Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 611256 - <kde-frameworks/kio-5.32: Information Leak when accessing https when using a malicious PAC file
Summary: <kde-frameworks/kio-5.32: Information Leak when accessing https when using a ...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Stabilization (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://commits.kde.org/kio/f9d0cb47c...
Whiteboard: A4 [noglsa cve]
Keywords:
: 610794 (view as bug list)
Depends on:
Blocks:
 
Reported: 2017-02-28 20:29 UTC by Johannes Huber (RETIRED)
Modified: 2017-07-15 21:48 UTC (History)
0 users

See Also:
Package list:
=kde-frameworks/kio-5.29.0-r1
Runtime testing required: ---
stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Johannes Huber (RETIRED) gentoo-dev 2017-02-28 20:29:20 UTC 
Using a malicious PAC file, and then using exfiltration methods in the PAC
function FindProxyForURL() enables the attacker to expose full https URLs.

This is a security issue since https URLs may contain sensitive
information in the URL authentication part (user:password@host), and in the
path and the query (e.g. access tokens).

This attack can be carried out remotely (over the LAN) since proxy settings
allow “Detect Proxy Configuration Automatically”.
This setting uses WPAD to retrieve the PAC file, and an attacker who has access
to the victim’s LAN can interfere with the WPAD protocols (DHCP/DNS+HTTP)
and inject his/her own malicious PAC instead of the legitimate one.

https://www.kde.org/info/security/advisory-20170228-1.txt
Comment 1 Johannes Huber (RETIRED) gentoo-dev 2017-02-28 21:03:42 UTC 
Patch backported in =kde-frameworks/kio-5.{29,31}.0-r1

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9b4b314b09abdf8166816004850cf357eb48d904
Comment 2 Johannes Huber (RETIRED) gentoo-dev 2017-02-28 21:05:13 UTC 
Dear arches, please stabilize =kde-frameworks/kio-5.29.0-r1. Thanks in advance.
Comment 3 Michael Palimaka (kensington) gentoo-dev 2017-03-02 09:18:29 UTC 
*** Bug 610794 has been marked as a duplicate of this bug. ***
Comment 4 Agostino Sarubbo gentoo-dev 2017-03-02 10:31:56 UTC 
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2017-03-02 10:50:33 UTC 
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 6 Michael Palimaka (kensington) gentoo-dev 2017-03-02 10:57:43 UTC 
Cleanup done.
Comment 7 Aaron Bauman (RETIRED) gentoo-dev 2017-07-15 21:48:31 UTC 
GLSA Vote: No