Due to a CSRF vulnerability affecting the qute://settings page, it was possible for websites to modify qutebrowser settings. Via settings like editor.command, this possibly allowed websites to execute arbitrary code.
This issue has been assigned CVE-2018-10895.
The issue was introduced in v1.0.0, as part of commit ffc29ee.
It was fixed in the v1.4.1 release, in commit 43e58ac.
All releases between v1.0.0 and v1.4.0 (inclusive) are affected. Backported patches are available, but no additional releases are planned:
(add .patch to the URL to get patches)
2018-07-09: I was made aware of the original issue privately (initially believed by the reporter to only be a DoS issue), developed a fix and contacted the distros Openwall mailing list to organize a disclosure date to give distributions time to coordinate the release of a fix.
2018-07-10: Slightly updated patch sent to the distros mailing list.
2018-07-11: Public disclosure.
Please upgrade to v1.4.1 or apply the patches above.
Note that disabling loading of autoconfig.yml is not a suitable remedy, since settings are still applied until the next restart.
As a workaround, it's possible to patch out the vulnerable code via a config.py file:
# Replace the qute://settings/set handler with a no-op so that a
# website can no longer change settings through it.
from qutebrowser.browser import qutescheme
qutescheme._qute_settings_set = lambda url: ('text/html', '')
While there is no known exploit for this in the wild, users are advised to check their autoconfig.yml file (located in the config folder shown in :version) for any unwanted modifications.
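To make that check easier, here is an added example (not from the advisory and not qutebrowser's own code) that walks a parsed autoconfig.yml and lists every persisted option, with the ones that run commands or redirect data first. The file layout (a `settings` mapping of option name to `global` or URL-pattern scopes), the high-risk list and the names `find_risky_settings` and `load_autoconfig` are assumptions based on qutebrowser 1.x.

```python
import sys
from typing import Any, Dict, List, Tuple

# Options whose values get executed or redirect where data flows.
# Illustrative selection (an assumption), not an exhaustive list.
HIGH_RISK = {
    "editor.command": "runs an external command",
    "aliases": "defines commands that run on demand",
    "bindings.commands": "binds keys to arbitrary commands",
    "content.proxy": "routes all traffic through a proxy",
    "downloads.location.directory": "changes where downloads land",
}

def find_risky_settings(data: Dict[str, Any]) -> List[Tuple[str, str, Any, str]]:
    """Return (option, scope, value, reason) for every persisted setting.

    High-risk options sort first, but everything else is reported too,
    because the CSRF could have set any option."""
    findings = []
    for option, scopes in (data.get("settings") or {}).items():
        if not isinstance(scopes, dict):   # tolerate a flat value
            scopes = {"global": scopes}
        for scope, value in scopes.items():
            reason = HIGH_RISK.get(option, "unexpected persisted setting")
            findings.append((option, scope, value, reason))
    findings.sort(key=lambda f: (f[0] not in HIGH_RISK, f[0], f[1]))
    return findings

def load_autoconfig(path: str) -> Dict[str, Any]:
    """Parse autoconfig.yml with PyYAML (which qutebrowser itself needs)."""
    import yaml
    with open(path, encoding="utf-8") as f:
        return yaml.safe_load(f) or {}

# Constructed sample mirroring the autoconfig.yml layout:
# each option maps "global" or a URL pattern to a value.
SAMPLE = {
    "config_version": 2,
    "settings": {
        "editor.command": {"global": ["/tmp/not-my-editor", "{}"]},
        "content.javascript.enabled": {"global": True,
                                       "https://example.org": False},
    },
}

if __name__ == "__main__":
    data = load_autoconfig(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    for option, scope, value, reason in find_risky_settings(data):
        print(f"{option} [{scope}] = {value!r}  <- {reason}")
```

Run it with the path to your autoconfig.yml (the config folder is shown by :version); without an argument it checks the constructed sample.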
- toofar for reporting the initial issue.
- Allan Sandfeld Jensen (carewolf) and Jüri Valdmann (juvaldma) of The Qt Company for their assistance with triaging and fixing the issue.
- toofar and Jay Kamat (jgkamat) for reviewing the patch.
- Morten Linderud (Foxboron) for suggestions on how to disclose this properly.