From owner-svn-ports-all@freebsd.org  Sat Mar 11 10:28:38 2017
Return-Path: <owner-svn-ports-all@freebsd.org>
Delivered-To: svn-ports-all@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id F316FD05EF0;
 Sat, 11 Mar 2017 10:28:38 +0000 (UTC)
 (envelope-from tcberner@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id B305C1FDE;
 Sat, 11 Mar 2017 10:28:38 +0000 (UTC)
 (envelope-from tcberner@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id v2BASbl1087636;
 Sat, 11 Mar 2017 10:28:37 GMT (envelope-from tcberner@FreeBSD.org)
Received: (from tcberner@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id v2BASb0A087632;
 Sat, 11 Mar 2017 10:28:37 GMT (envelope-from tcberner@FreeBSD.org)
Message-Id: <201703111028.v2BASb0A087632@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: tcberner set sender to
 tcberner@FreeBSD.org using -f
From: "Tobias C. Berner" <tcberner@FreeBSD.org>
Date: Sat, 11 Mar 2017 10:28:37 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org,
 svn-ports-head@freebsd.org
Subject: svn commit: r435896 - in head: devel/kf5-kio devel/kf5-kio/files
 x11/kdelibs4 x11/kdelibs4/files
X-SVN-Group: ports-head
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-ports-all@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: SVN commit messages for the ports tree <svn-ports-all.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-ports-all>,
 <mailto:svn-ports-all-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-ports-all/>
List-Post: <mailto:svn-ports-all@freebsd.org>
List-Help: <mailto:svn-ports-all-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-ports-all>,
 <mailto:svn-ports-all-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 11 Mar 2017 10:28:39 -0000

Author: tcberner
Date: Sat Mar 11 10:28:37 2017
New Revision: 435896
URL: https://svnweb.freebsd.org/changeset/ports/435896

Log:
  Adress CVE-2017-6410 in devel/kf5-kio and x11/kdelibs4
  
  Using a malicious PAC file, and then using exfiltration methods in the PAC
  function FindProxyForURL() enables the attacker to expose full https URLs.
  
  This is a security issue since https URLs may contain sensitive
  information in the URL authentication part (user:password@host), and in the
  path and the query (e.g. access tokens).
  
  This attack can be carried out remotely (over the LAN) since proxy settings
  allow ``Detect Proxy Configuration Automatically''
  This setting uses WPAD to retrieve the PAC file, and an attacker who has access
  to the victim's LAN can interfere with the WPAD protocols (DHCP/DNS+HTTP)
  and inject his/her own malicious PAC instead of the legitimate one.
  
  Reviewed by:	mat, rakuco
  Approved by:	rakuco (mentor), mat (mentor)
  Obtained from:	https://marc.info/?l=kde-announce&m=148831226706885&w=2
  MFH:		2017Q1
  Security:	CVE-2017-6410
  Differential Revision:	https://reviews.freebsd.org/D9908

Added:
  head/devel/kf5-kio/files/
  head/devel/kf5-kio/files/patch-git_f9d0cb4_cve-2017-6410   (contents, props changed)
  head/x11/kdelibs4/files/patch-git_1804c2f_cve-2017-6410   (contents, props changed)
Modified:
  head/devel/kf5-kio/Makefile
  head/x11/kdelibs4/Makefile

Modified: head/devel/kf5-kio/Makefile
==============================================================================
--- head/devel/kf5-kio/Makefile	Sat Mar 11 10:28:22 2017	(r435895)
+++ head/devel/kf5-kio/Makefile	Sat Mar 11 10:28:37 2017	(r435896)
@@ -3,6 +3,7 @@
 
 PORTNAME=	kio
 PORTVERSION=	${KDE_FRAMEWORKS_VERSION}
+PORTREVISION=	1
 CATEGORIES=	devel kde kde-frameworks
 
 MAINTAINER=	kde@FreeBSD.org

Added: head/devel/kf5-kio/files/patch-git_f9d0cb4_cve-2017-6410
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/devel/kf5-kio/files/patch-git_f9d0cb4_cve-2017-6410	Sat Mar 11 10:28:37 2017	(r435896)
@@ -0,0 +1,43 @@
+From f9d0cb47cf94e209f6171ac0e8d774e68156a6e4 Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aacid@kde.org>
+Date: Tue, 28 Feb 2017 19:00:48 +0100
+Subject: [PATCH] Sanitize URLs before passing them to FindProxyForURL
+
+Remove user/password information
+For https: remove path and query
+
+Thanks to safebreach.com for reporting the problem
+
+CCMAIL: yoni.fridburg@safebreach.com
+CCMAIL: amit.klein@safebreach.com
+CCMAIL: itzik.kotler@safebreach.com
+---
+ src/kpac/script.cpp | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/src/kpac/script.cpp b/src/kpac/script.cpp
+index a0235f73..2485c54d 100644
+--- src/kpac/script.cpp
++++ src/kpac/script.cpp
+@@ -754,9 +754,16 @@ QString Script::evaluate(const QUrl &url)
+         }
+     }
+
++    QUrl cleanUrl = url;
++    cleanUrl.setUserInfo(QString());
++    if (cleanUrl.scheme() == QLatin1String("https")) {
++        cleanUrl.setPath(QString());
++        cleanUrl.setQuery(QString());
++    }
++
+     QScriptValueList args;
+-    args << url.url();
+-    args << url.host();
++    args << cleanUrl.url();
++    args << cleanUrl.host();
+
+     QScriptValue result = func.call(QScriptValue(), args);
+     if (result.isError()) {
+--
+2.11.1
+

Modified: head/x11/kdelibs4/Makefile
==============================================================================
--- head/x11/kdelibs4/Makefile	Sat Mar 11 10:28:22 2017	(r435895)
+++ head/x11/kdelibs4/Makefile	Sat Mar 11 10:28:37 2017	(r435896)
@@ -3,7 +3,7 @@
 
 PORTNAME=	kdelibs
 PORTVERSION=	${KDE4_KDELIBS_VERSION}
-PORTREVISION=	9
+PORTREVISION=	10
 CATEGORIES=	x11 kde
 MASTER_SITES=   KDE/${KDE4_APPLICATIONS_BRANCH}/applications/${KDE4_APPLICATIONS_VERSION}/src
 DIST_SUBDIR=	KDE/${PORTVERSION}

Added: head/x11/kdelibs4/files/patch-git_1804c2f_cve-2017-6410
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/x11/kdelibs4/files/patch-git_1804c2f_cve-2017-6410	Sat Mar 11 10:28:37 2017	(r435896)
@@ -0,0 +1,39 @@
+From 1804c2fde7bf4e432c6cf5bb8cce5701c7010559 Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aacid@kde.org>
+Date: Tue, 28 Feb 2017 19:08:50 +0100
+Subject: [PATCH] Sanitize URLs before passing them to FindProxyForURL
+
+Remove user/password information
+For https: remove path and query
+
+Backport from kio f9d0cb47cf94e209f6171ac0e8d774e68156a6e4
+---
+ kio/misc/kpac/script.cpp | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/kio/misc/kpac/script.cpp b/kio/misc/kpac/script.cpp
+index a595301307..9ab360a0b5 100644
+--- kio/misc/kpac/script.cpp
++++ kio/misc/kpac/script.cpp
+@@ -754,9 +754,16 @@ namespace KPAC
+             }
+         }
+
++        KUrl cleanUrl = url;
++        cleanUrl.setUserInfo(QString());
++        if (cleanUrl.scheme().toLower() == QLatin1String("https")) {
++            cleanUrl.setPath(QString());
++            cleanUrl.setQuery(QString());
++        }
++
+         QScriptValueList args;
+-        args << url.url();
+-        args << url.host();
++        args << cleanUrl.url();
++        args << cleanUrl.host();
+
+         QScriptValue result = func.call(QScriptValue(), args);
+         if (result.isError()) {
+--
+2.11.1
+