MFH: r435896 r431563

Adress CVE-2017-6410 in devel/kf5-kio and x11/kdelibs4 Using a malicious PAC file, and then using exfiltration methods in the PAC function FindProxyForURL() enables the attacker to expose full https URLs. This is a security issue since https URLs may contain sensitive information in the URL authentication part (user:password@host), and in the path and the query (e.g. access tokens). This attack can be carried out remotely (over the LAN) since proxy settings allow ``Detect Proxy Configuration Automatically'' This setting uses WPAD to retrieve the PAC file, and an attacker who has access to the victim's LAN can interfere with the WPAD protocols (DHCP/DNS+HTTP) and inject his/her own malicious PAC instead of the legitimate one. Reviewed by: mat, rakuco Approved by: rakuco (mentor), mat (mentor) Obtained from: https://marc.info/?l=kde-announce&m=148831226706885&w=2 Security: CVE-2017-6410 Differential Revision: https://reviews.freebsd.org/D9908 Centralize all cmake/modules/FindHUNSPELL.cmake patches in one file. While here, note that the addition of hunspell-1.6 was done upstream too. Approved by: ports-secteam (junovitch), rakuco (mentor)
author: Tobias C. Berner <tcberner@FreeBSD.org> 2017-03-25 20:39:45 +0000
committer: Tobias C. Berner <tcberner@FreeBSD.org> 2017-03-25 20:39:45 +0000
commit: cd1bd1304605b7ea3b2ec385a8dbb92f3c5623e2 (patch)
tree: 36a91309c34d1b48a254f2fa73a29e11368aa8f9
parent: c24e4019ac9ae0e03d338d05f10ee93e273d27ed (diff)
download: ports-cd1bd1304605b7ea3b2ec385a8dbb92f3c5623e2.tar.gz
ports-cd1bd1304605b7ea3b2ec385a8dbb92f3c5623e2.zip
6 files changed, 93 insertions, 14 deletions
diff --git a/devel/kf5-kio/Makefile b/devel/kf5-kio/Makefile
index fe4383568c2a..b89feb9c3a90 100644
--- a/devel/kf5-kio/Makefile
+++ b/devel/kf5-kio/Makefile
@@ -3,6 +3,7 @@
 
 PORTNAME=	kio
 PORTVERSION=	${KDE_FRAMEWORKS_VERSION}
+PORTREVISION=	1
 CATEGORIES=	devel kde kde-frameworks
 
 MAINTAINER=	kde@FreeBSD.org
diff --git a/devel/kf5-kio/files/patch-git_f9d0cb4_cve-2017-6410 b/devel/kf5-kio/files/patch-git_f9d0cb4_cve-2017-6410
new file mode 100644
index 000000000000..77703a9d3a0c
--- /dev/null
+++ b/devel/kf5-kio/files/patch-git_f9d0cb4_cve-2017-6410
@@ -0,0 +1,43 @@
+From f9d0cb47cf94e209f6171ac0e8d774e68156a6e4 Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aacid@kde.org>
+Date: Tue, 28 Feb 2017 19:00:48 +0100
+Subject: [PATCH] Sanitize URLs before passing them to FindProxyForURL
+
+Remove user/password information
+For https: remove path and query
+
+Thanks to safebreach.com for reporting the problem
+
+CCMAIL: yoni.fridburg@safebreach.com
+CCMAIL: amit.klein@safebreach.com
+CCMAIL: itzik.kotler@safebreach.com
+---
+ src/kpac/script.cpp | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/src/kpac/script.cpp b/src/kpac/script.cpp
+index a0235f73..2485c54d 100644
+--- src/kpac/script.cpp
++++ src/kpac/script.cpp
+@@ -754,9 +754,16 @@ QString Script::evaluate(const QUrl &url)
+         }
+     }
+
++    QUrl cleanUrl = url;
++    cleanUrl.setUserInfo(QString());
++    if (cleanUrl.scheme() == QLatin1String("https")) {
++        cleanUrl.setPath(QString());
++        cleanUrl.setQuery(QString());
++    }
++
+     QScriptValueList args;
+-    args << url.url();
+-    args << url.host();
++    args << cleanUrl.url();
++    args << cleanUrl.host();
+
+     QScriptValue result = func.call(QScriptValue(), args);
+     if (result.isError()) {
+--
+2.11.1
+
diff --git a/x11/kdelibs4/Makefile b/x11/kdelibs4/Makefile
index 110110469763..61f6bd85a567 100644
--- a/x11/kdelibs4/Makefile
+++ b/x11/kdelibs4/Makefile
@@ -3,7 +3,7 @@
 
 PORTNAME=	kdelibs
 PORTVERSION=	${KDE4_KDELIBS_VERSION}
-PORTREVISION=	9
+PORTREVISION=	10
 CATEGORIES=	x11 kde
 MASTER_SITES=   KDE/${KDE4_APPLICATIONS_BRANCH}/applications/${KDE4_APPLICATIONS_VERSION}/src
 DIST_SUBDIR=	KDE/${PORTVERSION}
diff --git a/x11/kdelibs4/files/patch-git_2ab2745 b/x11/kdelibs4/files/patch-cmake_modules_FindHUNSPELL.cmake
index 469935807af3..6853675ab016 100644
--- a/x11/kdelibs4/files/patch-git_2ab2745
+++ b/x11/kdelibs4/files/patch-cmake_modules_FindHUNSPELL.cmake
@@ -1,3 +1,11 @@
+Includes the following two upstream commits:
+
+commit c828f8592fcfd6c2a66ebc18a826de38d6a2fef2
+Author: Pino Toscano <pino@kde.org>
+Date:   Sat Dec 31 12:08:59 2016 +0100
+
+    cmake: look for hunspell-1.6 as well
+
 commit 2ab2745eb01f73355c490ac8d5d1837dec84fd6c
 Author: Wolfgang Bauer <wbauer@tmo.at>
 Date:   Thu Oct 20 15:51:29 2016 +0200
@@ -13,7 +21,7 @@ Date:   Thu Oct 20 15:51:29 2016 +0200
  FIND_PATH(HUNSPELL_INCLUDE_DIR hunspell/hunspell.hxx )
  
 -FIND_LIBRARY(HUNSPELL_LIBRARIES NAMES hunspell-1.3 hunspell-1.2)
-+FIND_LIBRARY(HUNSPELL_LIBRARIES NAMES hunspell-2.0 hunspell-1.5 hunspell-1.4 hunspell-1.3 hunspell-1.2)
++FIND_LIBRARY(HUNSPELL_LIBRARIES NAMES hunspell-2.0 hunspell-1.6 hunspell-1.5 hunspell-1.4 hunspell-1.3 hunspell-1.2)
  
  # handle the QUIETLY and REQUIRED arguments and set HUNSPELL_FOUND to TRUE if 
  # all listed variables are TRUE
diff --git a/x11/kdelibs4/files/patch-git_1804c2f_cve-2017-6410 b/x11/kdelibs4/files/patch-git_1804c2f_cve-2017-6410
new file mode 100644
index 000000000000..99bb4b6146d9
--- /dev/null
+++ b/x11/kdelibs4/files/patch-git_1804c2f_cve-2017-6410
@@ -0,0 +1,39 @@
+From 1804c2fde7bf4e432c6cf5bb8cce5701c7010559 Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aacid@kde.org>
+Date: Tue, 28 Feb 2017 19:08:50 +0100
+Subject: [PATCH] Sanitize URLs before passing them to FindProxyForURL
+
+Remove user/password information
+For https: remove path and query
+
+Backport from kio f9d0cb47cf94e209f6171ac0e8d774e68156a6e4
+---
+ kio/misc/kpac/script.cpp | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/kio/misc/kpac/script.cpp b/kio/misc/kpac/script.cpp
+index a595301307..9ab360a0b5 100644
+--- kio/misc/kpac/script.cpp
++++ kio/misc/kpac/script.cpp
+@@ -754,9 +754,16 @@ namespace KPAC
+             }
+         }
+
++        KUrl cleanUrl = url;
++        cleanUrl.setUserInfo(QString());
++        if (cleanUrl.scheme().toLower() == QLatin1String("https")) {
++            cleanUrl.setPath(QString());
++            cleanUrl.setQuery(QString());
++        }
++
+         QScriptValueList args;
+-        args << url.url();
+-        args << url.host();
++        args << cleanUrl.url();
++        args << cleanUrl.host();
+
+         QScriptValue result = func.call(QScriptValue(), args);
+         if (result.isError()) {
+--
+2.11.1
+
diff --git a/x11/kdelibs4/files/patch-z-cmake_modules_FindHUNSPELL.cmake b/x11/kdelibs4/files/patch-z-cmake_modules_FindHUNSPELL.cmake
deleted file mode 100644
index 2c25a58de6b4..000000000000
--- a/x11/kdelibs4/files/patch-z-cmake_modules_FindHUNSPELL.cmake
+++ /dev/null
@@ -1,12 +0,0 @@
---- cmake/modules/FindHUNSPELL.cmake.orig	2015-06-26 03:14:18 UTC
-+++ cmake/modules/FindHUNSPELL.cmake
-@@ -14,7 +14,8 @@ ENDIF (HUNSPELL_INCLUDE_DIR AND HUNSPELL
- 
- FIND_PATH(HUNSPELL_INCLUDE_DIR hunspell/hunspell.hxx )
- 
--FIND_LIBRARY(HUNSPELL_LIBRARIES NAMES hunspell-2.0 hunspell-1.5 hunspell-1.4 hunspell-1.3 hunspell-1.2)
-+FIND_LIBRARY(HUNSPELL_LIBRARIES NAMES hunspell-2.0 hunspell-1.6
-+             hunspell-1.5 hunspell-1.4 hunspell-1.3 hunspell-1.2 hunspell)
- 
- # handle the QUIETLY and REQUIRED arguments and set HUNSPELL_FOUND to TRUE if 
- # all listed variables are TRUE
author	Tobias C. Berner <tcberner@FreeBSD.org>	2017-03-25 20:39:45 +0000
committer	Tobias C. Berner <tcberner@FreeBSD.org>	2017-03-25 20:39:45 +0000
commit	cd1bd1304605b7ea3b2ec385a8dbb92f3c5623e2 (patch)
tree	36a91309c34d1b48a254f2fa73a29e11368aa8f9
parent	c24e4019ac9ae0e03d338d05f10ee93e273d27ed (diff)
download	ports-cd1bd1304605b7ea3b2ec385a8dbb92f3c5623e2.tar.gz ports-cd1bd1304605b7ea3b2ec385a8dbb92f3c5623e2.zip