diff options
author | Tobias C. Berner <tcberner@FreeBSD.org> | 2017-03-25 20:39:45 +0000 |
---|---|---|
committer | Tobias C. Berner <tcberner@FreeBSD.org> | 2017-03-25 20:39:45 +0000 |
commit | cd1bd1304605b7ea3b2ec385a8dbb92f3c5623e2 (patch) | |
tree | 36a91309c34d1b48a254f2fa73a29e11368aa8f9 | |
parent | c24e4019ac9ae0e03d338d05f10ee93e273d27ed (diff) | |
download | ports-cd1bd1304605b7ea3b2ec385a8dbb92f3c5623e2.tar.gz ports-cd1bd1304605b7ea3b2ec385a8dbb92f3c5623e2.zip |
MFH: r435896 r431563
Adress CVE-2017-6410 in devel/kf5-kio and x11/kdelibs4
Using a malicious PAC file, and then using exfiltration methods in the PAC
function FindProxyForURL() enables the attacker to expose full https URLs.
This is a security issue since https URLs may contain sensitive
information in the URL authentication part (user:password@host), and in the
path and the query (e.g. access tokens).
This attack can be carried out remotely (over the LAN) since proxy settings
allow ``Detect Proxy Configuration Automatically''
This setting uses WPAD to retrieve the PAC file, and an attacker who has access
to the victim's LAN can interfere with the WPAD protocols (DHCP/DNS+HTTP)
and inject his/her own malicious PAC instead of the legitimate one.
Reviewed by: mat, rakuco
Approved by: rakuco (mentor), mat (mentor)
Obtained from: https://marc.info/?l=kde-announce&m=148831226706885&w=2
Security: CVE-2017-6410
Differential Revision: https://reviews.freebsd.org/D9908
Centralize all cmake/modules/FindHUNSPELL.cmake patches in one file.
While here, note that the addition of hunspell-1.6 was done upstream too.
Approved by: ports-secteam (junovitch), rakuco (mentor)
Notes
Notes:
svn path=/branches/2017Q1/; revision=436915
-rw-r--r-- | devel/kf5-kio/Makefile | 1 | ||||
-rw-r--r-- | devel/kf5-kio/files/patch-git_f9d0cb4_cve-2017-6410 | 43 | ||||
-rw-r--r-- | x11/kdelibs4/Makefile | 2 | ||||
-rw-r--r-- | x11/kdelibs4/files/patch-cmake_modules_FindHUNSPELL.cmake (renamed from x11/kdelibs4/files/patch-git_2ab2745) | 10 | ||||
-rw-r--r-- | x11/kdelibs4/files/patch-git_1804c2f_cve-2017-6410 | 39 | ||||
-rw-r--r-- | x11/kdelibs4/files/patch-z-cmake_modules_FindHUNSPELL.cmake | 12 |
6 files changed, 93 insertions, 14 deletions
diff --git a/devel/kf5-kio/Makefile b/devel/kf5-kio/Makefile index fe4383568c2a..b89feb9c3a90 100644 --- a/devel/kf5-kio/Makefile +++ b/devel/kf5-kio/Makefile @@ -3,6 +3,7 @@ PORTNAME= kio PORTVERSION= ${KDE_FRAMEWORKS_VERSION} +PORTREVISION= 1 CATEGORIES= devel kde kde-frameworks MAINTAINER= kde@FreeBSD.org diff --git a/devel/kf5-kio/files/patch-git_f9d0cb4_cve-2017-6410 b/devel/kf5-kio/files/patch-git_f9d0cb4_cve-2017-6410 new file mode 100644 index 000000000000..77703a9d3a0c --- /dev/null +++ b/devel/kf5-kio/files/patch-git_f9d0cb4_cve-2017-6410 @@ -0,0 +1,43 @@ +From f9d0cb47cf94e209f6171ac0e8d774e68156a6e4 Mon Sep 17 00:00:00 2001 +From: Albert Astals Cid <aacid@kde.org> +Date: Tue, 28 Feb 2017 19:00:48 +0100 +Subject: [PATCH] Sanitize URLs before passing them to FindProxyForURL + +Remove user/password information +For https: remove path and query + +Thanks to safebreach.com for reporting the problem + +CCMAIL: yoni.fridburg@safebreach.com +CCMAIL: amit.klein@safebreach.com +CCMAIL: itzik.kotler@safebreach.com +--- + src/kpac/script.cpp | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/src/kpac/script.cpp b/src/kpac/script.cpp +index a0235f73..2485c54d 100644 +--- src/kpac/script.cpp ++++ src/kpac/script.cpp +@@ -754,9 +754,16 @@ QString Script::evaluate(const QUrl &url) + } + } + ++ QUrl cleanUrl = url; ++ cleanUrl.setUserInfo(QString()); ++ if (cleanUrl.scheme() == QLatin1String("https")) { ++ cleanUrl.setPath(QString()); ++ cleanUrl.setQuery(QString()); ++ } ++ + QScriptValueList args; +- args << url.url(); +- args << url.host(); ++ args << cleanUrl.url(); ++ args << cleanUrl.host(); + + QScriptValue result = func.call(QScriptValue(), args); + if (result.isError()) { +-- +2.11.1 + diff --git a/x11/kdelibs4/Makefile b/x11/kdelibs4/Makefile index 110110469763..61f6bd85a567 100644 --- a/x11/kdelibs4/Makefile +++ b/x11/kdelibs4/Makefile @@ -3,7 +3,7 @@ PORTNAME= kdelibs PORTVERSION= ${KDE4_KDELIBS_VERSION} -PORTREVISION= 9 +PORTREVISION= 10 CATEGORIES= x11 kde MASTER_SITES= KDE/${KDE4_APPLICATIONS_BRANCH}/applications/${KDE4_APPLICATIONS_VERSION}/src DIST_SUBDIR= KDE/${PORTVERSION} diff --git a/x11/kdelibs4/files/patch-git_2ab2745 b/x11/kdelibs4/files/patch-cmake_modules_FindHUNSPELL.cmake index 469935807af3..6853675ab016 100644 --- a/x11/kdelibs4/files/patch-git_2ab2745 +++ b/x11/kdelibs4/files/patch-cmake_modules_FindHUNSPELL.cmake @@ -1,3 +1,11 @@ +Includes the following two upstream commits: + +commit c828f8592fcfd6c2a66ebc18a826de38d6a2fef2 +Author: Pino Toscano <pino@kde.org> +Date: Sat Dec 31 12:08:59 2016 +0100 + + cmake: look for hunspell-1.6 as well + commit 2ab2745eb01f73355c490ac8d5d1837dec84fd6c Author: Wolfgang Bauer <wbauer@tmo.at> Date: Thu Oct 20 15:51:29 2016 +0200 @@ -13,7 +21,7 @@ Date: Thu Oct 20 15:51:29 2016 +0200 FIND_PATH(HUNSPELL_INCLUDE_DIR hunspell/hunspell.hxx ) -FIND_LIBRARY(HUNSPELL_LIBRARIES NAMES hunspell-1.3 hunspell-1.2) -+FIND_LIBRARY(HUNSPELL_LIBRARIES NAMES hunspell-2.0 hunspell-1.5 hunspell-1.4 hunspell-1.3 hunspell-1.2) ++FIND_LIBRARY(HUNSPELL_LIBRARIES NAMES hunspell-2.0 hunspell-1.6 hunspell-1.5 hunspell-1.4 hunspell-1.3 hunspell-1.2) # handle the QUIETLY and REQUIRED arguments and set HUNSPELL_FOUND to TRUE if # all listed variables are TRUE diff --git a/x11/kdelibs4/files/patch-git_1804c2f_cve-2017-6410 b/x11/kdelibs4/files/patch-git_1804c2f_cve-2017-6410 new file mode 100644 index 000000000000..99bb4b6146d9 --- /dev/null +++ b/x11/kdelibs4/files/patch-git_1804c2f_cve-2017-6410 @@ -0,0 +1,39 @@ +From 1804c2fde7bf4e432c6cf5bb8cce5701c7010559 Mon Sep 17 00:00:00 2001 +From: Albert Astals Cid <aacid@kde.org> +Date: Tue, 28 Feb 2017 19:08:50 +0100 +Subject: [PATCH] Sanitize URLs before passing them to FindProxyForURL + +Remove user/password information +For https: remove path and query + +Backport from kio f9d0cb47cf94e209f6171ac0e8d774e68156a6e4 +--- + kio/misc/kpac/script.cpp | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/kio/misc/kpac/script.cpp b/kio/misc/kpac/script.cpp +index a595301307..9ab360a0b5 100644 +--- kio/misc/kpac/script.cpp ++++ kio/misc/kpac/script.cpp +@@ -754,9 +754,16 @@ namespace KPAC + } + } + ++ KUrl cleanUrl = url; ++ cleanUrl.setUserInfo(QString()); ++ if (cleanUrl.scheme().toLower() == QLatin1String("https")) { ++ cleanUrl.setPath(QString()); ++ cleanUrl.setQuery(QString()); ++ } ++ + QScriptValueList args; +- args << url.url(); +- args << url.host(); ++ args << cleanUrl.url(); ++ args << cleanUrl.host(); + + QScriptValue result = func.call(QScriptValue(), args); + if (result.isError()) { +-- +2.11.1 + diff --git a/x11/kdelibs4/files/patch-z-cmake_modules_FindHUNSPELL.cmake b/x11/kdelibs4/files/patch-z-cmake_modules_FindHUNSPELL.cmake deleted file mode 100644 index 2c25a58de6b4..000000000000 --- a/x11/kdelibs4/files/patch-z-cmake_modules_FindHUNSPELL.cmake +++ /dev/null @@ -1,12 +0,0 @@ ---- cmake/modules/FindHUNSPELL.cmake.orig 2015-06-26 03:14:18 UTC -+++ cmake/modules/FindHUNSPELL.cmake -@@ -14,7 +14,8 @@ ENDIF (HUNSPELL_INCLUDE_DIR AND HUNSPELL - - FIND_PATH(HUNSPELL_INCLUDE_DIR hunspell/hunspell.hxx ) - --FIND_LIBRARY(HUNSPELL_LIBRARIES NAMES hunspell-2.0 hunspell-1.5 hunspell-1.4 hunspell-1.3 hunspell-1.2) -+FIND_LIBRARY(HUNSPELL_LIBRARIES NAMES hunspell-2.0 hunspell-1.6 -+ hunspell-1.5 hunspell-1.4 hunspell-1.3 hunspell-1.2 hunspell) - - # handle the QUIETLY and REQUIRED arguments and set HUNSPELL_FOUND to TRUE if - # all listed variables are TRUE |