
Bug#856889: marked as done (kio: CVE-2017-6410: Information Leak when accessing https when using a malicious PAC file)



Your message dated Wed, 05 Apr 2017 08:49:29 +0000
with message-id <E1cvgd7-0007k1-HO@fasolo.debian.org>
and subject line Bug#856889: fixed in kio 5.28.0-2
has caused the Debian Bug report #856889,
regarding kio: CVE-2017-6410: Information Leak when accessing https when using a malicious PAC file
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
856889: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856889
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: kio
Version: 5.22.0-1
Severity: important
Tags: patch upstream security

Hi,

the following vulnerability was published for kio.

CVE-2017-6410[0]:
| kpac/script.cpp in KDE kio before 5.32 and kdelibs before 4.14.30 calls
| the PAC FindProxyForURL function with a full https URL (potentially
| including Basic Authentication credentials, a query string, or
| PATH_INFO), which allows remote attackers to obtain sensitive
| information via a crafted PAC file.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-6410
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6410
[1] https://commits.kde.org/kio/f9d0cb47cf94e209f6171ac0e8d774e68156a6e4
[2] https://www.kde.org/info/security/advisory-20170228-1.txt

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: kio
Source-Version: 5.28.0-2

We believe that the bug you reported is fixed in the latest version of
kio, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 856889@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Maximiliano Curia <maxy@debian.org> (supplier of updated kio package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Wed, 05 Apr 2017 10:10:59 +0200
Source: kio
Binary: libkf5kio-dev kio libkf5kiocore5 libkf5kiofilewidgets5 libkf5kiogui5 libkf5kiontlm5 libkf5kiowidgets5 kio-dev
Architecture: source
Version: 5.28.0-2
Distribution: unstable
Urgency: medium
Maintainer: Debian/Kubuntu Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Maximiliano Curia <maxy@debian.org>
Description:
 kio        - Resource and network access abstraction
 kio-dev    - transitional dummy package
 libkf5kio-dev - Resource and network access abstraction
 libkf5kiocore5 - Resource and network access abstraction
 libkf5kiofilewidgets5 - Resource and network access abstraction
 libkf5kiogui5 - Resource and network access abstraction
 libkf5kiontlm5 - Resource and network access abstraction
 libkf5kiowidgets5 - Resource and network access abstraction
Closes: 856889
Changes:
 kio (5.28.0-2) unstable; urgency=medium
 .
   * Add new upstream patches, to improve file dialog's list:
     Never-stretch-the-last-date-column-in-the-file-dialog.patch,
     Also-change-the-resize-mode-the-other-way.patch and
   * Add new upstream patch:
     Allow-uppercase-checksums-matching-in-Checksums-tab.patch
   * Add new upstream patches to fix the way the flags are being passed:
     ForwardingSlaveBase-fix-passing-of-Overwrite-flag-to-kio_.patch,
     ForwardingSlaveBase-fix-passing-of-Overwrite-flag-to-kio_.patch
   * Add new upstream patch:
     kssl-Ensure-user-certificate-directory-has-been-created-b.patch
   * Add new upstream patch:
     Fix-memleak-in-KDynamicJobTracker-KWidgetJobTracker-needs.patch
   * Add new upstream patch:
     Fix-parsing-of-directories-listing-on-a-specific-ftp-serv.patch
   * Add new upstream patch for CVE-2017-6410:
     Sanitize-URLs-before-passing-them-to-FindProxyForURL.patch.
     Thanks to Salvatore Bonaccorso for reporting (Closes: 856889)
   * Add new upstream patch: keep-query-encoding-when-HTTP-Proxy-is-used.patch
   * Add new upstream patch: kioexec-fix-support-for-suggestedfilename.patch
   * Add new upstream patch, to fix the testsuite:
     Fix-KDynamicJobTrackerTest-for-linkers-dropping-linked-li.patch
Checksums-Sha1:
 dad37440cfd7e132277010105903c3d43e03d2f6 3427 kio_5.28.0-2.dsc
 b97f77b7a9fca1281693d6485485c4b7502f52de 43652 kio_5.28.0-2.debian.tar.xz
 a90be6f27ec9671ee4310ecd83e0ce994fdd2998 13458 kio_5.28.0-2_source.buildinfo
Checksums-Sha256:
 246ca79a15f5132ba0416dbc35b72bdc3e7c08f67dbb5f77085198c5feea1d97 3427 kio_5.28.0-2.dsc
 200e94cc7126e282d65ef81bf1fdf8ffbe4800e8168d0421f72a545e798ddd25 43652 kio_5.28.0-2.debian.tar.xz
 fd4bcc88ac23005c37cc0d1fdfaeb5ae41f507784795575b1a870bb0be65b1ec 13458 kio_5.28.0-2_source.buildinfo
Files:
 32ffad36554ef6742f5a562ff2b0885d 3427 libs optional kio_5.28.0-2.dsc
 cc96732d3eefde5ed613daccef5f369c 43652 libs optional kio_5.28.0-2.debian.tar.xz
 0bab5e9ebea61e4cec84528bce2e46f5 13458 libs optional kio_5.28.0-2_source.buildinfo


--- End Message ---
