Bug 20403 - kdelibs4 new security issue CVE-2017-6410
Summary: kdelibs4 new security issue CVE-2017-6410
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: advisory MGA5-64-OK MGA5-32-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2017-03-06 02:16 CET by David Walser
Modified: 2017-03-23 14:02 CET

See Also:
Source RPM: kio-5.29.0-1.mga6.src.rpm, kdelibs4-4.14.27-2.mga6.src.rpm
CVE:
Status comment:



Description David Walser 2017-03-06 02:16:58 CET
KDE has issued an advisory on February 28:
https://www.kde.org/info/security/advisory-20170228-1.txt

The issue is fixed in kio 5.32 and kdelibs4 4.14.30.  Mageia 5 is also affected.
David Walser 2017-03-06 02:17:05 CET

Whiteboard: (none) => MGA5TOO

Comment 1 Nicolas Lécureuil 2017-03-07 18:18:10 CET
kio 5.32 is now in cauldron

CC: (none) => mageia

Comment 2 David Walser 2017-03-10 12:01:27 CET
According to distrowatch, the kdelibs4 4.14.30 is now available.
Comment 3 Nicolas Lécureuil 2017-03-12 09:15:09 CET
Fixed in cauldron for kdelibs4 too

Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)

Comment 4 Nicolas Lécureuil 2017-03-12 23:42:12 CET
pushed in testing

Assignee: kde => bugsquad

Comment 5 Nicolas Lécureuil 2017-03-12 23:58:48 CET
SRPMS: kdelibs4-4.14.30-1.mga5

Assignee: bugsquad => qa-bugs

Comment 6 Nicolas Lécureuil 2017-03-12 23:59:25 CET
Advisory:

Using a malicious PAC file, and then using exfiltration methods in the PAC
function FindProxyForURL() enables the attacker to expose full https URLs.

This is a security issue since https URLs may contain sensitive
information in the URL authentication part (user:password@host), and in the
path and the query (e.g. access tokens).

This attack can be carried out remotely (over the LAN) since proxy settings
allow “Detect Proxy Configuration Automatically”.
This setting uses WPAD to retrieve the PAC file, and an attacker who has access
to the victim’s LAN can interfere with the WPAD protocols (DHCP/DNS+HTTP)
and inject his/her own malicious PAC instead of the legitimate one.
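
The leak described in the advisory above exists because FindProxyForURL() receives the full URL. One way to close that kind of leak is to reduce the URL before the PAC code sees it; the following is an added example, not part of the original comment and not code from kio or kdelibs4. The names `sanitizeForPac`, `resolveProxy` and `whatPacSees` are hypothetical, and the sample URLs are constructed.

```javascript
// Added example: helper names are hypothetical, not KDE APIs.

// Reduce a URL to what a PAC script needs to make a routing decision.
function sanitizeForPac(rawUrl) {
  const u = new URL(rawUrl);
  // Credentials and fragments are never needed to pick a proxy.
  u.username = '';
  u.password = '';
  u.hash = '';
  if (u.protocol === 'https:') {
    // Path and query of an https URL are encrypted on the wire, so
    // they must not be handed to PAC code fetched over WPAD either.
    u.pathname = '/';
    u.search = '';
  }
  return u.href;
}

// Call a PAC function with the reduced URL and the bare host name.
function resolveProxy(findProxyForURL, rawUrl) {
  const host = new URL(rawUrl).hostname;
  return findProxyForURL(sanitizeForPac(rawUrl), host);
}

// Constructed stand-in for a PAC script: it only records its arguments,
// so a tester can see exactly what the PAC side would receive.
function whatPacSees(rawUrl) {
  let seen = null;
  const pac = (url, host) => {
    seen = { url, host };
    return 'DIRECT';
  };
  const proxy = resolveProxy(pac, rawUrl);
  return { url: seen.url, host: seen.host, proxy };
}

// Constructed sample URL carrying the three sensitive parts the advisory names.
console.log(whatPacSees('https://alice:s3cret@example.test/reset?token=abc123'));
```
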
Comment 7 David Walser 2017-03-13 00:43:05 CET
Thanks.  What about kio-5.5.0-1.mga5?
Comment 8 Lewis Smith 2017-03-15 22:03:25 CET
1. FWIW PAC = "Proxy auto-config", explained in
 https://en.wikipedia.org/wiki/Proxy_auto-config

2. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6410
is the CVE page. No sample PAC file mentioned from there or the KDE advisory link in Comment 0.

3. Comment 0 gives the correct versions for kio (5.32) & kdelibs4 (4.14.30), but only the latter is cited in Comments 2-5. I do not understand the kio version in Comment 7. Patched for Mageia 5? Certainly we need the kio rpm as well.

It looks as if Konqueror web browser might be an appropriate test vehicle.

CC: (none) => lewyssmith

Comment 9 Dave Hodgins 2017-03-16 20:15:19 CET
Advisory added to svn, but will have to be updated once the kio srpm is updated.

CC: (none) => davidwhodgins

Comment 10 Dave Hodgins 2017-03-21 21:19:32 CET
Removed kio from advisory in svn.
kio is experimental only on Mageia 5.
https://wiki.mageia.org/en/Mageia_5_Errata#KDE_Frameworks_5_.2F_Plasma_5

Without information on how to configure bind or other name servers to return
the malicious PAC file, or the contents of the file, just testing that kdelibs4
is working.

validating the update

Keywords: (none) => validated_update
Whiteboard: (none) => advisory MGA5-64-OK MGA5-32-OK
CC: (none) => sysadmin-bugs

Comment 11 Mageia Robot 2017-03-23 08:20:08 CET
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0079.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2017-03-23 14:02:24 CET

Summary: kio, kdelibs4 new security issue CVE-2017-6410 => kdelibs4 new security issue CVE-2017-6410

