Bug 20403 - kdelibs4 new security issue CVE-2017-6410
Summary: kdelibs4 new security issue CVE-2017-6410
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: advisory MGA5-64-OK MGA5-32-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2017-03-06 02:16 CET by David Walser
Modified: 2017-03-23 14:02 CET

See Also:
Source RPM: kio-5.29.0-1.mga6.src.rpm, kdelibs4-4.14.27-2.mga6.src.rpm
CVE:
Status comment:


Description David Walser 2017-03-06 02:16:58 CET
KDE has issued an advisory on February 28:
https://www.kde.org/info/security/advisory-20170228-1.txt

The issue is fixed in kio 5.32 and kdelibs4 4.14.30.  Mageia 5 is also affected.
Comment 1 Nicolas Lécureuil 2017-03-07 18:18:10 CET
kio 5.32 is now in cauldron
Comment 2 David Walser 2017-03-10 12:01:27 CET
According to distrowatch, the kdelibs4 4.14.30 is now available.
Comment 3 Nicolas Lécureuil 2017-03-12 09:15:09 CET
Fixed in cauldron for kdelibs4 too
Comment 4 Nicolas Lécureuil 2017-03-12 23:42:12 CET
pushed in testing
Comment 5 Nicolas Lécureuil 2017-03-12 23:58:48 CET
SRPMS: kdelibs4-4.14.30-1.mga5
Comment 6 Nicolas Lécureuil 2017-03-12 23:59:25 CET
Advisory:

Using a malicious PAC file, and then using exfiltration methods in the PAC
function FindProxyForURL() enables the attacker to expose full https URLs.

This is a security issue since https URLs may contain sensitive
information in the URL authentication part (user:password@host), and in the
path and the query (e.g. access tokens).

This attack can be carried out remotely (over the LAN) since proxy settings
allow “Detect Proxy Configuration Automatically”.
This setting uses WPAD to retrieve the PAC file, and an attacker who has access
to the victim’s LAN can interfere with the WPAD protocols (DHCP/DNS+HTTP)
and inject his/her own malicious PAC instead of the legitimate one.
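
The exposure described in the advisory above, seen from the defender's side, as an added example that is not part of the original comment and is not the kio/kdelibs4 code: it shows which string reaches `FindProxyForURL()` with and without sanitizing the URL first. The helper names, the sample URL and the policy (always drop credentials; for https also drop path and query) are assumptions made for illustration.

```javascript
// Added illustration, not the kio/kdelibs4 patch. All names are hypothetical.

// Reduce a URL to what a PAC script needs for a routing decision.
// Assumed policy: credentials and fragment are always removed; for https,
// path and query are removed too, leaving scheme, host and port.
function sanitizeForPac(rawUrl) {
  const u = new URL(rawUrl);
  u.username = '';
  u.password = '';
  u.hash = '';
  if (u.protocol === 'https:') {
    u.pathname = '/';
    u.search = '';
  }
  return u.toString();
}

// Stand-in for a PAC script: it only records its arguments, so we can see
// exactly what any PAC script (trusted or not) would be able to read.
function makeRecordingPac() {
  const seen = [];
  return {
    seen,
    FindProxyForURL(url, host) {
      seen.push({ url, host });
      return 'DIRECT';
    },
  };
}

// Caller side: decide what the PAC function gets to see.
function resolveProxy(pac, rawUrl, sanitize) {
  const host = new URL(rawUrl).hostname;
  const arg = sanitize ? sanitizeForPac(rawUrl) : rawUrl;
  return pac.FindProxyForURL(arg, host);
}

// Constructed sample URL carrying credentials and a token in the query.
const SAMPLE_URL = 'https://alice:s3cret@example.test/reset?token=abc123';

function demo() {
  const pac = makeRecordingPac();
  resolveProxy(pac, SAMPLE_URL, false); // full URL reaches the PAC script
  resolveProxy(pac, SAMPLE_URL, true);  // only scheme and host reach it
  return pac.seen.map((entry) => entry.url);
}

console.log(demo());
```
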
Comment 7 David Walser 2017-03-13 00:43:05 CET
Thanks.  What about kio-5.5.0-1.mga5?
Comment 8 Lewis Smith 2017-03-15 22:03:25 CET
1. FWIW PAC = "Proxy auto-config", explained in
 https://en.wikipedia.org/wiki/Proxy_auto-config

2. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6410
is the CVE page. No sample PAC file mentioned from there or the KDE advisory link in Comment 0.

3. Comment 0 gives the correct versions for kio (5.32) & kdelibs4 (4.14.30), but only the latter is cited in Comments 2-5. I do not understand the kio version in Comment 7. Patched for Mageia 5? Certainly we need the kio rpm as well.

It looks as if Konqueror web browser might be an appropriate test vehicle.
Comment 9 Dave Hodgins 2017-03-16 20:15:19 CET
Advisory added to svn, but will have to be updated once the kio srpm is updated.
Comment 10 Dave Hodgins 2017-03-21 21:19:32 CET
Removed kio from advisory in svn.
kio is experimental only on Mageia 5.
https://wiki.mageia.org/en/Mageia_5_Errata#KDE_Frameworks_5_.2F_Plasma_5

Without information on how to configure bind or other name servers to return
the malicious PAC file, or the contents of the file, just testing that kdelibs4
is working.

validating the update
Comment 11 Mageia Robot 2017-03-23 08:20:08 CET
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0079.html
