Ubuntu
kio package

kio: Information Leak when accessing https when using a malicious PAC file

Bug #1668871 reported by wens
262
This bug affects 1 person
Affects Status Importance Assigned to Milestone
kde4libs (Ubuntu)
Fix Released
Undecided
Unassigned
Trusty
Fix Released
Undecided
Unassigned
Xenial
Fix Released
Undecided
Unassigned
Yakkety
Fix Released
Undecided
Unassigned
Zesty
Fix Released
Undecided
Unassigned
kio (Ubuntu)
Fix Released
Undecided
Unassigned
Xenial
Fix Released
Undecided
Unassigned
Yakkety
Fix Released
Undecided
Unassigned
Zesty
Fix Released
Undecided
Unassigned

Bug Description

KDE Project Security Advisory
=============================

Title: kio: Information Leak when accessing https when using a malicious PAC file
Risk Rating: Medium
CVE: TBC
Versions: kio < 5.32, kdelibs < 4.14.30
Date: 28 February 2017

Overview
========
Using a malicious PAC file, and then using exfiltration methods in the PAC
function FindProxyForURL() enables the attacker to expose full https URLs.

This is a security issue since https URLs may contain sensitive
information in the URL authentication part (user:password@host), and in the
path and the query (e.g. access tokens).

This attack can be carried out remotely (over the LAN) since proxy settings
allow “Detect Proxy Configuration Automatically”.
This setting uses WPAD to retrieve the PAC file, and an attacker who has access
to the victim’s LAN can interfere with the WPAD protocols (DHCP/DNS+HTTP)
and inject his/her own malicious PAC instead of the legitimate one.

Solution
========
Update to kio >= 5.32 and kdelibs >= 4.14.30 (when released)

Or apply the following patches:
    kio: https://commits.kde.org/kio/f9d0cb47cf94e209f6171ac0e8d774e68156a6e4
kdelibs: https://commits.kde.org/kdelibs/1804c2fde7bf4e432c6cf5bb8cce5701c7010559

Credits
=======
Thanks to Safebreach Labs researchers Itzik Kotler, Yonatan Fridburg
and Amit Klein.

Tags: patch kubuntu

CVE References

wens (alex-volegov)
information type: Private Security → Public Security
wens (alex-volegov)
tags: added: kubuntu
Rik Mills (rikmills)
no longer affects: kio (Ubuntu Trusty)
Revision history for this message
vishnunaini (visred) wrote :

Added kio-yakkety-debdiff.patch

Changed in kde4libs (Ubuntu Yakkety):
status: New → Confirmed
Changed in kio (Ubuntu Yakkety):
status: New → Confirmed
Revision history for this message
vishnunaini (visred) wrote :

Added kde4libs-yakkety-debdiff.patch

Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "kio-yakkety-debdiff.patch" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Thanks for the debdiffs in comment #1 and #2. Packages are building now with a slight changelog whitespace change and will be released as security updates.

Revision history for this message
vishnunaini (visred) wrote :

Why did the kde4libs amd64 build in ubuntu-security-proposed fail? It built fine in my ppa.

my ppa: https://launchpad.net/~visred/+archive/ubuntu/rel-ppa/+packages

https://launchpad.net/~visred/+archive/ubuntu/rel-ppa/+build/12070850

ubuntu-security-proposed build: https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+build/12071418

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

There was no build log, probably a launchpad failure. I've mashed the retry button.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package kio - 5.26.0-0ubuntu2.1

---------------
kio (5.26.0-0ubuntu2.1) yakkety-security; urgency=medium

  * SECURITY UPDATE:Information Leak when accessing https when using a
    malicious PAC file
      - debian/patches/kio-sanitize-url-to-FindProxyForURL.patch
      - Thanks to Safebreach Labs researchers Safebreach Labs researchers
        Itzik Kotler, Yonatan Fridburg and Amit Klein for reporting this
        issue, Albert Astals Cid for fixing this issue.
      - No CVE number.
      - fixes (LP: #1668871)

 -- <email address hidden> (v.naini) Wed, 01 Mar 2017 14:28:14 +0530

Changed in kio (Ubuntu Yakkety):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package kde4libs - 4:4.14.22-0ubuntu2.1

---------------
kde4libs (4:4.14.22-0ubuntu2.1) yakkety-security; urgency=medium

  * SECURITY UPDATE:Information Leak when accessing https when using a
    malicious PAC file
      - debian/patches/kio-sanitize-url-to-FindProxyForURL.patch
      - Thanks to Safebreach Labs researchers Safebreach Labs researchers
        Itzik Kotler, Yonatan Fridburg and Amit Klein for reporting this
        issue, Albert Astals Cid for fixing this issue.
      - No CVE number.
      - fixes (LP: #1668871)

 -- <email address hidden> (v.naini) Wed, 01 Mar 2017 14:38:27 +0530

Changed in kde4libs (Ubuntu Yakkety):
status: Confirmed → Fix Released
Revision history for this message
vishnunaini (visred) wrote :

debdiff for kio in xenial is attached.

Revision history for this message
vishnunaini (visred) wrote :

debdiff for kde4libs in xenial is attached.

Changed in kio (Ubuntu Xenial):
status: New → Confirmed
Changed in kde4libs (Ubuntu Xenial):
status: New → Confirmed
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

ACK on the debdiffs in comments #9 and #10. Packages are building with a changelog whitespace and pocket change and will be released as security updates. Thanks!

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package kde4libs - 4:4.14.16-0ubuntu3.1

---------------
kde4libs (4:4.14.16-0ubuntu3.1) xenial-security; urgency=medium

  * SECURITY UPDATE:Information Leak when accessing https when using a
    malicious PAC file
    - debian/patches/kio-sanitize-url-to-FindProxyForURL.patch
    - Thanks to Safebreach Labs researchers Itzik Kotler, Yonatan Fridburg
      and Amit Klein for reporting this issue, Albert Astals Cid for fixing
      this issue.
    - No CVE number.
    - fixes (LP: #1668871)

 -- <email address hidden> (v.naini) Thu, 02 Mar 2017 21:43:06 +0530

Changed in kde4libs (Ubuntu Xenial):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package kio - 5.18.0-0ubuntu1.1

---------------
kio (5.18.0-0ubuntu1.1) xenial-security; urgency=medium

  * SECURITY UPDATE:Information Leak when accessing https when using a
    malicious PAC file
    - debian/patches/kio-sanitize-url-to-FindProxyForURL.patch
    - Thanks to Safebreach Labs researchers Itzik Kotler, Yonatan Fridburg
      and Amit Klein for reporting this issue, Albert Astals Cid for fixing
      this issue.
    - No CVE number.
    - fixes (LP: #1668871)

 -- <email address hidden> (v.naini) Thu, 02 Mar 2017 21:17:20 +0530

Changed in kio (Ubuntu Xenial):
status: Confirmed → Fix Released
vishnunaini (visred)
Changed in kde4libs (Ubuntu Zesty):
status: New → Confirmed
Changed in kio (Ubuntu Zesty):
status: New → Confirmed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package kio - 5.31.0-0ubuntu2

---------------
kio (5.31.0-0ubuntu2) zesty; urgency=medium

  * SECURITY UPDATE:Information Leak when accessing https when using a
    malicious PAC file
      - debian/patches/kio-sanitize-url-to-FindProxyForURL.patch
      - Thanks to Safebreach Labs researchers Safebreach Labs researchers
        Itzik Kotler, Yonatan Fridburg and Amit Klein for reporting this
        issue, Albert Astals Cid for fixing this issue.
      - No CVE number.
      - fixes (LP: #1668871)

 -- Rik Mills <email address hidden> Thu, 02 Mar 2017 21:55:03 +0000

Changed in kio (Ubuntu Zesty):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package kde4libs - 4:4.14.28-0ubuntu3

---------------
kde4libs (4:4.14.28-0ubuntu3) zesty; urgency=medium

  * SECURITY UPDATE:Information Leak when accessing https when using a
    malicious PAC file
     - debian/patches/kio-sanitize-url-to-FindProxyForURL.patch
     - Thanks to Safebreach Labs researchers Safebreach Labs researchers
        Itzik Kotler, Yonatan Fridburg and Amit Klein for reporting this
        issue, Albert Astals Cid for fixing this issue.
      - No CVE number.
      - fixes (LP: #1668871)

 -- Rik Mills <email address hidden> Sat, 04 Mar 2017 10:07:23 +0000

Changed in kde4libs (Ubuntu Zesty):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package kde4libs - 4:4.13.3-0ubuntu0.4

---------------
kde4libs (4:4.13.3-0ubuntu0.4) trusty-security; urgency=medium

  * SECURITY UPDATE: information leak via crafted PAC file (LP: #1668871)
    - debian/patches/CVE-2017-6410.patch: sanitize URLs in
      kio/misc/kpac/script.cpp.
    - CVE-2017-6410

 -- Marc Deslauriers <email address hidden> Wed, 08 Mar 2017 10:25:45 -0500

Changed in kde4libs (Ubuntu Trusty):
status: New → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.