qutebrowser v1.3.3 released (security update!)

I've just released qutebrowser v1.3.3, which fixes an XSS vulnerability on the qute://history page (:history).

qutebrowser is a keyboard driven browser with a vim-like, minimalistic interface. It's written using PyQt and cross-platform.

The vulnerability allowed websites to inject HTML into the page via a crafted title tag. This could allow them to steal your browsing history.

If you're currently unable to upgrade, avoid using :history.

A CVE request for this issue is pending, see the relevant issue for updates: https://github.com/qutebrowser/qutebrowser/issues/4011

The issue was introduced in March 2017 and part of the v0.11.0 release: https://github.com/qutebrowser/qutebrowser/commit/845f21b275bf438eccd7854f7f5401233ec6719a https://github.com/qutebrowser/qutebrowser/commit/1179ee7a937fb31414d77d9970bac21095358449

The patch applies cleanly to v1.2.x and v1.1.x (but I do not plan to do any updated releases of those): https://github.com/qutebrowser/qutebrowser/commit/5a7869f2feaa346853d2a85413d6527c87ef0d9f.patch

It does not apply to v1.0.x and v0.11.x. If you need a backport, please let me know, but especially on v0.11.x you'll probably have a lot of other security issues due to an outdated QtWebKit anyways.

I plan to release v1.4.0 later this week (once PyQt 5.11 is out), but since the bug was opened publicly, I decided to do an immediate bugfix release. As a reminder, for security-relevant bugs, please contact me directly at mail at qutebrowser.org.

Other bugfixes in this release:

  • Crash in a workaround for a Qt 5.11 bug in rare circumstances.
  • Workaround for a Qt bug which preserves searches between page loads.
  • In v1.3.2 a dependency on the PyQt5.QtQuickWidgets module was accidentally introduced. Since that module isn't packaged everywhere, it's been removed again.

Sorry for the trouble!

All posts

  1. qutebrowser v1.2.0 released!
  2. T-Shirts shipped, initial implementation of per-domain settings
  3. Current state of per-domain settings
  4. qutebrowser v1.0.0 released!
  5. qutebrowser v1.0.0 is coming closer
  6. New config merged!
  7. Config revolution - Part 1 finished
  8. Refactoring more things, a working YAML config, and more!
  9. Refactoring all the things!
  10. First week
  11. First 2 days
  12. Getting started again
  13. Second qutebrowser crowdfunding launched!
  14. qutebrowser v0.10.0 released
  15. Wrapping up and looking at the future
  16. Days 39/40/41: Lots of features!
  17. Days 37/38: Hints in master, tests
  18. Day 36: Hints!
  19. Days 33-35: Mouse functionality, and rewriting hints
  20. Days 31/32: More web elements
  21. Days 29/30: Web elements
  22. Days 27/28: Settings and web inspector
  23. Day 24-26: Refactoring the WebElement API
  24. Day 21-23: After Europython and releases
  25. Day 19/20: Bugs everywhere!
  26. qutebrowser v0.8.0 released
  27. Day 18: Javascript
  28. Day 17: Printing and searching
  29. Sending out qutebrowser and pytest stickers
  30. Day 15/16: Merged!
  31. Day 13/14: Almost merged!
  32. Day 12: Tests running!
  33. Day 10/11: Refactoring!
  34. Day 9: A bit of everything
  35. Day 8: More fixing and pytest sprint/training
  36. Day 7: Fixing things
  37. Day 6: Branching off
  38. qutebrowser v0.7.0 released
  39. Day 4: Playing whack-a-mole
  40. Day 3: Last pull requests and managing requirement files
  41. Day 2: More pull requests and nicer test output
  42. Day 1: Merging pull requests, and a stupid bug
  43. About and Timeline