e68156a6e4 Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aacid@kde.org>
+Date: Tue, 28 Feb 2017 19:00:48 +0100
+Subject: Sanitize URLs before passing them to FindProxyForURL
+
+Remove user/password information
+For https: remove path and query
+
+Thanks to safebreach.com for reporting the problem
+
+CCMAIL: yoni.fridburg@safebreach.com
+CCMAIL: amit.klein@safebreach.com
+CCMAIL: itzik.kotler@safebreach.com
+---
+ src/kpac/script.cpp | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/src/kpac/script.cpp b/src/kpac/script.cpp
+index a0235f7..2485c54 100644
+--- a/src/kpac/script.cpp
++++ b/src/kpac/script.cpp
+@@ -754,9 +754,16 @@ QString Script::evaluate(const QUrl &url)
+         }
+     }
+ 
++    QUrl cleanUrl = url;
++    cleanUrl.setUserInfo(QString());
++    if (cleanUrl.scheme() == QLatin1String("https")) {
++        cleanUrl.setPath(QString());
++        cleanUrl.setQuery(QString());
++    }
++
+     QScriptValueList args;
+-    args << url.url();
+-    args << url.host();
++    args << cleanUrl.url();
++    args << cleanUrl.host();
+ 
+     QScriptValue result = func.call(QScriptValue(), args);
+     if (result.isError()) {
+-- 
+cgit v0.11.2
+
-- 
2.12.0


--2fHTh5uZTiUOsy+g--




From unknown Wed Jun 25 03:57:48 2025
X-Loop: help-debbugs@gnu.org
Subject: bug#25940: [PATCH] gnu: kio: Fix CVE-2017-6410.
Resent-From: Marius Bakke <mbakke@fastmail.com>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: guix-patches@gnu.org
Resent-Date: Thu, 02 Mar 2017 23:23:01 +0000
Resent-Message-ID: <handler.25940.B25940.148849694619853@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: followup 25940
X-GNU-PR-Package: guix-patches
X-GNU-PR-Keywords: patch
To: Leo Famulari <leo@famulari.name>, 25940@debbugs.gnu.org
Received: via spool by 25940-submit@debbugs.gnu.org id=B25940.148849694619853
          (code B ref 25940); Thu, 02 Mar 2017 23:23:01 +0000
Received: (at 25940) by debbugs.gnu.org; 2 Mar 2017 23:22:26 +0000
Received: from localhost ([127.0.0.1]:37094 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1cja3B-0005A5-Qw
	for submit@debbugs.gnu.org; Thu, 02 Mar 2017 18:22:25 -0500
Received: from out4-smtp.messagingengine.com ([66.111.4.28]:36375)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <mbakke@fastmail.com>) id 1cja37-00059s-7l
 for 25940@debbugs.gnu.org; Thu, 02 Mar 2017 18:22:20 -0500
Received: from compute5.internal (compute5.nyi.internal [10.202.2.45])
 by mailout.nyi.internal (Postfix) with ESMTP id 8BC5120AC5;
 Thu,  2 Mar 2017 18:22:15 -0500 (EST)
Received: from frontend2 ([10.202.2.161])
 by compute5.internal (MEProxy); Thu, 02 Mar 2017 18:22:15 -0500
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=fastmail.com; h=
 content-type:date:from:in-reply-to:message-id:mime-version
 :references:subject:to:x-me-sender:x-me-sender:x-sasl-enc
 :x-sasl-enc; s=mesmtp; bh=jxBk+H6ijW/zwlf0zCMzN8aSWyc=; b=Hslw2s
 gsNtVztyeE5aculYxjAT6lNEbR+HxxOKdH7bEmi87bzNtfTZkRBLzJeW0xmw8jac
 wB7hsUACjssSR8wrZA6yaPrgQJtEgEDHaaM9XFWEoVtsWDd55SHIG0jf/VHYUsf9
 QkGxdKyO/whbfeiF1KyO2/6R2tbe1BWif+UOk=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=
 messagingengine.com; h=content-type:date:from:in-reply-to
 :message-id:mime-version:references:subject:to:x-me-sender
 :x-me-sender:x-sasl-enc:x-sasl-enc; s=smtpout; bh=jxBk+H6ijW/zwl
 f0zCMzN8aSWyc=; b=SvaRu46yDiVe0ujFhEjU9/RHZpNZjZjW8m4MRmWTW6y/fF
 uvc7BuUOwy+O9dkwIPsCloSd3153R7Vmx9wGloj/ghTtPnDZXImG3fMWMu9ROYrj
 QhyhKKu8XTjAqLSYMye1D4Uoy1Xuxlq4116f3fxO3+ktV1X8R+41Vqgr4sdsM=
X-ME-Sender: <xms:J6m4WGujORmMc7-oxhOISbwTQNfodo0AAYaFvbi8ZpEbbLCI2NzAcg>
X-Sasl-enc: NRL+3MTGUTYNLATgM555K/MsCaFxpvQ6OuW7n3isAsrt 1488496935
Received: from localhost (unknown [188.113.81.93])
 by mail.messagingengine.com (Postfix) with ESMTPA id 205DA24645;
 Thu,  2 Mar 2017 18:22:15 -0500 (EST)
From: Marius Bakke <mbakke@fastmail.com>
In-Reply-To: <20170302224431.GA15483@jasmine>
References: <20170302224431.GA15483@jasmine>
User-Agent: Notmuch/0.23.7 (https://notmuchmail.org) Emacs/25.1.1
 (x86_64-unknown-linux-gnu)
Date: Fri, 03 Mar 2017 00:22:13 +0100
Message-ID: <87y3wn6z8a.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
 micalg=pgp-sha512; protocol="application/pgp-signature"
X-Spam-Score: -0.7 (/)
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -0.0 (/)

--=-=-=
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

Leo Famulari <leo@famulari.name> writes:

> From 32670b1f90403faad3eb45f69a345777e472d4eb Mon Sep 17 00:00:00 2001
> From: Leo Famulari <leo@famulari.name>
> Date: Thu, 2 Mar 2017 17:35:43 -0500
> Subject: [PATCH] gnu: kio: Fix CVE-2017-6410.
>
> * gnu/packages/patches/kio-CVE-2017-6410.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
> * gnu/packages/kde-frameworks.scm (kio)[source]: Use it.

LGTM. It would be nice to refresh the KDE packages in the near future.

> ---
>  gnu/local.mk                                 |  1 +
>  gnu/packages/kde-frameworks.scm              |  1 +
>  gnu/packages/patches/kio-CVE-2017-6410.patch | 53 ++++++++++++++++++++++=
++++++
>  3 files changed, 55 insertions(+)
>  create mode 100644 gnu/packages/patches/kio-CVE-2017-6410.patch
>
> diff --git a/gnu/local.mk b/gnu/local.mk
> index 406e0dc96..297b40182 100644
> --- a/gnu/local.mk
> +++ b/gnu/local.mk
> @@ -649,6 +649,7 @@ dist_patch_DATA =3D						\
>    %D%/packages/patches/jq-CVE-2015-8863.patch			\
>    %D%/packages/patches/kdbusaddons-kinit-file-name.patch	\
>    %D%/packages/patches/khmer-use-libraries.patch                \
> +  %D%/packages/patches/kio-CVE-2017-6410.patch			\
>    %D%/packages/patches/kmod-module-directory.patch		\
>    %D%/packages/patches/kobodeluxe-paths.patch			\
>    %D%/packages/patches/kobodeluxe-enemies-pipe-decl.patch	\
> diff --git a/gnu/packages/kde-frameworks.scm b/gnu/packages/kde-framework=
s.scm
> index 36c285156..ba4ead2d6 100644
> --- a/gnu/packages/kde-frameworks.scm
> +++ b/gnu/packages/kde-frameworks.scm
> @@ -2206,6 +2206,7 @@ makes starting KDE applications faster and reduces =
memory consumption.")
>                      "mirror://kde/stable/frameworks/"
>                      (version-major+minor version) "/"
>                      name "-" version ".tar.xz"))
> +              (patches (search-patches "kio-CVE-2017-6410.patch"))
>                (sha256
>                 (base32
>                  "1hqc88c2idi9fkb7jy82csb0i740lghv0p2fg1gaglcarjdz7nia"))=
))
> diff --git a/gnu/packages/patches/kio-CVE-2017-6410.patch b/gnu/packages/=
patches/kio-CVE-2017-6410.patch
> new file mode 100644
> index 000000000..748636f80
> --- /dev/null
> +++ b/gnu/packages/patches/kio-CVE-2017-6410.patch
> @@ -0,0 +1,53 @@
> +Fix CVE-2017-6410, "Information Leak when accessing https when using a
> +malicious PAC file":
> +
> +https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2017-6410
> +https://www.kde.org/info/security/advisory-20170228-1.txt
> +
> +Patch copied from upstream source repository:
> +
> +https://cgit.kde.org/kio.git/commit/?id=3Df9d0cb47cf94e209f6171ac0e8d774=
e68156a6e4
> +
> +From f9d0cb47cf94e209f6171ac0e8d774e68156a6e4 Mon Sep 17 00:00:00 2001
> +From: Albert Astals Cid <aacid@kde.org>
> +Date: Tue, 28 Feb 2017 19:00:48 +0100
> +Subject: Sanitize URLs before passing them to FindProxyForURL
> +
> +Remove user/password information
> +For https: remove path and query
> +
> +Thanks to safebreach.com for reporting the problem
> +
> +CCMAIL: yoni.fridburg@safebreach.com
> +CCMAIL: amit.klein@safebreach.com
> +CCMAIL: itzik.kotler@safebreach.com
> +---
> + src/kpac/script.cpp | 11 +++++++++--
> + 1 file changed, 9 insertions(+), 2 deletions(-)
> +
> +diff --git a/src/kpac/script.cpp b/src/kpac/script.cpp
> +index a0235f7..2485c54 100644
> +--- a/src/kpac/script.cpp
> ++++ b/src/kpac/script.cpp
> +@@ -754,9 +754,16 @@ QString Script::evaluate(const QUrl &url)
> +         }
> +     }
> +=20
> ++    QUrl cleanUrl =3D url;
> ++    cleanUrl.setUserInfo(QString());
> ++    if (cleanUrl.scheme() =3D=3D QLatin1String("https")) {
> ++        cleanUrl.setPath(QString());
> ++        cleanUrl.setQuery(QString());
> ++    }
> ++
> +     QScriptValueList args;
> +-    args << url.url();
> +-    args << url.host();
> ++    args << cleanUrl.url();
> ++    args << cleanUrl.host();
> +=20
> +     QScriptValue result =3D func.call(QScriptValue(), args);
> +     if (result.isError()) {
> +--=20
> +cgit v0.11.2
> +
> --=20
> 2.12.0

--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEu7At3yzq9qgNHeZDoqBt8qM6VPoFAli4qSUACgkQoqBt8qM6
VPoqCQf/Zz6pVhwTcqrCURAG2+70sd1RyLce2+SfYiNPth1vPtgKmPnzDIuluvho
JEcpo3A5pDNwVmess+1sLduNbi2kUYmmYe3FYY8PsIACReOtcIn8mcLfilSpNyOP
lYjN8tVngqzIfTedPBvyCFK1vlyFFn3srL8VZf7+a9452DQf1oLhvBVPw96HvkX9
WkBc0qSqL/+bHyxBN5x5JfPEag4SZqlPpz17P8BsOebHgOiL5dsSTG8/g5LLs98W
aB2HSw2wQB2TnA4WJnAgoMUNb73k+h3MVrpg3waIJopPlVH5AMPxy0I785GOdbEU
KREXtks/uho7wabCLFtB5nhcF9KC7A==
=Ef0N
-----END PGP SIGNATURE-----
--=-=-=--




From unknown Wed Jun 25 03:57:48 2025
X-Loop: help-debbugs@gnu.org
Subject: bug#25940: [PATCH] gnu: kio: Fix CVE-2017-6410.
Resent-From: Leo Famulari <leo@famulari.name>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: guix-patches@gnu.org
Resent-Date: Thu, 02 Mar 2017 23:44:02 +0000
Resent-Message-ID: <handler.25940.B25940.148849824121861@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: followup 25940
X-GNU-PR-Package: guix-patches
X-GNU-PR-Keywords: patch
To: Marius Bakke <mbakke@fastmail.com>
Cc: 25940@debbugs.gnu.org
Received: via spool by 25940-submit@debbugs.gnu.org id=B25940.148849824121861
          (code B ref 25940); Thu, 02 Mar 2017 23:44:02 +0000
Received: (at 25940) by debbugs.gnu.org; 2 Mar 2017 23:44:01 +0000
Received: from localhost ([127.0.0.1]:37117 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1cjaO9-0005gM-0v
	for submit@debbugs.gnu.org; Thu, 02 Mar 2017 18:44:01 -0500
Received: from out4-smtp.messagingengine.com ([66.111.4.28]:34000)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <leo@famulari.name>) id 1cjaO4-0005gB-Md
 for 25940@debbugs.gnu.org; Thu, 02 Mar 2017 18:43:59 -0500
Received: from compute4.internal (compute4.nyi.internal [10.202.2.44])
 by mailout.nyi.internal (Postfix) with ESMTP id 8ED9A20CF0;
 Thu,  2 Mar 2017 18:43:56 -0500 (EST)
Received: from frontend2 ([10.202.2.161])
 by compute4.internal (MEProxy); Thu, 02 Mar 2017 18:43:56 -0500
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=famulari.name; h=
 cc:content-type:date:from:in-reply-to:message-id:mime-version
 :references:subject:to:x-me-sender:x-me-sender:x-sasl-enc
 :x-sasl-enc; s=mesmtp; bh=bsFwXc8srhqwPnkkmJ9NB6wyYPM=; b=Mu3HLZ
 lFtM8ZFpZZZ/DlZVzxq9a1zshbzqTTcug6r42zHyCcssZdyXZzmcNj/WxbKdtEWV
 zgAF/d3+5YIREevVBlDHIE2VmcIE1IvfQGqqLDcrnajmy5p0X0bbiHWDy03N0Ho/
 UKm9dxRrozdvu0z6+nA0WBGZyn21cV5hMklC4=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=
 messagingengine.com; h=cc:content-type:date:from:in-reply-to
 :message-id:mime-version:references:subject:to:x-me-sender
 :x-me-sender:x-sasl-enc:x-sasl-enc; s=smtpout; bh=bsFwXc8srhqwPn
 kkmJ9NB6wyYPM=; b=fZ4gR4ivsKPNKQxly3nKjEshS0vZeo23Gd7zV190JvQ1C+
 NWTeIbSJWAxNLabl3eILG90QrRNIAX34uYjYbNQLseQoay1CbTTduyhanUaR4+nw
 UX/PN6D+nQd0kNN6SdvI08+UqLxqBulN6/xSUj0LRGlNnlLPUUJN3jUQIsfjc=
X-ME-Sender: <xms:PK64WOA4na4m_W80pL4efrsi7F1NqtrCnPXdK74BlXE0PjhsuUdIiQ>
X-Sasl-enc: y0EfGzMVZPSKZ0eEQY5TpJdb6e9YxvFnkMc20g3gBqmU 1488498236
Received: from localhost (c-68-84-77-42.hsd1.pa.comcast.net [68.84.77.42])
 by mail.messagingengine.com (Postfix) with ESMTPA id 4C42D24216;
 Thu,  2 Mar 2017 18:43:56 -0500 (EST)
Date: Thu, 2 Mar 2017 18:43:54 -0500
From: Leo Famulari <leo@famulari.name>
Message-ID: <20170302234354.GC18943@jasmine>
References: <20170302224431.GA15483@jasmine>
 <87y3wn6z8a.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature"; boundary="Izn7cH1Com+I3R9J"
Content-Disposition: inline
In-Reply-To: <87y3wn6z8a.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me>
User-Agent: Mutt/1.8.0 (2017-02-23)
X-Spam-Score: -0.7 (/)
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -0.7 (/)


--Izn7cH1Com+I3R9J
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Fri, Mar 03, 2017 at 12:22:13AM +0100, Marius Bakke wrote:
> Leo Famulari <leo@famulari.name> writes:
>=20
> > From 32670b1f90403faad3eb45f69a345777e472d4eb Mon Sep 17 00:00:00 2001
> > From: Leo Famulari <leo@famulari.name>
> > Date: Thu, 2 Mar 2017 17:35:43 -0500
> > Subject: [PATCH] gnu: kio: Fix CVE-2017-6410.
> >
> > * gnu/packages/patches/kio-CVE-2017-6410.patch: New file.
> > * gnu/local.mk (dist_patch_DATA): Add it.
> > * gnu/packages/kde-frameworks.scm (kio)[source]: Use it.
>=20
> LGTM. It would be nice to refresh the KDE packages in the near future.

Yeah, hopefully someone will decide to watch over the KDE packages.

--Izn7cH1Com+I3R9J
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAli4rjoACgkQJkb6MLrK
fwgeZxAAu09K60uDooOVIP7xguqxIDMLH5S+M9PcQnL/GdXtzRUQmjWPhAPAdsug
e1sPYOVKBmEXe4ZjB4LhxL7VNlm48JSOW0RWLKimj0cVsa9AvPdQV7KImldepoul
EALjQqVDq0FKCrp2IjprILkSoRaXtOAOASnZOF6kEBhEQF7gHjXCSsJ1NRfOmhrn
kLE/4R7ZkZeZlYqQhecaeSxWldgLXo9PppdIa1N3xu865Ccnl4clrDG54c1l2GFB
0HLqWVpKMzmEENy7iATnKYvkWSqZHktuYYWhZG4cja3nu9KqC4JBWwv5LOLq147m
7QHugyczs61ibpxLMS+yxTST2OC4xqGhSDYey/KBmb3d6noAZ9r/5De5An6g1hpp
e4e+V7f6Hpsy818ZDOTSDq4PxTTFl7w7+lq6wvcHmhoGJuG2ZaKAmB46+UKE3/Ms
VH7gZvfQsdo7WTHOZyaS4aDIHRG1VRrTMKcxRshNQTaXmW3a4BNI2MYUowbDRKcw
XobKTr/e6iis9iqmsd7DnLp750dOg469tkFOgjfCVou5wdwTrZq/yevCZWdDRqch
MREaBWFzbnr1ojz0Q1H7JlsQmwNP9cDoSZ5FXGVS4vx/hqxmFjHh3dRERnSiKkc7
7Q7JlS0YjXrMENnS3a0zIxnCRzshB6H6QO36NyvZLDfzgf7MEK0=
=KW+I
-----END PGP SIGNATURE-----

--Izn7cH1Com+I3R9J--




From unknown Wed Jun 25 03:57:48 2025
MIME-Version: 1.0
X-Mailer: MIME-tools 5.505 (Entity 5.505)
X-Loop: help-debbugs@gnu.org
From: help-debbugs@gnu.org (GNU bug Tracking System)
To: Leo Famulari <leo@famulari.name>
Subject: bug#25940: closed ([PATCH] gnu: kio: Fix CVE-2017-6410)
Message-ID: <handler.25940.D25940.148995504217115.notifdone@debbugs.gnu.org>
References: <20170319202345.GD19779@macbook42.flashner.co.il>
 <20170302224431.GA15483@jasmine>
X-Gnu-PR-Message: they-closed 25940
X-Gnu-PR-Package: guix-patches
X-Gnu-PR-Keywords: patch
Reply-To: 25940@debbugs.gnu.org
Date: Sun, 19 Mar 2017 20:25:03 +0000
Content-Type: multipart/mixed; boundary="----------=_1489955103-17199-1"

This is a multi-part message in MIME format...

------------=_1489955103-17199-1
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Your bug report

#25940: [PATCH] gnu: kio: Fix CVE-2017-6410.

which was filed against the guix-patches package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 25940@debbugs.gnu.org.

--=20
25940: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=3D25940
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems

------------=_1489955103-17199-1
Content-Type: message/rfc822
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

Received: (at 25940-done) by debbugs.gnu.org; 19 Mar 2017 20:24:02 +0000
Received: from localhost ([127.0.0.1]:35507 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1cphMw-0004Rp-9Z
	for submit@debbugs.gnu.org; Sun, 19 Mar 2017 16:24:02 -0400
Received: from flashner.co.il ([178.62.234.194]:50759)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <efraim@flashner.co.il>) id 1cphMu-0004RW-V4
 for 25940-done@debbugs.gnu.org; Sun, 19 Mar 2017 16:24:01 -0400
Received: from localhost (85.64.232.168.dynamic.barak-online.net
 [85.64.232.168])
 by flashner.co.il (Postfix) with ESMTPSA id C9ECC4005F
 for <25940-done@debbugs.gnu.org>; Sun, 19 Mar 2017 20:23:54 +0000 (UTC)
Date: Sun, 19 Mar 2017 22:23:45 +0200
From: Efraim Flashner <efraim@flashner.co.il>
To: 25940-done@debbugs.gnu.org
Subject: [PATCH] gnu: kio: Fix CVE-2017-6410
Message-ID: <20170319202345.GD19779@macbook42.flashner.co.il>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512;
 protocol="application/pgp-signature"; boundary="MAH+hnPXVZWQ5cD/"
Content-Disposition: inline
User-Agent: Mutt/1.8.0 (2017-02-23)
X-Spam-Score: -0.0 (/)
X-Debbugs-Envelope-To: 25940-done
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -0.0 (/)


--MAH+hnPXVZWQ5cD/
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Looks like this one was merged already

--=20
Efraim Flashner   <efraim@flashner.co.il>   =D7=90=D7=A4=D7=A8=D7=99=D7=9D =
=D7=A4=D7=9C=D7=A9=D7=A0=D7=A8
GPG key =3D A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted

--MAH+hnPXVZWQ5cD/
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEkVdB/rIvpOM7bo+N9MHTkX6s7pMFAljO6NEACgkQ9MHTkX6s
7pMzARAAnli85/fUuOfeAwI8G/eoACUXq7VhEf/tDbDyMXMK5FxKqo7YPd7sh/lM
RtL6IHVfemZrKCFUnMjlK7DBKiX0d20miBm7MPfFhRffg8OFTCvoL8OT/Wx21EDT
T1oug0SjuEGndNGO5bHW85TvmucOND2Oay6NBk8C4rMawdlYTf3rYMed4FS1ltln
sgCfOFit6DjtsifLkOUMI4NKW/kJirTqo4S+BdQhAJmWKpo8F4jfo98LCl5sXvp0
3bMDX1LgKHuXUiioZYxBmcxgdIfVjwP0oRv1dK0UqqaaANLF0MKPc1pFad1UHQ7e
YjHmxH2Ejj2hEWuKJaBcqB20Xu6iWbwfs1dnPLyeC5VK5cBhv8wGwLF5JYxtF/RQ
o5NB/0kpjmBumoXJs7Jz9fjUpXNAtGaQ8tJ+nGvkqmhPChLJjrwh5vmuYfv6I6dJ
RwrqXSpvGTmWSDEYoc7qlU5EZ8brEdcnx+j5n0gZWrkgO02/KlRx5rYGjyJR4YeA
aoaCG6FqsuyRV+H1oDBDzBI2EVD/FshU39bwZRN7LDarHmnqLlRS8Ji2NG95zMcU
M+p/0ws/jQA2tQ//4dykf4ZzyxMSz8nBPSfc/xmyl0+GZpWaQQF1ExEPzESFxzPL
mLpgmzKnXzqMiu7dyjET23NlQ91YtyrjdCOhVjkUpHZ2MJbZ8lY=
=t2ro
-----END PGP SIGNATURE-----

--MAH+hnPXVZWQ5cD/--


------------=_1489955103-17199-1
Content-Type: message/rfc822
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

Received: (at submit) by debbugs.gnu.org; 2 Mar 2017 22:44:58 +0000
Received: from localhost ([127.0.0.1]:37069 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1cjZSu-0004GV-JQ
	for submit@debbugs.gnu.org; Thu, 02 Mar 2017 17:44:57 -0500
Received: from eggs.gnu.org ([208.118.235.92]:58348)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <leo@famulari.name>) id 1cjZSr-0004GC-6g
 for submit@debbugs.gnu.org; Thu, 02 Mar 2017 17:44:51 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <leo@famulari.name>) id 1cjZSk-0004ft-Gj
 for submit@debbugs.gnu.org; Thu, 02 Mar 2017 17:44:43 -0500
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,T_DKIM_INVALID
 autolearn=disabled version=3.3.2
Received: from lists.gnu.org ([2001:4830:134:3::11]:54134)
 by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
 (Exim 4.71) (envelope-from <leo@famulari.name>) id 1cjZSk-0004fo-DV
 for submit@debbugs.gnu.org; Thu, 02 Mar 2017 17:44:42 -0500
Received: from eggs.gnu.org ([2001:4830:134:3::10]:49315)
 by lists.gnu.org with esmtp (Exim 4.71)
 (envelope-from <leo@famulari.name>) id 1cjZSi-0005MD-SU
 for guix-patches@gnu.org; Thu, 02 Mar 2017 17:44:42 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <leo@famulari.name>) id 1cjZSe-0004ce-EF
 for guix-patches@gnu.org; Thu, 02 Mar 2017 17:44:40 -0500
Received: from out4-smtp.messagingengine.com ([66.111.4.28]:43428)
 by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
 (Exim 4.71) (envelope-from <leo@famulari.name>) id 1cjZSe-0004bM-8P
 for guix-patches@gnu.org; Thu, 02 Mar 2017 17:44:36 -0500
Received: from compute4.internal (compute4.nyi.internal [10.202.2.44])
 by mailout.nyi.internal (Postfix) with ESMTP id 7D06320C25;
 Thu,  2 Mar 2017 17:44:33 -0500 (EST)
Received: from frontend2 ([10.202.2.161])
 by compute4.internal (MEProxy); Thu, 02 Mar 2017 17:44:33 -0500
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=famulari.name; h=
 content-type:date:from:message-id:mime-version:subject:to
 :x-me-sender:x-me-sender:x-sasl-enc:x-sasl-enc; s=mesmtp; bh=Apb
 q5KyEJ6Kh+URbA9AX42g+f5k=; b=n6dB/fMJ2VIiXnmE2vVI6ZnFkBvOcbzJQH9
 jxafasGT6k78ntpS9Ene2L6DztspROQSP79aNoGHegiIVo9iXTgHsXcNOZzi7GRs
 8L2pIdkQ/IV2St7yhc9cZKXQcMKh9In8EiCLhTUv5rrQlcz+FQGKzhrvCizLuYon
 yVxKB6IQ=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=
 messagingengine.com; h=content-type:date:from:message-id
 :mime-version:subject:to:x-me-sender:x-me-sender:x-sasl-enc
 :x-sasl-enc; s=smtpout; bh=Apbq5KyEJ6Kh+URbA9AX42g+f5k=; b=Prwwy
 pAnauXI7l/eP423W8sNZuV1gzYe/rfw+xfUUrfIdADM7mqVfPWiEADuZbwYjaT3w
 qC8hn7dECFQGYpFElwii/emn25tTf1/q2ZHEpbcQ1k9N0SdJB086f2uyAT2O59LN
 joklUbhcM1GomoMLpzY0/4xe+/fEPCr06eEUYw=
X-ME-Sender: <xms:UaC4WEt1Pvo5tEi5ehiSN1n9RbMBlMSDCCQ39Zh47r03cpzluwJyYw>
X-Sasl-enc: cv5ZHzSQtug16N2ZM6RAxqgmxYu0Xh4ifDQGIUx3PgzX 1488494673
Received: from localhost (unknown [172.56.28.9])
 by mail.messagingengine.com (Postfix) with ESMTPA id 3794B24614
 for <guix-patches@gnu.org>; Thu,  2 Mar 2017 17:44:33 -0500 (EST)
Date: Thu, 2 Mar 2017 17:44:31 -0500
From: Leo Famulari <leo@famulari.name>
To: guix-patches@gnu.org
Subject: [PATCH] gnu: kio: Fix CVE-2017-6410.
Message-ID: <20170302224431.GA15483@jasmine>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="2fHTh5uZTiUOsy+g"
Content-Disposition: inline
User-Agent: Mutt/1.8.0 (2017-02-23)
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
 [fuzzy]
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6.x
X-Received-From: 2001:4830:134:3::11
X-Spam-Score: -4.1 (----)
X-Debbugs-Envelope-To: submit
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: 0.9 (/)


--2fHTh5uZTiUOsy+g
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline



--2fHTh5uZTiUOsy+g
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="0001-gnu-kio-Fix-CVE-2017-6410.patch"

>From 32670b1f90403faad3eb45f69a345777e472d4eb Mon Sep 17 00:00:00 2001
From: Leo Famulari <leo@famulari.name>
Date: Thu, 2 Mar 2017 17:35:43 -0500
Subject: [PATCH] gnu: kio: Fix CVE-2017-6410.

* gnu/packages/patches/kio-CVE-2017-6410.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/kde-frameworks.scm (kio)[source]: Use it.
---
 gnu/local.mk                                 |  1 +
 gnu/packages/kde-frameworks.scm              |  1 +
 gnu/packages/patches/kio-CVE-2017-6410.patch | 53 ++++++++++++++++++++++++++++
 3 files changed, 55 insertions(+)
 create mode 100644 gnu/packages/patches/kio-CVE-2017-6410.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 406e0dc96..297b40182 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -649,6 +649,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/jq-CVE-2015-8863.patch			\
   %D%/packages/patches/kdbusaddons-kinit-file-name.patch	\
   %D%/packages/patches/khmer-use-libraries.patch                \
+  %D%/packages/patches/kio-CVE-2017-6410.patch			\
   %D%/packages/patches/kmod-module-directory.patch		\
   %D%/packages/patches/kobodeluxe-paths.patch			\
   %D%/packages/patches/kobodeluxe-enemies-pipe-decl.patch	\
diff --git a/gnu/packages/kde-frameworks.scm b/gnu/packages/kde-frameworks.scm
index 36c285156..ba4ead2d6 100644
--- a/gnu/packages/kde-frameworks.scm
+++ b/gnu/packages/kde-frameworks.scm
@@ -2206,6 +2206,7 @@ makes starting KDE applications faster and reduces memory consumption.")
                     "mirror://kde/stable/frameworks/"
                     (version-major+minor version) "/"
                     name "-" version ".tar.xz"))
+              (patches (search-patches "kio-CVE-2017-6410.patch"))
               (sha256
                (base32
                 "1hqc88c2idi9fkb7jy82csb0i740lghv0p2fg1gaglcarjdz7nia"))))
diff --git a/gnu/packages/patches/kio-CVE-2017-6410.patch b/gnu/packages/patches/kio-CVE-2017-6410.patch
new file mode 100644
index 000000000..748636f80
--- /dev/null
+++ b/gnu/packages/patches/kio-CVE-2017-6410.patch
@@ -0,0 +1,53 @@
+Fix CVE-2017-6410, "Information Leak when accessing https when using a
+malicious PAC file":
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6410
+https://www.kde.org/info/security/advisory-20170228-1.txt
+
+Patch copied from upstream source repository:
+
+https://cgit.kde.org/kio.git/commit/?id=f9d0cb47cf94e209f6171ac0e8d774e68156a6e4
+
+From f9d0cb47cf94e209f6171ac0e8d774e68156a6e4 Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aacid@kde.org>
+Date: Tue, 28 Feb 2017 19:00:48 +0100
+Subject: Sanitize URLs before passing them to FindProxyForURL
+
+Remove user/password information
+For https: remove path and query
+
+Thanks to safebreach.com for reporting the problem
+
+CCMAIL: yoni.fridburg@safebreach.com
+CCMAIL: amit.klein@safebreach.com
+CCMAIL: itzik.kotler@safebreach.com
+---
+ src/kpac/script.cpp | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/src/kpac/script.cpp b/src/kpac/script.cpp
+index a0235f7..2485c54 100644
+--- a/src/kpac/script.cpp
++++ b/src/kpac/script.cpp
+@@ -754,9 +754,16 @@ QString Script::evaluate(const QUrl &url)
+         }
+     }
+ 
++    QUrl cleanUrl = url;
++    cleanUrl.setUserInfo(QString());
++    if (cleanUrl.scheme() == QLatin1String("https")) {
++        cleanUrl.setPath(QString());
++        cleanUrl.setQuery(QString());
++    }
++
+     QScriptValueList args;
+-    args << url.url();
+-    args << url.host();
++    args << cleanUrl.url();
++    args << cleanUrl.host();
+ 
+     QScriptValue result = func.call(QScriptValue(), args);
+     if (result.isError()) {
+-- 
+cgit v0.11.2
+
-- 
2.12.0


--2fHTh5uZTiUOsy+g--



------------=_1489955103-17199-1--