GNU bug report logs - #25940
[PATCH] gnu: kio: Fix CVE-2017-6410.

Previous Next

Package: guix-patches;

Reported by: Leo Famulari <leo <at> famulari.name>

Date: Thu, 2 Mar 2017 22:45:01 UTC

Severity: normal

Tags: patch

Done: Efraim Flashner <efraim <at> flashner.co.il>

Bug is archived. No further changes may be made.

Full log

Message #8 received at 25940 <at> debbugs.gnu.org (full text, mbox):

From: Marius Bakke <mbakke <at> fastmail.com>
To: Leo Famulari <leo <at> famulari.name>, 25940 <at> debbugs.gnu.org
Subject: Re: bug#25940: [PATCH] gnu: kio: Fix CVE-2017-6410.
Date: Fri, 03 Mar 2017 00:22:13 +0100

[Message part 1 (text/plain, inline)]
Leo Famulari <leo <at> famulari.name> writes:

> From 32670b1f90403faad3eb45f69a345777e472d4eb Mon Sep 17 00:00:00 2001
> From: Leo Famulari <leo <at> famulari.name>
> Date: Thu, 2 Mar 2017 17:35:43 -0500
> Subject: [PATCH] gnu: kio: Fix CVE-2017-6410.
>
> * gnu/packages/patches/kio-CVE-2017-6410.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
> * gnu/packages/kde-frameworks.scm (kio)[source]: Use it.

LGTM. It would be nice to refresh the KDE packages in the near future.

> ---
>  gnu/local.mk                                 |  1 +
>  gnu/packages/kde-frameworks.scm              |  1 +
>  gnu/packages/patches/kio-CVE-2017-6410.patch | 53 ++++++++++++++++++++++++++++
>  3 files changed, 55 insertions(+)
>  create mode 100644 gnu/packages/patches/kio-CVE-2017-6410.patch
>
> diff --git a/gnu/local.mk b/gnu/local.mk
> index 406e0dc96..297b40182 100644
> --- a/gnu/local.mk
> +++ b/gnu/local.mk
> @@ -649,6 +649,7 @@ dist_patch_DATA =						\
>    %D%/packages/patches/jq-CVE-2015-8863.patch			\
>    %D%/packages/patches/kdbusaddons-kinit-file-name.patch	\
>    %D%/packages/patches/khmer-use-libraries.patch                \
> +  %D%/packages/patches/kio-CVE-2017-6410.patch			\
>    %D%/packages/patches/kmod-module-directory.patch		\
>    %D%/packages/patches/kobodeluxe-paths.patch			\
>    %D%/packages/patches/kobodeluxe-enemies-pipe-decl.patch	\
> diff --git a/gnu/packages/kde-frameworks.scm b/gnu/packages/kde-frameworks.scm
> index 36c285156..ba4ead2d6 100644
> --- a/gnu/packages/kde-frameworks.scm
> +++ b/gnu/packages/kde-frameworks.scm
> @@ -2206,6 +2206,7 @@ makes starting KDE applications faster and reduces memory consumption.")
>                      "mirror://kde/stable/frameworks/"
>                      (version-major+minor version) "/"
>                      name "-" version ".tar.xz"))
> +              (patches (search-patches "kio-CVE-2017-6410.patch"))
>                (sha256
>                 (base32
>                  "1hqc88c2idi9fkb7jy82csb0i740lghv0p2fg1gaglcarjdz7nia"))))
> diff --git a/gnu/packages/patches/kio-CVE-2017-6410.patch b/gnu/packages/patches/kio-CVE-2017-6410.patch
> new file mode 100644
> index 000000000..748636f80
> --- /dev/null
> +++ b/gnu/packages/patches/kio-CVE-2017-6410.patch
> @@ -0,0 +1,53 @@
> +Fix CVE-2017-6410, "Information Leak when accessing https when using a
> +malicious PAC file":
> +
> +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6410
> +https://www.kde.org/info/security/advisory-20170228-1.txt
> +
> +Patch copied from upstream source repository:
> +
> +https://cgit.kde.org/kio.git/commit/?id=f9d0cb47cf94e209f6171ac0e8d774e68156a6e4
> +
> +From f9d0cb47cf94e209f6171ac0e8d774e68156a6e4 Mon Sep 17 00:00:00 2001
> +From: Albert Astals Cid <aacid <at> kde.org>
> +Date: Tue, 28 Feb 2017 19:00:48 +0100
> +Subject: Sanitize URLs before passing them to FindProxyForURL
> +
> +Remove user/password information
> +For https: remove path and query
> +
> +Thanks to safebreach.com for reporting the problem
> +
> +CCMAIL: yoni.fridburg <at> safebreach.com
> +CCMAIL: amit.klein <at> safebreach.com
> +CCMAIL: itzik.kotler <at> safebreach.com
> +---
> + src/kpac/script.cpp | 11 +++++++++--
> + 1 file changed, 9 insertions(+), 2 deletions(-)
> +
> +diff --git a/src/kpac/script.cpp b/src/kpac/script.cpp
> +index a0235f7..2485c54 100644
> +--- a/src/kpac/script.cpp
> ++++ b/src/kpac/script.cpp
> +@@ -754,9 +754,16 @@ QString Script::evaluate(const QUrl &url)
> +         }
> +     }
> + 
> ++    QUrl cleanUrl = url;
> ++    cleanUrl.setUserInfo(QString());
> ++    if (cleanUrl.scheme() == QLatin1String("https")) {
> ++        cleanUrl.setPath(QString());
> ++        cleanUrl.setQuery(QString());
> ++    }
> ++
> +     QScriptValueList args;
> +-    args << url.url();
> +-    args << url.host();
> ++    args << cleanUrl.url();
> ++    args << cleanUrl.host();
> + 
> +     QScriptValue result = func.call(QScriptValue(), args);
> +     if (result.isError()) {
> +-- 
> +cgit v0.11.2
> +
> -- 
> 2.12.0

[signature.asc (application/pgp-signature, inline)]
This bug report was last modified 8 years and 70 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.