CVE-2018-10895: Remote code execution due to CSRF in qutebrowser

Description

Due to a CSRF vulnerability in the qute://settings page, it was possible for websites to modify qutebrowser settings without the user's involvement. Via settings like editor.command, which specifies the external program qutebrowser launches, this could allow a website to execute arbitrary code.
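
As an added illustration (not qutebrowser's code), the following sketches the pattern behind the bug and its fix: a browser-internal page whose URL changes a setting, once without and once with a per-session token that remote sites cannot obtain. The URL layout, handler names and token scheme are assumptions made for the illustration; only the setting name editor.command and its consequence come from the advisory.

```python
"""Added illustration, not qutebrowser's code: why a browser-internal page
that changes settings from URL parameters must check a CSRF token.

Assumptions made for the illustration: the internal URL layout
(settings/set?option=...&value=...), the handler names, and the token scheme.
Only the setting name editor.command and the consequence (the configured
editor command gets executed) come from the advisory."""
import secrets
from urllib.parse import parse_qs, urlparse

# Settings whose value is run as an external command: if a website can
# set one, it gets code execution the next time the setting is used.
COMMAND_SETTINGS = {"editor.command"}


class SettingsStore:
    def __init__(self):
        self.values = {}
        # Secret generated per session and embedded only into the browser's
        # own settings page; a remote website has no way to read it.
        self.csrf_token = secrets.token_urlsafe(32)


def set_setting_vulnerable(store, url):
    """Pre-fix pattern: every load of the internal URL changes the setting.

    A website can make the browser load it (a redirect, an <img src=...>,
    window.open, ...) and nothing ties the request to the settings page the
    user is actually looking at, so any site can rewrite editor.command."""
    query = parse_qs(urlparse(url).query)
    option, value = query["option"][0], query["value"][0]
    store.values[option] = value
    return True


def set_setting_hardened(store, url):
    """Fixed pattern: accept the change only when the request carries the
    per-session token. A forged request from a website lacks it and is
    rejected without touching the store."""
    query = parse_qs(urlparse(url).query)
    token = query.get("token", [""])[0]
    if not secrets.compare_digest(token, store.csrf_token):
        return False
    option, value = query["option"][0], query["value"][0]
    store.values[option] = value
    return True


def is_code_execution(option):
    """True for settings where attacker control means arbitrary code."""
    return option in COMMAND_SETTINGS


def demo():
    """Forged request as a website could trigger it; returns what happened."""
    forged = ("qute://settings/set?option=editor.command"
              "&value=sh%20-c%20%22echo%20pwned%22")
    vuln = SettingsStore()
    fixed = SettingsStore()
    return {
        "vulnerable_changed": set_setting_vulnerable(vuln, forged),
        "vulnerable_value": vuln.values.get("editor.command"),
        "hardened_changed": set_setting_hardened(fixed, forged),
        "hardened_value": fixed.values.get("editor.command"),
        "rce": is_code_execution("editor.command"),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val!r}")
```

The token only needs to be unguessable and unreadable from web content; the comparison is constant-time so its value does not leak through timing either.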

This issue has been assigned CVE-2018-10895.

Affected versions

The issue was introduced in v1.0.0, as part of commit ffc29ee.

It was fixed in the v1.4.1 release, in commit 43e58ac.

All releases between v1.0.0 and v1.4.0 (inclusive) are affected. Backported patches are available, but no additional releases are planned:

(add .patch to the URL to get patches)

Timeline

2018-07-09: I was made aware of the original issue privately (the reporter initially believed it to be only a DoS issue), developed a fix, and contacted the distros mailing list at Openwall to organize a disclosure date, giving distributions time to coordinate releasing a fix.

2018-07-10: Slightly updated patch sent to the distros mailinglist.

2018-07-11: Public disclosure.

Mitigation

Please upgrade to v1.4.1 or apply the patches above.

Note that disabling loading of autoconfig.yml is not a suitable remedy: a setting changed through qute://settings takes effect immediately in the running session, regardless of whether autoconfig.yml is read at startup, and stays applied until the next restart.

As a workaround, it's possible to patch out the vulnerable code via a config.py file, by replacing the handler behind the qute://settings page that applies setting changes with one that ignores the request and returns an empty page:

# Disable the settings-set handler of the qute:// scheme: any request that
# would have changed a setting now just yields an empty page.
from qutebrowser.browser import qutescheme
qutescheme._qute_settings_set = lambda url: ('text/html', '')

While there is no known exploit for this in the wild, users are advised to check their autoconfig.yml file (located in the config folder shown in :version) for any unwanted modifications.
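
To make that check concrete, here is an added example script (not part of this advisory or of qutebrowser) that lists every setting stored in an autoconfig.yml and flags the ones whose value qutebrowser hands to an external program. The two file layouts it parses and the sample file are assumptions constructed for the example; downloads.open_dispatcher is an addition beyond the editor.command setting named above.

```python
"""Added example, not part of the advisory or of qutebrowser: audit an
autoconfig.yml for settings that may have been planted by a website and
call out the ones whose value is executed as a command.

Assumptions: the two autoconfig.yml layouts handled below (a top-level
"global:" mapping, and a top-level "settings:" mapping with a nested
"global:" value per setting) are the ones used by the affected releases;
the sample file is constructed for this example. Only editor.command is
named in the advisory; downloads.open_dispatcher is added because it also
launches an external program."""
import re
import sys

# Settings whose value qutebrowser passes to an external program.
COMMAND_SETTINGS = {
    "editor.command",             # from the advisory
    "downloads.open_dispatcher",  # assumption: also launches a program
}

# A setting name indented by two spaces, optionally with an inline value.
KEY_RE = re.compile(r"^  ([a-z0-9_]+(?:\.[a-z0-9_]+)+):\s*(.*)$")

# Constructed sample in the "settings:" layout; the editor.command entry is
# what a planted modification might look like.
SAMPLE = """\
config_version: 2
settings:
  content.javascript.enabled:
    global: false
  editor.command:
    global:
    - sh
    - -c
    - echo compromised
  url.start_pages:
    global:
    - https://example.com/
"""


def settings_in_autoconfig(text):
    """Map each setting name in the file to its raw value lines.

    Parsed by hand (no YAML library needed) so it runs anywhere; the raw
    lines are kept so the reviewer sees exactly what is in the file."""
    settings = {}
    section = None
    current = None
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if line and not line[0].isspace():        # top-level key
            section = line.split(":", 1)[0]
            current = None
            continue
        if section not in ("settings", "global"):
            continue
        match = KEY_RE.match(line)
        if match:
            current = match.group(1)
            settings[current] = [match.group(2)] if match.group(2) else []
        elif current is not None and line.startswith("    "):
            settings[current].append(line.strip())
    return settings


def audit(text):
    """Return one finding per setting; executes_command marks the ones
    where an unwanted change means arbitrary code execution."""
    return [
        {"setting": name, "value": value,
         "executes_command": name in COMMAND_SETTINGS}
        for name, value in settings_in_autoconfig(text).items()
    ]


if __name__ == "__main__":
    # Pass the path to the real autoconfig.yml (config folder from :version);
    # without an argument the constructed sample is audited.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for finding in audit(text):
        flag = "CHECK: runs a command" if finding["executes_command"] else "review"
        print(f"{finding['setting']:40} {flag}")
        for raw in finding["value"]:
            print(f"    {raw}")
```

Every setting is listed, not only the command-executing ones, because a planted change to something like url.start_pages or a proxy setting is also worth reviewing even though it does not run a program by itself.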

Credits

Thanks to:

  • toofar for reporting the initial issue.
  • Allan Sandfeld Jensen (carewolf) and Jüri Valdmann (juvaldma) of The Qt Company for their assistance with triaging and fixing the issue.
  • toofar and Jay Kamat (jgkamat) for reviewing the patch.
  • Morten Linderud (Foxboron) for suggestions on how to disclose this properly.
