KDE has issued an advisory on February 28:
The issue is fixed in kio 5.32 and kdelibs4 4.14.30. Mageia 5 is also affected.
kio 5.32 is now in cauldron
According to distrowatch, the kdelibs4 4.14.30 is now available.
Fixed in cauldron for kdelibs4 too
pushed in testing
Using a malicious PAC file, and then using exfiltration methods in the PAC
function FindProxyForURL() enables the attacker to expose full https URLs.
This is a security issue since https URLs may contain sensitive
information in the URL authentication part (user:password@host), and in the
path and the query (e.g. access tokens).
This attack can be carried out remotely (over the LAN) since proxy settings
allow âDetect Proxy Configuration Automaticallyâ.
This setting uses WPAD to retrieve the PAC file, and an attacker who has access
to the victimâs LAN can interfere with the WPAD protocols (DHCP/DNS+HTTP)
and inject his/her own malicious PAC instead of the legitimate one.
Thanks. What about kio-5.5.0-1.mga5?
1. FWIW PAC = "Proxy auto-config", explained in
is the CVE page. No sample PAC file mentioned from there or the KDE advisory link in Comment 0.
3. Comment 0 gives the correct versions for kio (5.32) & kdelibs4 (4.14.30), but only the latter is cited in Comments 2-5. I do not understand the kio version in Comment 7. Patched for Mageia 5? Certainly we need the kio rpm as well.
It looks as if Konqueror web browser might be an appropriate test vehicle.
Advisory added to svn, but will have to be updated once the kio srpm is updated.
Removed kio from advisory in svn.
kio is experimental only on Mageia 5.
Without information on how to configure bind or other name servers to return
the malicious PAC file, or the contents of the file, just testing that kdelibs4
validating the update
An update for this issue has been pushed to the Mageia Updates repository.