
Bug#856890: marked as done (kde4libs: CVE-2017-6410: Information Leak when accessing https when using a malicious PAC file)



Your message dated Sat, 27 May 2017 12:32:43 +0000
with message-id <E1dEatf-000IwX-Ga@fasolo.debian.org>
and subject line Bug#856890: fixed in kde4libs 4:4.14.2-5+deb8u2
has caused the Debian Bug report #856890,
regarding kde4libs: CVE-2017-6410: Information Leak when accessing https when using a malicious PAC file
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
856890: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856890
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: kde4libs
Version: 4:4.14.26-1
Severity: important
Tags: upstream patch security

Hi,

the following vulnerability was published for kde4libs.

CVE-2017-6410[0]:
| kpac/script.cpp in KDE kio before 5.32 and kdelibs before 4.14.30 calls
| the PAC FindProxyForURL function with a full https URL (potentially
| including Basic Authentication credentials, a query string, or
| PATH_INFO), which allows remote attackers to obtain sensitive
| information via a crafted PAC file.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-6410
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6410
[1] https://commits.kde.org/kdelibs/1804c2fde7bf4e432c6cf5bb8cce5701c7010559
[2] https://www.kde.org/info/security/advisory-20170228-1.txt

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: kde4libs
Source-Version: 4:4.14.2-5+deb8u2

We believe that the bug you reported is fixed in the latest version of
kde4libs, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 856890@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated kde4libs package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Thu, 11 May 2017 14:33:29 +0200
Source: kde4libs
Binary: libkdecore5 libkdeui5 libkpty4 libkdesu5 libkjsapi4 libkjsembed4 libkio5 libkntlm4 libsolid4 libkde3support4 libkfile4 libknewstuff2-4 libknewstuff3-4 libkparts4 libkutils4 libthreadweaver4 libkhtml5 libkimproxy4 libkmediaplayer4 libktexteditor4 libknotifyconfig4 libkdnssd4 libkrosscore4 libkrossui4 libnepomuk4 libnepomukutils4 libnepomukquery4a libplasma3 libkunitconversion4 libkdewebkit5 libkcmutils4 libkemoticons4 libkidletime4 libkprintutils4 libkdeclarative5 kdelibs-bin kdelibs5-plugins kdelibs5-data kdoctools kdelibs5-dev kdelibs5-dbg
Architecture: all source
Version: 4:4.14.2-5+deb8u2
Distribution: jessie-security
Urgency: high
Maintainer: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 856890
Description: 
 kdelibs-bin - core executables for KDE Applications
 kdelibs5-data - core shared data for all KDE Applications
 kdelibs5-dbg - debugging symbols for the KDE Development Platform libraries
 kdelibs5-dev - development files for the KDE Development Platform libraries
 kdelibs5-plugins - core plugins for KDE Applications
 kdoctools  - various tools for accessing application documentation
 libkcmutils4 - utility classes for using KCM modules
 libkde3support4 - KDE 3 Support Library for the KDE 4 Platform
 libkdeclarative5 - declarative library for plasma
 libkdecore5 - KDE Platform Core Library
 libkdesu5  - Console-mode Authentication Library for the KDE Platform
 libkdeui5  - KDE Platform User Interface Library
 libkdewebkit5 - KDE WebKit Library
 libkdnssd4 - DNS-SD Protocol Library for the KDE Platform
 libkemoticons4 - utility classes to deal with emoticon themes
 libkfile4  - File Selection Dialog Library for KDE Platform
 libkhtml5  - KHTML Web Content Rendering Engine
 libkidletime4 - library to provide information about idle time
 libkimproxy4 - Instant Messaging Interface Library for the KDE Platform
 libkio5    - Network-enabled File Management Library for the KDE Platform
 libkjsapi4 - KJS API Library for the KDE Development Platform
 libkjsembed4 - library for binding JavaScript objects to QObjects
 libkmediaplayer4 - KMediaPlayer Interface for the KDE Platform
 libknewstuff2-4 - "Get Hot New Stuff" v2 Library for the KDE Platform
 libknewstuff3-4 - "Get Hot New Stuff" v3 Library for the KDE Platform
 libknotifyconfig4 - library for configuring KDE Notifications
 libkntlm4  - NTLM Authentication Library for the KDE Platform
 libkparts4 - Framework for the KDE Platform Graphical Components
 libkprintutils4 - utility classes to deal with printing
 libkpty4   - Pseudo Terminal Library for the KDE Platform
 libkrosscore4 - Kross Core Library
 libkrossui4 - Kross UI Library
 libktexteditor4 - KTextEditor interfaces for the KDE Platform
 libkunitconversion4 - Unit Conversion library for the KDE Platform
 libkutils4 - dummy transitional library
 libnepomuk4 - Nepomuk Meta Data Library
 libnepomukquery4a - Nepomuk Query Library for the KDE Platform
 libnepomukutils4 - Nepomuk Utility Library
 libplasma3 - Plasma Library for the KDE Platform
 libsolid4  - Solid Library for KDE Platform
 libthreadweaver4 - ThreadWeaver Library for the KDE Platform
Changes:
 kde4libs (4:4.14.2-5+deb8u2) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Sanitize URLs before passing them to FindProxyForURL (CVE-2017-6410)
     (Closes: #856890)
   * Verify that whoever is calling us is actually who he says he is
     (CVE-2017-8422)


--- End Message ---
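As an added example, not code from kdelibs, the upstream commit, or either message above: a hypothetical C++ helper, sanitizeUrlForPac, that reduces an https URL to scheme://host[:port]/ before it would be handed to a PAC script's FindProxyForURL. It models the behaviour the changelog entry "Sanitize URLs before passing them to FindProxyForURL" describes for the CVE-2017-6410 case (credentials, query string and path no longer reach the script); leaving non-https URLs unchanged is an assumption of this example, and the sample URLs are constructed.

```cpp
#include <cctype>
#include <iostream>
#include <string>

// Hypothetical helper (not the kpac/script.cpp fix): strip userinfo,
// path, query and fragment from an https URL so only
// "https://host[:port]/" is visible to FindProxyForURL.
// Non-https URLs are returned unchanged (an assumption of this example).
std::string sanitizeUrlForPac(const std::string& url) {
    const std::string marker = "://";
    const std::string::size_type schemeEnd = url.find(marker);
    if (schemeEnd == std::string::npos) {
        return url;  // not an absolute URL; nothing to strip
    }
    std::string scheme = url.substr(0, schemeEnd);
    for (char& c : scheme) {
        c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    }
    if (scheme != "https") {
        return url;
    }
    const std::string::size_type authStart = schemeEnd + marker.size();
    // Authority ends at the first path, query or fragment delimiter.
    const std::string::size_type authEnd = url.find_first_of("/?#", authStart);
    std::string authority = (authEnd == std::string::npos)
        ? url.substr(authStart)
        : url.substr(authStart, authEnd - authStart);
    // Drop "user:password@" if present; rfind keeps IPv6 literals intact.
    const std::string::size_type at = authority.rfind('@');
    if (at != std::string::npos) {
        authority = authority.substr(at + 1);
    }
    return "https://" + authority + "/";
}

int main() {
    // Constructed sample: credentials, path and query would all have
    // reached the PAC script before the fix.
    const std::string leaky =
        "https://alice:s3cret@example.org:8443/private/report?id=42#top";
    std::cout << "before: " << leaky << "\n"
              << "after:  " << sanitizeUrlForPac(leaky) << "\n";
    return 0;
}
```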