CVE-2018-10895: Possible remote code execution via CSRF in qute://settings

Bug #1781295 reported by Axel Beckert on 2018-07-11
This bug affects 2 people
Affects               Status  Importance  Assigned to    Milestone
qutebrowser (Ubuntu)          Medium      Unassigned
Bionic                        Medium      Simon Quigley

Bug Description

qutebrowser 1.0.0 to 1.4.0 allows websites to change configuration settings via the qute://settings page by using CSRF. E.g. via the editor setting, this can very likely lead to a remote code execution. This has been fixed in 1.4.1, uploaded to Debian Unstable a few hours ago. Patches for earlier releases are available upstream.

Details at upstream and OSS security:

http://www.openwall.com/lists/oss-security/2018/07/11/7
https://github.com/qutebrowser/qutebrowser/issues/4060
Introduced in: https://github.com/qutebrowser/qutebrowser/commit/ffc29ee (v1.0.0)
Fixed in: https://github.com/qutebrowser/qutebrowser/commit/43e58ac865ff862c2008c510fc5f7627e10b4660 (v1.4.1)

Ubuntu is affected in Bionic (1.1.1-1) and Cosmic (1.4.0-1).
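The class of bug described above, as an added example that is not qutebrowser's code and does not reproduce its real URL layout or fix: a toy model of a browser-internal settings endpoint. `vulnerable_set` accepts a plain GET with query parameters, so any web page that can embed `<img src="app://settings/set?...">` changes a setting; `hardened_set` adds the two checks that close the hole, namely that the request's first party is the privileged settings page itself (issued via XHR, not an embedded resource) and that it carries a per-session token a third-party page cannot read. The `app://` scheme, the `Request` model, the option name and all values are assumptions made for illustration.

```python
"""Added example, not qutebrowser code: a CSRF-prone internal settings
endpoint beside a hardened one.  The app:// scheme, the Request model
and the setting values are assumptions made for illustration."""
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit, parse_qs


@dataclass
class Request:
    """Hypothetical browser-internal view of a resource request."""
    url: str                       # URL being fetched
    first_party: str               # top-level page that triggered it
    resource_type: str = "main"    # "main", "image", "xhr", ...


@dataclass
class Settings:
    values: dict = field(default_factory=dict)
    # One unguessable token per session; only the settings page is handed it.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


def _is_set_endpoint(url: str):
    parts = urlsplit(url)
    if (parts.scheme, parts.netloc, parts.path) != ("app", "settings", "/set"):
        return None
    qs = parse_qs(parts.query)
    if "option" not in qs or "value" not in qs:
        return None
    return qs


def vulnerable_set(settings: Settings, req: Request) -> bool:
    """Applies any well-formed request, regardless of who triggered it."""
    qs = _is_set_endpoint(req.url)
    if qs is None:
        return False
    settings.values[qs["option"][0]] = qs["value"][0]
    return True


def hardened_set(settings: Settings, req: Request) -> bool:
    """Same endpoint with an origin check and a per-session CSRF token."""
    qs = _is_set_endpoint(req.url)
    if qs is None:
        return False
    # 1. Only the privileged settings page may issue this request, and only
    #    via XHR, so <img>/<iframe>/<form> embeds from web content are dropped.
    fp = urlsplit(req.first_party)
    if (fp.scheme, fp.netloc) != ("app", "settings") or req.resource_type != "xhr":
        return False
    # 2. The token is unreadable cross-origin; compare in constant time.
    token = qs.get("token", [""])[0]
    if not secrets.compare_digest(token, settings.csrf_token):
        return False
    settings.values[qs["option"][0]] = qs["value"][0]
    return True


def demo() -> dict:
    """Constructed requests: one forged by a web page, one from the settings page."""
    vuln, hard = Settings(), Settings()
    forged = Request(
        url="app://settings/set?option=editor.command&value=evil",
        first_party="https://attacker.example/",
        resource_type="image",          # e.g. <img src=...> on the attacker's page
    )
    legit = Request(
        url="app://settings/set?option=editor.command&value=vim&token=" + hard.csrf_token,
        first_party="app://settings/",
        resource_type="xhr",
    )
    return {
        "vulnerable_accepts_forged": vulnerable_set(vuln, forged),
        "hardened_rejects_forged": not hardened_set(hard, forged),
        "hardened_accepts_legit": hardened_set(hard, legit),
        "hardened_value": hard.values.get("editor.command"),
    }


if __name__ == "__main__":
    print(demo())
```

The origin check alone is not enough in a real browser, because a page that can spoof or reuse a privileged first party (for example through a frame on the settings page) would pass it; the token is what makes the request unforgeable from web content, and the origin check is what keeps a leaked token from being replayed by an embedded resource.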

Axel Beckert (xtaran) on 2018-07-11
information type: Private Security → Public Security
Axel Beckert (xtaran) wrote :

Meh, can't link this bug report to a CVE report as Launchpad claims that "CVE-2018-10895 is not a valid CVE number". But it obviously is.

Axel Beckert (xtaran) wrote :

Ok, as of half an hour ago, Cosmic is fixed, probably due to the automatic sync from Debian Unstable.

tags: removed: cosmic
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in qutebrowser (Ubuntu):
status: New → Confirmed
Axel Beckert (xtaran) on 2018-07-19
tags: added: community-security
Simon Quigley (tsimonq2) on 2018-07-19
Changed in qutebrowser (Ubuntu Bionic):
status: New → In Progress
Changed in qutebrowser (Ubuntu):
importance: Undecided → Medium
Changed in qutebrowser (Ubuntu Bionic):
importance: Undecided → Medium
Changed in qutebrowser (Ubuntu):
assignee: nobody → Simon Quigley (tsimonq2)
Changed in qutebrowser (Ubuntu Bionic):
assignee: nobody → Simon Quigley (tsimonq2)
Changed in qutebrowser (Ubuntu):
assignee: Simon Quigley (tsimonq2) → nobody
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package qutebrowser - 1.1.1-1ubuntu0.1

---------------
qutebrowser (1.1.1-1ubuntu0.1) bionic-security; urgency=medium

  * SECURITY UPDATE: Remote code execution due to CSRF on the qute://settings
    page (LP: #1781295):
    - fix-CVE-2018-10895.patch
    - CVE-2018-10895
  * Add a build dependency on dh-python, fixing the FTBFS.

 -- Simon Quigley <email address hidden> Wed, 18 Jul 2018 19:24:09 -0500

Changed in qutebrowser (Ubuntu Bionic):
status: In Progress → Fix Released
Simon Quigley (tsimonq2) on 2018-07-19
Changed in qutebrowser (Ubuntu):
status: Confirmed → Fix Released
