KDE has issued an advisory on February 28:
https://www.kde.org/info/security/advisory-20170228-1.txt

The issue is fixed in kio 5.32 and kdelibs4 4.14.30. Mageia 5 is also affected.
Whiteboard: (none) => MGA5TOO
kio 5.32 is now in cauldron
CC: (none) => mageia
According to distrowatch, the kdelibs4 4.14.30 is now available.
Fixed in cauldron for kdelibs4 too
Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)
pushed in testing
Assignee: kde => bugsquad
SRPMS: kdelibs4-4.14.30-1.mga5
Assignee: bugsquad => qa-bugs
Advisory: Using a malicious PAC file, and then using exfiltration methods in the PAC function FindProxyForURL() enables the attacker to expose full https URLs. This is a security issue since https URLs may contain sensitive information in the URL authentication part (user:password@host), and in the path and the query (e.g. access tokens). This attack can be carried out remotely (over the LAN) since proxy settings allow "Detect Proxy Configuration Automatically". This setting uses WPAD to retrieve the PAC file, and an attacker who has access to the victim's LAN can interfere with the WPAD protocols (DHCP/DNS+HTTP) and inject his/her own malicious PAC instead of the legitimate one.
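The defensive side of the advisory text above, as an added example that is not part of this bug thread and is not KDE's patch: a client can reduce each URL to what a proxy decision needs before calling FindProxyForURL(), so an untrusted PAC script never sees credentials or, for https, the path and query. The helper names and sample URLs are constructed for illustration, and keeping the path for plain http is a design assumption.

```javascript
// Added example; helper names are hypothetical, not taken from kio or kdelibs4.

// Reduce a URL to the parts a PAC script needs for a proxy decision.
function sanitizeUrlForPac(rawUrl) {
  const u = new URL(rawUrl);      // throws TypeError on unparsable input
  u.username = "";                // drop the user:password@ part
  u.password = "";
  u.hash = "";                    // fragments are not needed for proxy selection
  if (u.protocol === "https:" || u.protocol === "wss:") {
    // For TLS schemes the path and query are confidential on the wire,
    // so the PAC script gets scheme://host[:port]/ only.
    u.pathname = "/";
    u.search = "";
  }
  return u.href;
}

// Call a PAC script's FindProxyForURL with sanitized arguments only.
function findProxy(findProxyForURL, rawUrl) {
  const safeUrl = sanitizeUrlForPac(rawUrl);
  const host = new URL(safeUrl).hostname;
  return findProxyForURL(safeUrl, host);
}

// Constructed stand-in for an untrusted PAC script: it records what it was given.
const seenByPac = [];
function recordingPac(url, host) {
  seenByPac.push({ url, host });
  return "DIRECT";
}

// Constructed sample URLs.
const samples = [
  "https://alice:s3cret@shop.example/reset?token=abc123#step2",
  "https://api.example:8443/v1/items?access_token=xyz",
  "http://bob:pw@intranet.example/wiki/page?rev=7",
];
for (const s of samples) findProxy(recordingPac, s);
for (const { url, host } of seenByPac) console.log(host, "->", url);
```

Run against a patched client, a recording PAC function like the one above is also a harmless way to check what FindProxyForURL() actually receives.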
Thanks. What about kio-5.5.0-1.mga5?
1. FWIW PAC = "Proxy auto-config", explained in https://en.wikipedia.org/wiki/Proxy_auto-config
2. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6410 is the CVE page. No sample PAC file mentioned from there or the KDE advisory link in Comment 0.
3. Comment 0 gives the correct versions for kio (5.32) & kdelibs4 (4.14.30), but only the latter is cited in Comments 2-5. I do not understand the kio version in Comment 7. Patched for Mageia 5? Certainly we need the kio rpm as well.

It looks as if Konqueror web browser might be an appropriate test vehicle.
CC: (none) => lewyssmith
Advisory added to svn, but will have to be updated once the kio srpm is updated.
CC: (none) => davidwhodgins
Removed kio from advisory in svn. kio is experimental only on Mageia 5.
https://wiki.mageia.org/en/Mageia_5_Errata#KDE_Frameworks_5_.2F_Plasma_5

Without information on how to configure bind or other name servers to return the malicious PAC file, or the contents of the file, just testing that kdelibs4 is working. Validating the update.
Keywords: (none) => validated_update
Whiteboard: (none) => advisory MGA5-64-OK MGA5-32-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0079.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
Summary: kio, kdelibs4 new security issue CVE-2017-6410 => kdelibs4 new security issue CVE-2017-6410