svn commit: r435895 - head/security/vuxml
Tobias C. Berner
tcberner at FreeBSD.org
Sat Mar 11 10:28:24 UTC 2017
Author: tcberner
Date: Sat Mar 11 10:28:22 2017
New Revision: 435895
URL: https://svnweb.freebsd.org/changeset/ports/435895
Log:
Adress CVE-2017-6410 in devel/kf5-kio and x11/kdelibs4
Using a malicious PAC file, and then using exfiltration methods in the PAC
function FindProxyForURL() enables the attacker to expose full https URLs.
This is a security issue since https URLs may contain sensitive
information in the URL authentication part (user:password at host), and in the
path and the query (e.g. access tokens).
This attack can be carried out remotely (over the LAN) since proxy settings
allow ``Detect Proxy Configuration Automatically''
This setting uses WPAD to retrieve the PAC file, and an attacker who has access
to the victim's LAN can interfere with the WPAD protocols (DHCP/DNS+HTTP)
and inject his/her own malicious PAC instead of the legitimate one.
Reviewed by: mat, rakuco
Approved by: rakuco (mentor), mat (mentor)
Obtained from: https://marc.info/?l=kde-announce&m=148831226706885&w=2
MFH: 2017Q1
Security: CVE-2017-6410
Differential Revision: https://reviews.freebsd.org/D9908
Modified:
head/security/vuxml/vuln.xml
Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml Sat Mar 11 09:44:20 2017 (r435894)
+++ head/security/vuxml/vuln.xml Sat Mar 11 10:28:22 2017 (r435895)
@@ -58,6 +58,44 @@ Notes:
* Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="f714d8ab-028e-11e7-8042-50e549ebab6c">
+ <topic>kio: Information Leak when accessing https when using a malicious PAC file</topic>
+ <affects>
+ <package>
+ <name>kdelibs</name>
+ <range><lt>4.14.29_10</lt></range>
+ </package>
+ <package>
+ <name>kf5-kio</name>
+ <range><lt>5.31.0_1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Albert Astals Cid reports:</p>
+ <blockquote cite="https://www.kde.org/info/security/advisory-20170228-1.txt">
+ <p>Using a malicious PAC file, and then using exfiltration methods in the PAC
+ function FindProxyForURL() enables the attacker to expose full https URLs.</p>
+ <p>This is a security issue since https URLs may contain sensitive
+ information in the URL authentication part (user:password at host), and in the
+ path and the query (e.g. access tokens).</p>
+ <p>This attack can be carried out remotely (over the LAN) since proxy settings
+ allow "Detect Proxy Configuration Automatically".
+ This setting uses WPAD to retrieve the PAC file, and an attacker who has access
+ to the victim's LAN can interfere with the WPAD protocols (DHCP/DNS+HTTP)
+ and inject his/her own malicious PAC instead of the legitimate one.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://www.kde.org/info/security/advisory-20170228-1.txt</url>
+ </references>
+ <dates>
+ <discovery>2017-02-28</discovery>
+ <entry>2017-03-11</entry>
+ </dates>
+ </vuln>
+
<vuln vid="82752070-0349-11e7-b48d-00e04c1ea73d">
<topic>wordpress -- multiple vulnerabilities</topic>
<affects>
More information about the svn-ports-all
mailing list