group.of.nepali.translators team mailing list archive

Thread
Date

[Bug 1668871] Re: kio: Information Leak when accessing https when using a malicious PAC file

To: group.of.nepali.translators@xxxxxxxxxxxxxxxxxxx
From: Launchpad Bug Tracker <1668871@xxxxxxxxxxxxxxxxxx>
Date: Fri, 03 Mar 2017 09:28:30 -0000
Reply-to: Bug 1668871 <1668871@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

This bug was fixed in the package kio - 5.31.0-0ubuntu2

---------------
kio (5.31.0-0ubuntu2) zesty; urgency=medium

  * SECURITY UPDATE:Information Leak when accessing https when using a
    malicious PAC file
      - debian/patches/kio-sanitize-url-to-FindProxyForURL.patch
      - Thanks to Safebreach Labs researchers Safebreach Labs researchers
        Itzik Kotler, Yonatan Fridburg and Amit Klein for reporting this
        issue, Albert Astals Cid for fixing this issue.
      - No CVE number.
      - fixes (LP: #1668871)

 -- Rik Mills <rikmills@xxxxxxxxxxx>  Thu, 02 Mar 2017 21:55:03 +0000

** Changed in: kio (Ubuntu Zesty)
       Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1668871

Title:
  kio: Information Leak when accessing https when using a malicious PAC
  file

Status in kde4libs package in Ubuntu:
  Confirmed
Status in kio package in Ubuntu:
  Fix Released
Status in kde4libs source package in Trusty:
  New
Status in kde4libs source package in Xenial:
  Fix Released
Status in kio source package in Xenial:
  Fix Released
Status in kde4libs source package in Yakkety:
  Fix Released
Status in kio source package in Yakkety:
  Fix Released
Status in kde4libs source package in Zesty:
  Confirmed
Status in kio source package in Zesty:
  Fix Released

Bug description:
  KDE Project Security Advisory
  =============================

  Title:          kio: Information Leak when accessing https when using a malicious PAC file
  Risk Rating:    Medium
  CVE:            TBC
  Versions:       kio < 5.32, kdelibs < 4.14.30
  Date:           28 February 2017

  
  Overview
  ========
  Using a malicious PAC file, and then using exfiltration methods in the PAC
  function FindProxyForURL() enables the attacker to expose full https URLs.

  This is a security issue since https URLs may contain sensitive
  information in the URL authentication part (user:password@host), and in the
  path and the query (e.g. access tokens).

  This attack can be carried out remotely (over the LAN) since proxy settings
  allow “Detect Proxy Configuration Automatically”.
  This setting uses WPAD to retrieve the PAC file, and an attacker who has access
  to the victim’s LAN can interfere with the WPAD protocols (DHCP/DNS+HTTP)
  and inject his/her own malicious PAC instead of the legitimate one.

  Solution
  ========
  Update to kio >= 5.32 and kdelibs >= 4.14.30 (when released)

  Or apply the following patches:
      kio: https://commits.kde.org/kio/f9d0cb47cf94e209f6171ac0e8d774e68156a6e4
  kdelibs: https://commits.kde.org/kdelibs/1804c2fde7bf4e432c6cf5bb8cce5701c7010559

  Credits
  =======
  Thanks to Safebreach Labs researchers Itzik Kotler, Yonatan Fridburg
  and Amit Klein.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/kde4libs/+bug/1668871/+subscriptions