CVE-2018-10895: Possible remote code execution via CSRF in qute://settings

Bug #1781295 reported by Axel Beckert
This bug affects 2 people
Affects                 Status        Importance  Assigned to     Milestone
qutebrowser (Ubuntu)    Fix Released  Medium      Unassigned
Bionic                  Fix Released  Medium      Simon Quigley

Bug Description

qutebrowser 1.0.0 to 1.4.0 allows websites to change configuration settings via the qute://settings page by using CSRF. E.g. via the editor setting, this can very likely lead to a remote code execution. This has been fixed in 1.4.1, uploaded to Debian Unstable a few hours ago. Patches for earlier releases are available upstream.

Details at upstream and OSS security:

http://www.openwall.com/lists/oss-security/2018/07/11/7
https://github.com/qutebrowser/qutebrowser/issues/4060
Introduced in: https://github.com/qutebrowser/qutebrowser/commit/ffc29ee (v1.0.0)
Fixed in: https://github.com/qutebrowser/qutebrowser/commit/43e58ac865ff862c2008c510fc5f7627e10b4660 (v1.4.1)

Ubuntu is affected in Bionic (1.1.1-1) and Cosmic (1.4.0-1).
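The bug class described above, as an added toy illustration written for this page (it is not qutebrowser's own code and does not reproduce the upstream patch): a privileged internal qute://settings/set URL that applies whatever option/value arrives in the query string can be triggered by any website, for example as an <img> source, so a hostile page silently rewrites the editor command. The hardened handler refuses any request that lacks a per-session secret which only the internal settings page embeds; the handler classes, the load_page stand-in for subresource fetching and the attacker HTML are all constructed for the example.

```python
"""Toy model of the CVE-2018-10895 bug class, written for this page as an
illustration; it is not qutebrowser's code.  A privileged internal
qute://settings/set URL that applies settings from query parameters is
reachable from any website, e.g. as an <img> source, so a hostile page can
silently replace the editor command.  The hardened handler demands a
per-session secret that only the internal settings page knows."""
import re
import secrets
from urllib.parse import urlsplit, parse_qs, urlencode


class RequestDenied(Exception):
    """Raised when a qute:// request is refused."""


def _parse_set_request(url):
    """Return option/value/csrf_token for a qute://settings/set URL, else deny."""
    parts = urlsplit(url)
    if (parts.scheme, parts.netloc, parts.path) != ("qute", "settings", "/set"):
        raise RequestDenied("not a settings/set request: %s" % url)
    query = parse_qs(parts.query)
    try:
        return {"option": query["option"][0], "value": query["value"][0],
                "csrf_token": query.get("csrf_token", [None])[0]}
    except KeyError as exc:
        raise RequestDenied("missing parameter %s" % exc)


class VulnerableSettingsHandler:
    """Before the fix: any request reaching /set is honoured, whoever sent it."""

    def __init__(self):
        self.config = {"editor.command": "gvim -f {file}"}

    def handle(self, url):
        req = _parse_set_request(url)
        self.config[req["option"]] = req["value"]
        return "ok"


class HardenedSettingsHandler:
    """After the fix: /set must carry a secret token that is only ever
    embedded in the qute://settings page itself.  A website cannot read
    that page cross-origin, so it cannot forge a valid request."""

    def __init__(self):
        self.config = {"editor.command": "gvim -f {file}"}
        self._csrf_token = secrets.token_urlsafe(32)

    def set_url(self, option, value):
        """URL the internal settings page would use for its own changes."""
        return "qute://settings/set?" + urlencode(
            {"option": option, "value": value, "csrf_token": self._csrf_token})

    def handle(self, url):
        req = _parse_set_request(url)
        token = req["csrf_token"]
        if token is None or not secrets.compare_digest(token, self._csrf_token):
            raise RequestDenied("invalid CSRF token for %s" % url)
        self.config[req["option"]] = req["value"]
        return "ok"


def load_page(handler, html):
    """Crude stand-in for the browser fetching a page's subresources: every
    src="..." URL is requested, so a qute:// URL reaches the handler.
    Returns a list of (url, outcome) pairs."""
    results = []
    for url in re.findall(r'src="([^"]+)"', html):
        try:
            results.append((url, handler.handle(url)))
        except RequestDenied as exc:
            results.append((url, "denied: %s" % exc))
    return results


# Constructed attacker page; the value is a placeholder for whatever command
# the attacker wants the editor setting to run.
ATTACKER_HTML = ('<img src="qute://settings/set?option=editor.command'
                 '&value=/tmp/attacker-controlled-command">')


def demo_vulnerable():
    """Loading the hostile page rewrites editor.command without any user action."""
    h = VulnerableSettingsHandler()
    load_page(h, ATTACKER_HTML)
    return h.config["editor.command"]


def demo_hardened():
    """The same page is refused, while the internal page's own change succeeds."""
    h = HardenedSettingsHandler()
    results = load_page(h, ATTACKER_HTML)
    h.handle(h.set_url("editor.command", "nvim {file}"))
    return results[0][1].startswith("denied"), h.config["editor.command"]


if __name__ == "__main__":
    print("vulnerable:", demo_vulnerable())
    print("hardened:", demo_hardened())
```

The token is what closes the hole: a Referer or initiator check alone is weaker, since the header can be absent or stripped, and a web page never needs to reach /set at all. The same pattern applies to any browser-internal scheme that performs privileged actions from a GET request.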


Axel Beckert (xtaran)
information type: Private Security → Public Security
Revision history for this message
Axel Beckert (xtaran) wrote :

Meh, can't link this bug report to a CVE report as Launchpad claims that "CVE-2018-10895 is not a valid CVE number". But it obviously is.

Revision history for this message
Axel Beckert (xtaran) wrote :

Ok, as of half an hour ago, Cosmic is fixed, probably due to the automatic sync from Debian Unstable.

tags: removed: cosmic
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in qutebrowser (Ubuntu):
status: New → Confirmed
Axel Beckert (xtaran)
tags: added: community-security
Simon Quigley (tsimonq2)
Changed in qutebrowser (Ubuntu Bionic):
status: New → In Progress
Changed in qutebrowser (Ubuntu):
importance: Undecided → Medium
Changed in qutebrowser (Ubuntu Bionic):
importance: Undecided → Medium
Changed in qutebrowser (Ubuntu):
assignee: nobody → Simon Quigley (tsimonq2)
Changed in qutebrowser (Ubuntu Bionic):
assignee: nobody → Simon Quigley (tsimonq2)
Changed in qutebrowser (Ubuntu):
assignee: Simon Quigley (tsimonq2) → nobody
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package qutebrowser - 1.1.1-1ubuntu0.1

---------------
qutebrowser (1.1.1-1ubuntu0.1) bionic-security; urgency=medium

  * SECURITY UPDATE: Remote code execution due to CSRF on the qute://settings
    page (LP: #1781295):
    - fix-CVE-2018-10895.patch
    - CVE-2018-10895
  * Add a build dependency on dh-python, fixing the FTBFS.

 -- Simon Quigley <email address hidden> Wed, 18 Jul 2018 19:24:09 -0500

Changed in qutebrowser (Ubuntu Bionic):
status: In Progress → Fix Released
Simon Quigley (tsimonq2)
Changed in qutebrowser (Ubuntu):
status: Confirmed → Fix Released
