CVE-2018-10895: Possible remote code execution via CSRF in qute://settings

Bug #1781295 reported by Axel Beckert on 2018-07-11
Affects: qutebrowser (Ubuntu)
Importance: Undecided
Assigned to: Unassigned

Bug Description

qutebrowser 1.0.0 to 1.4.0 allows websites to change configuration settings via the qute://settings page by using CSRF. E.g. via the editor setting, this can very likely lead to a remote code execution. This has been fixed in 1.4.1, uploaded to Debian Unstable a few hours ago. Patches for earlier releases are available upstream.

Details at upstream and OSS security:

http://www.openwall.com/lists/oss-security/2018/07/11/7
https://github.com/qutebrowser/qutebrowser/issues/4060
Introduced in: https://github.com/qutebrowser/qutebrowser/commit/ffc29ee (v1.0.0)
Fixed in: https://github.com/qutebrowser/qutebrowser/commit/43e58ac865ff862c2008c510fc5f7627e10b4660 (v1.4.1)

Ubuntu is affected in Bionic (1.1.1-1) and Cosmic (1.4.0-1).
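As an added illustration (not code from the report or from qutebrowser), the following Python models the bug class described above and the two checks a packager or administrator would want: whether an installed version string such as `1.4.0-1` falls in the affected range the report names, and why a cross-site request against a privileged internal settings page succeeds when the handler accepts any request, but fails once the page requires a per-process secret that web content cannot read. The `SettingsPage` class, the `qute://settings/set` query shape, the `example.option` name and the secret-token mitigation are all assumptions made for the example; the page does not describe the upstream fix.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AFFECTED_MIN = (1, 0, 0)   # first affected release per the report (v1.0.0)
AFFECTED_MAX = (1, 4, 0)   # last affected release; 1.4.1 carries the fix


def upstream_version(pkg_version: str) -> tuple:
    """Turn '1.4.0-1' (Debian/Ubuntu style) or '1.4.0' into (1, 4, 0)."""
    upstream = pkg_version.split("-", 1)[0]
    return tuple(int(part) for part in upstream.split("."))


def is_affected(pkg_version: str) -> bool:
    """True when the installed version falls inside the range the report names."""
    return AFFECTED_MIN <= upstream_version(pkg_version) <= AFFECTED_MAX


class SettingsPage:
    """Constructed stand-in for a privileged browser-internal settings page.

    This is NOT qutebrowser's code. The per-process secret token is an
    assumed mitigation pattern used to show why a forged request fails; it
    is not a description of the upstream fix.
    """

    def __init__(self):
        self.config = {}
        # Random token minted once per browser process. Only content the
        # browser renders itself (the settings page) is handed it; ordinary
        # web pages cannot read it, so they cannot build a valid request.
        self._secret = secrets.token_urlsafe(32)
        self.rejected = []  # audit trail: log these entries for detection

    def render_set_url(self, option: str, value: str) -> str:
        """URL the settings page itself would emit; it knows the secret."""
        query = urlencode({"option": option, "value": value, "secret": self._secret})
        return "qute://settings/set?" + query

    def handle_set_vulnerable(self, url: str) -> bool:
        """Shape of the bug: any request to the internal URL is honoured,
        so a request forged by an ordinary web page changes the setting."""
        q = parse_qs(urlsplit(url).query)
        self.config[q["option"][0]] = q["value"][0]
        return True

    def handle_set(self, url: str) -> bool:
        """Hardened handler: refuse unless the per-process secret is present
        (compared in constant time) and record the refusal for detection."""
        q = parse_qs(urlsplit(url).query)
        supplied = q.get("secret", [""])[0]
        if not hmac.compare_digest(supplied.encode(), self._secret.encode()):
            self.rejected.append(url)
            return False
        self.config[q["option"][0]] = q["value"][0]
        return True


if __name__ == "__main__":
    # Constructed request with no secret, as a web page could produce it.
    forged = "qute://settings/set?option=example.option&value=changed"
    page = SettingsPage()
    print("vulnerable handler accepted forged request:", page.handle_set_vulnerable(forged))
    page = SettingsPage()
    print("hardened handler accepted forged request:", page.handle_set(forged))
    print("hardened handler accepted its own request:",
          page.handle_set(page.render_set_url("example.option", "changed")))
    for v in ("1.1.1-1", "1.4.0-1", "1.4.1-1"):
        print(v, "affected" if is_affected(v) else "not affected")
```

The version helper deliberately compares only the upstream part of a Debian-style version, since the Debian revision after the hyphen does not change which upstream code is installed; the `rejected` list stands in for whatever logging a real browser would do, and is the hook a defender would watch.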

Axel Beckert (xtaran) on 2018-07-11
information type: Private Security → Public Security
Axel Beckert (xtaran) wrote :

Meh, can't link this bug report to a CVE report as Launchpad claims that "CVE-2018-10895 is not a valid CVE number". But it obviously is.

Axel Beckert (xtaran) wrote :

Ok, as of half an hour ago, Cosmic is fixed, probably due to the automatic sync from Debian Unstable.

tags: removed: cosmic