Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 611256

Summary: <kde-frameworks/kio-5.32: Information Leak when accessing https when using a malicious PAC file
Product: Gentoo Linux Reporter: Johannes Huber (RETIRED) <johu>
Component: StabilizationAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal Flags: stable-bot: sanity-check+
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://commits.kde.org/kio/f9d0cb47cf94e209f6171ac0e8d774e68156a6e4
Whiteboard: A4 [noglsa cve]
Package list:
=kde-frameworks/kio-5.29.0-r1
 Runtime testing required: ---

Description Johannes Huber (RETIRED) gentoo-dev 2017-02-28 20:29:20 UTC 
Using a malicious PAC file, and then using exfiltration methods in the PAC
function FindProxyForURL() enables the attacker to expose full https URLs.

This is a security issue since https URLs may contain sensitive
information in the URL authentication part (user:password@host), and in the
path and the query (e.g. access tokens).

This attack can be carried out remotely (over the LAN) since proxy settings
allow “Detect Proxy Configuration Automatically”.
This setting uses WPAD to retrieve the PAC file, and an attacker who has access
to the victim’s LAN can interfere with the WPAD protocols (DHCP/DNS+HTTP)
and inject his/her own malicious PAC instead of the legitimate one.

https://www.kde.org/info/security/advisory-20170228-1.txt
Comment 1 Johannes Huber (RETIRED) gentoo-dev 2017-02-28 21:03:42 UTC 
Patch backported in =kde-frameworks/kio-5.{29,31}.0-r1

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9b4b314b09abdf8166816004850cf357eb48d904
Comment 2 Johannes Huber (RETIRED) gentoo-dev 2017-02-28 21:05:13 UTC 
Dear arches, please stabilize =kde-frameworks/kio-5.29.0-r1. Thanks in advance.
Comment 3 Michael Palimaka (kensington) gentoo-dev 2017-03-02 09:18:29 UTC 
*** Bug 610794 has been marked as a duplicate of this bug. ***
Comment 4 Agostino Sarubbo gentoo-dev 2017-03-02 10:31:56 UTC 
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2017-03-02 10:50:33 UTC 
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 6 Michael Palimaka (kensington) gentoo-dev 2017-03-02 10:57:43 UTC 
Cleanup done.
Comment 7 Aaron Bauman (RETIRED) gentoo-dev 2017-07-15 21:48:31 UTC 
GLSA Vote: No