~ruther/guix-local

c35745edc4e78defba4a82e32974d729cf159c34 — Leo Famulari 9 years ago 5e0535a 
gnu: kio: Fix CVE-2017-6410.

* gnu/packages/patches/kio-CVE-2017-6410.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/kde-frameworks.scm (kio)[source]: Use it.
patch browse .tar.gz 
3 files changed, 55 insertions(+), 0 deletions(-)

M gnu/local.mk
M gnu/packages/kde-frameworks.scm
A gnu/packages/patches/kio-CVE-2017-6410.patch

M gnu/local.mk => gnu/local.mk +1 -0
@@ 648,6 648,7 @@ dist_patch_DATA =						\
  %D%/packages/patches/jq-CVE-2015-8863.patch			\
  %D%/packages/patches/kdbusaddons-kinit-file-name.patch	\
  %D%/packages/patches/khmer-use-libraries.patch                \
  %D%/packages/patches/kio-CVE-2017-6410.patch			\
  %D%/packages/patches/kmod-module-directory.patch		\
  %D%/packages/patches/kobodeluxe-paths.patch			\
  %D%/packages/patches/kobodeluxe-enemies-pipe-decl.patch	\


M gnu/packages/kde-frameworks.scm => gnu/packages/kde-frameworks.scm +1 -0
@@ 2206,6 2206,7 @@ makes starting KDE applications faster and reduces memory consumption.")
                    "mirror://kde/stable/frameworks/"
                    (version-major+minor version) "/"
                    name "-" version ".tar.xz"))
              (patches (search-patches "kio-CVE-2017-6410.patch"))
              (sha256
               (base32
                "1hqc88c2idi9fkb7jy82csb0i740lghv0p2fg1gaglcarjdz7nia"))))


A gnu/packages/patches/kio-CVE-2017-6410.patch => gnu/packages/patches/kio-CVE-2017-6410.patch +53 -0
@@ 0,0 1,53 @@
Fix CVE-2017-6410, "Information Leak when accessing https when using a
malicious PAC file":

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6410
https://www.kde.org/info/security/advisory-20170228-1.txt

Patch copied from upstream source repository:

https://cgit.kde.org/kio.git/commit/?id=f9d0cb47cf94e209f6171ac0e8d774e68156a6e4

From f9d0cb47cf94e209f6171ac0e8d774e68156a6e4 Mon Sep 17 00:00:00 2001
From: Albert Astals Cid <aacid@kde.org>
Date: Tue, 28 Feb 2017 19:00:48 +0100
Subject: Sanitize URLs before passing them to FindProxyForURL

Remove user/password information
For https: remove path and query

Thanks to safebreach.com for reporting the problem

CCMAIL: yoni.fridburg@safebreach.com
CCMAIL: amit.klein@safebreach.com
CCMAIL: itzik.kotler@safebreach.com
---
 src/kpac/script.cpp | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/src/kpac/script.cpp b/src/kpac/script.cpp
index a0235f7..2485c54 100644
--- a/src/kpac/script.cpp
+++ b/src/kpac/script.cpp
@@ -754,9 +754,16 @@ QString Script::evaluate(const QUrl &url)
         }
     }
 
+    QUrl cleanUrl = url;
+    cleanUrl.setUserInfo(QString());
+    if (cleanUrl.scheme() == QLatin1String("https")) {
+        cleanUrl.setPath(QString());
+        cleanUrl.setQuery(QString());
+    }
+
     QScriptValueList args;
-    args << url.url();
-    args << url.host();
+    args << cleanUrl.url();
+    args << cleanUrl.host();
 
     QScriptValue result = func.call(QScriptValue(), args);
     if (result.isError()) {
-- 
cgit v0.11.2