[qutebrowser-announce] CVE-2018-10895: Remote code execution due to CSRF in qutebrowser

Description ----------- Due to a CSRF vulnerability affecting the `qute://settings` page, it was possible for websites to modify qutebrowser settings. Via settings like `editor.command`, this possibly allowed websites to execute arbitrary code. This issue has been assigned CVE-2018-10895: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10895 Affected versions ----------------- The issue was introduced in v1.0.0, as part of commit ffc29ee. https://github.com/qutebrowser/qutebrowser/commit/ffc29ee It was fixed in the v1.4.1 release, in commit 43e58ac. https://github.com/qutebrowser/qutebrowser/commit/43e58ac865ff862c2008c510fc5f7627e10b4660 All releases between v1.0.0 and v1.4.0 (inclusive) are affected. Backported patches are available, but no additional releases are planned: v1.1.x: https://github.com/qutebrowser/qutebrowser/commit/ff686ff7f395d83e5ac48507ecfae0b0e97a61ef v1.2.x: https://github.com/qutebrowser/qutebrowser/commit/c3361c31b370140f323e481dd455450b1e74c099 v1.3.x: https://github.com/qutebrowser/qutebrowser/commit/c2ff32d92ba9bf40ff53498ee04a4124d4993c85 v1.4.x: https://github.com/qutebrowser/qutebrowser/commit/22148ce488da52e8a0e01ed937c0cfdb24d34775 master: https://github.com/qutebrowser/qutebrowser/commit/43e58ac865ff862c2008c510fc5f7627e10b4660 (add .patch to the URL to get patches) Timeline -------- 2018-07-09: I was made aware of the original issue privately (initially believed by the reporter to only be a DoS issue), developed a fix and contacted the distros Openwall mailinglist to organize a disclosure date to give distributions time to coordinate releasing of a fix. 2018-07-10: Slightly updated patch sent to the distros mailinglist. 2018-07-11: Public disclosure. Mitigation ---------- Please upgrade to v1.4.1 or apply the patches above. Note that disabling loading of `autoconfig.yml` is not a suitable remedy, since settings are still applied until the next restart. As a workaround, it's possible to patch out the vulnerable code via a `config.py` file: from qutebrowser.browser import qutescheme qutescheme._qute_settings_set = lambda url: ('text/html', '') While there is no known exploit for this in the wild, users are advised to check their `autoconfig.yml` file (located in the config folder shown in `:version`) for any unwanted modifications. Credits ------- Thanks to: - toofar for reporting the initial issue. - Allan Sandfeld Jensen (carewolf) and Jüri Valdmann (juvaldma) of The Qt Company for their assistance with triaging and fixing the issue. - toofar and Jay Kamat (jgkamat) for reviewing the patch. - Morten Linderud (Foxboron) for suggestions on how to disclose this properly. Links ----- - https://github.com/qutebrowser/qutebrowser/issues/4060 -- https://www.qutebrowser.org | me at the-compiler.org (Mail/XMPP) GPG: 916E B0C8 FD55 A072 | https://the-compiler.org/pubkey.asc I love long mails! | https://email.is-not-s.ms/ -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: not available URL: <https://lists.schokokeks.org/pipermail/qutebrowser-announce/attachments/20180711/f4bd146e/attachment.asc>