Bug 20403

Summary: kdelibs4 new security issue CVE-2017-6410
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, lewyssmith, mageia, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: advisory MGA5-64-OK MGA5-32-OK
Source RPM: kio-5.29.0-1.mga6.src.rpm, kdelibs4-4.14.27-2.mga6.src.rpm CVE:
Status comment:

Description David Walser 2017-03-06 02:16:58 CET 
KDE has issued an advisory on February 28:
https://www.kde.org/info/security/advisory-20170228-1.txt

The issue is fixed in kio 5.32 and kdelibs4 4.14.30.  Mageia 5 is also affected.
David Walser 2017-03-06 02:17:05 CET

Whiteboard: (none) => MGA5TOO

Comment 1 Nicolas Lécureuil 2017-03-07 18:18:10 CET 
kio 5.32 is now in cauldron

CC: (none) => mageia

Comment 2 David Walser 2017-03-10 12:01:27 CET 
According to distrowatch, the kdelibs4 4.14.30 is now available.
Comment 3 Nicolas Lécureuil 2017-03-12 09:15:09 CET 
Fixed in cauldron for kdelibs4 too

Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)

Comment 4 Nicolas Lécureuil 2017-03-12 23:42:12 CET 
pushed in testing

Assignee: kde => bugsquad

Comment 5 Nicolas Lécureuil 2017-03-12 23:58:48 CET 
SRPMS: kdelibs4-4.14.30-1.mga5

Assignee: bugsquad => qa-bugs

Comment 6 Nicolas Lécureuil 2017-03-12 23:59:25 CET 
Advisory:

Using a malicious PAC file, and then using exfiltration methods in the PAC
function FindProxyForURL() enables the attacker to expose full https URLs.

This is a security issue since https URLs may contain sensitive
information in the URL authentication part (user:password@host), and in the
path and the query (e.g. access tokens).

This attack can be carried out remotely (over the LAN) since proxy settings
allow âDetect Proxy Configuration Automaticallyâ.
This setting uses WPAD to retrieve the PAC file, and an attacker who has access
to the victimâs LAN can interfere with the WPAD protocols (DHCP/DNS+HTTP)
and inject his/her own malicious PAC instead of the legitimate one.
Comment 7 David Walser 2017-03-13 00:43:05 CET 
Thanks.  What about kio-5.5.0-1.mga5?
Comment 8 Lewis Smith 2017-03-15 22:03:25 CET 
1. FWIW PAC = "Proxy auto-config", explained in
 https://en.wikipedia.org/wiki/Proxy_auto-config

2. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6410
is the CVE page. No sample PAC file mentioned from there or the KDE advisory link in Comment 0.

3. Comment 0 gives the correct versions for kio (5.32) & kdelibs4 (4.14.30), but only the latter is cited in Comments 2-5. I do not understand the kio version in Comment 7. Patched for Mageia 5? Certainly we need the kio rpm as well.

It looks as if Konqueror web browser might be an appropriate test vehicle.

CC: (none) => lewyssmith

Comment 9 Dave Hodgins 2017-03-16 20:15:19 CET 
Advisory added to svn, but will have to be updated once the kio srpm is updated.

CC: (none) => davidwhodgins

Comment 10 Dave Hodgins 2017-03-21 21:19:32 CET 
Removed kio from advisory in svn.
kio is experimental only on Mageia 5.
https://wiki.mageia.org/en/Mageia_5_Errata#KDE_Frameworks_5_.2F_Plasma_5

Without information on how to configure bind or other name servers to return
the malicious PAC file, or the contents of the file, just testing that kdelibs4
is working.

validating the update

Keywords: (none) => validated_update
Whiteboard: (none) => advisory MGA5-64-OK MGA5-32-OK
CC: (none) => sysadmin-bugs

Comment 11 Mageia Robot 2017-03-23 08:20:08 CET 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0079.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2017-03-23 14:02:24 CET

Summary: kio, kdelibs4 new security issue CVE-2017-6410 => kdelibs4 new security issue CVE-2017-6410