[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
bug#25940: [PATCH] gnu: kio: Fix CVE-2017-6410.
|
From: |
Marius Bakke |
|
Subject: |
bug#25940: [PATCH] gnu: kio: Fix CVE-2017-6410. |
|
Date: |
Fri, 03 Mar 2017 00:22:13 +0100 |
|
User-agent: |
Notmuch/0.23.7 (https://notmuchmail.org) Emacs/25.1.1 (x86_64-unknown-linux-gnu) |
Leo Famulari <address@hidden> writes:
> From 32670b1f90403faad3eb45f69a345777e472d4eb Mon Sep 17 00:00:00 2001
> From: Leo Famulari <address@hidden>
> Date: Thu, 2 Mar 2017 17:35:43 -0500
> Subject: [PATCH] gnu: kio: Fix CVE-2017-6410.
>
> * gnu/packages/patches/kio-CVE-2017-6410.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
> * gnu/packages/kde-frameworks.scm (kio)[source]: Use it.
LGTM. It would be nice to refresh the KDE packages in the near future.
> ---
> gnu/local.mk | 1 +
> gnu/packages/kde-frameworks.scm | 1 +
> gnu/packages/patches/kio-CVE-2017-6410.patch | 53
> ++++++++++++++++++++++++++++
> 3 files changed, 55 insertions(+)
> create mode 100644 gnu/packages/patches/kio-CVE-2017-6410.patch
>
> diff --git a/gnu/local.mk b/gnu/local.mk
> index 406e0dc96..297b40182 100644
> --- a/gnu/local.mk
> +++ b/gnu/local.mk
> @@ -649,6 +649,7 @@ dist_patch_DATA =
> \
> %D%/packages/patches/jq-CVE-2015-8863.patch \
> %D%/packages/patches/kdbusaddons-kinit-file-name.patch \
> %D%/packages/patches/khmer-use-libraries.patch \
> + %D%/packages/patches/kio-CVE-2017-6410.patch \
> %D%/packages/patches/kmod-module-directory.patch \
> %D%/packages/patches/kobodeluxe-paths.patch \
> %D%/packages/patches/kobodeluxe-enemies-pipe-decl.patch \
> diff --git a/gnu/packages/kde-frameworks.scm b/gnu/packages/kde-frameworks.scm
> index 36c285156..ba4ead2d6 100644
> --- a/gnu/packages/kde-frameworks.scm
> +++ b/gnu/packages/kde-frameworks.scm
> @@ -2206,6 +2206,7 @@ makes starting KDE applications faster and reduces
> memory consumption.")
> "mirror://kde/stable/frameworks/"
> (version-major+minor version) "/"
> name "-" version ".tar.xz"))
> + (patches (search-patches "kio-CVE-2017-6410.patch"))
> (sha256
> (base32
> "1hqc88c2idi9fkb7jy82csb0i740lghv0p2fg1gaglcarjdz7nia"))))
> diff --git a/gnu/packages/patches/kio-CVE-2017-6410.patch
> b/gnu/packages/patches/kio-CVE-2017-6410.patch
> new file mode 100644
> index 000000000..748636f80
> --- /dev/null
> +++ b/gnu/packages/patches/kio-CVE-2017-6410.patch
> @@ -0,0 +1,53 @@
> +Fix CVE-2017-6410, "Information Leak when accessing https when using a
> +malicious PAC file":
> +
> +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6410
> +https://www.kde.org/info/security/advisory-20170228-1.txt
> +
> +Patch copied from upstream source repository:
> +
> +https://cgit.kde.org/kio.git/commit/?id=f9d0cb47cf94e209f6171ac0e8d774e68156a6e4
> +
> +From f9d0cb47cf94e209f6171ac0e8d774e68156a6e4 Mon Sep 17 00:00:00 2001
> +From: Albert Astals Cid <address@hidden>
> +Date: Tue, 28 Feb 2017 19:00:48 +0100
> +Subject: Sanitize URLs before passing them to FindProxyForURL
> +
> +Remove user/password information
> +For https: remove path and query
> +
> +Thanks to safebreach.com for reporting the problem
> +
> +CCMAIL: address@hidden
> +CCMAIL: address@hidden
> +CCMAIL: address@hidden
> +---
> + src/kpac/script.cpp | 11 +++++++++--
> + 1 file changed, 9 insertions(+), 2 deletions(-)
> +
> +diff --git a/src/kpac/script.cpp b/src/kpac/script.cpp
> +index a0235f7..2485c54 100644
> +--- a/src/kpac/script.cpp
> ++++ b/src/kpac/script.cpp
> +@@ -754,9 +754,16 @@ QString Script::evaluate(const QUrl &url)
> + }
> + }
> +
> ++ QUrl cleanUrl = url;
> ++ cleanUrl.setUserInfo(QString());
> ++ if (cleanUrl.scheme() == QLatin1String("https")) {
> ++ cleanUrl.setPath(QString());
> ++ cleanUrl.setQuery(QString());
> ++ }
> ++
> + QScriptValueList args;
> +- args << url.url();
> +- args << url.host();
> ++ args << cleanUrl.url();
> ++ args << cleanUrl.host();
> +
> + QScriptValue result = func.call(QScriptValue(), args);
> + if (result.isError()) {
> +--
> +cgit v0.11.2
> +
> --
> 2.12.0
signature.asc
Description: PGP signature