-
-
Notifications
You must be signed in to change notification settings - Fork 1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CVE-2018-10895: Remote code execution due to CSRF on the qute://settings page #4060
Comments
In ffc29ee (part of v1.0.0), a qute://settings/set URL was added to change settings. Contrary to what I apparently believed at the time, it *is* possible for websites to access `qute://*` URLs (i.e., neither QtWebKit nor QtWebEngine prohibit such requests, other than the usual cross-origin rules). In other words, this means a website can e.g. have an `<img>` tag which loads a `qute://settings/set` URL, which then sets `editor.command` to a bash script. The result of that is arbitrary code execution. Fixes #4060 See #2332 (cherry picked from commit 43e58ac)
In ffc29ee (part of v1.0.0), a qute://settings/set URL was added to change settings. Contrary to what I apparently believed at the time, it *is* possible for websites to access `qute://*` URLs (i.e., neither QtWebKit nor QtWebEngine prohibit such requests, other than the usual cross-origin rules). In other words, this means a website can e.g. have an `<img>` tag which loads a `qute://settings/set` URL, which then sets `editor.command` to a bash script. The result of that is arbitrary code execution. Fixes #4060 See #2332 (cherry picked from commit 43e58ac)
In ffc29ee (part of v1.0.0), a qute://settings/set URL was added to change settings. Contrary to what I apparently believed at the time, it *is* possible for websites to access `qute://*` URLs (i.e., neither QtWebKit nor QtWebEngine prohibit such requests, other than the usual cross-origin rules). In other words, this means a website can e.g. have an `<img>` tag which loads a `qute://settings/set` URL, which then sets `editor.command` to a bash script. The result of that is arbitrary code execution. Fixes #4060 See #2332 (cherry picked from commit 43e58ac)
In ffc29ee (part of v1.0.0), a qute://settings/set URL was added to change settings. Contrary to what I apparently believed at the time, it *is* possible for websites to access `qute://*` URLs (i.e., neither QtWebKit nor QtWebEngine prohibit such requests, other than the usual cross-origin rules). In other words, this means a website can e.g. have an `<img>` tag which loads a `qute://settings/set` URL, which then sets `editor.command` to a bash script. The result of that is arbitrary code execution. Fixes #4060 See #2332 (cherry picked from commit 43e58ac)
CVE-2018-10895: Fix CSRF issue on the qute://settings page, leading to possible arbitrary code execution. See the related GitHub issue for details. qutebrowser/qutebrowser#4060 Removing all prior versions due to the above. Package-Manager: Portage-2.3.40, Repoman-2.3.9
Fixes CVE-2018-10895, a CSRF issue on the qute://settings page, leading to possible arbitrary code execution. See this GitHub issue for details: qutebrowser/qutebrowser#4060
I filed a Gentoo bug to get this bumped ASAP. |
@mschilli87 Those Gentoo bugs are probably not helpful, as the Gentoo maintainer is on the announce mailinglist as far as I know. In this case, the Gentoo package was already updated before you opened the bug... |
@The-Compiler yeah I just came back to edit my last comment. Somehow this slipped through a sync so I went ahead and filed it. Better safe then sorry I guess. But all is good now on my end. Sorry for the noise. 🙂 |
Change Log =========== v1.4.1 ------ Security ~~~~~~~~ - CVE-2018-10895: Fix CSRF issue on the qute://settings page, leading to possible arbitrary code execution. See the related GitHub issue for details: qutebrowser/qutebrowser#4060 Fixed ~~~~~ - Rare crash when an error occurs in downloads. - Newlines are now stripped from the :version pastebin URL. - There's a new `mkvenv-pypi-old` environment in `tox.ini` which installs an older Qt, which is needed on Ubuntu 16.04. - Worked around a Qt issue which redirects to a `chrome-error://` page when trying to use U2F. - The `link_pyqt.py` script now works correctly with PyQt 5.11. - The Windows installer now uninstalls the old version before installing the new one, fixing issues with qutebrowser not starting after installing v1.4.0 over v1.3.3.
Description
Due to a CSRF vulnerability affecting the
qute://settings
page, it waspossible for websites to modify qutebrowser settings. Via settings like
editor.command
, this possibly allowed websites to execute arbitrary code.This issue has been assigned CVE-2018-10895.
Affected versions
The issue was introduced in v1.0.0, as part of commit ffc29ee.
It was fixed in the v1.4.1 release, in commit 43e58ac.
All releases between v1.0.0 and v1.4.0 (inclusive) are affected.
Backported patches are available, but no additional releases are planned:
v1.1.x: ff686ff (patch)
v1.2.x: c3361c3 (patch)
v1.3.x: c2ff32d (patch)
v1.4.x: 22148ce (patch)
master: 43e58ac (patch)
Timeline
2018-07-09: I was made aware of the original issue privately (initially
believed by the reporter to only be a DoS issue), developed a fix and contacted
the distros Openwall mailinglist to organize a disclosure date to give
distributions time to coordinate releasing of a fix.
2018-07-10: Slightly updated patch sent to the distros mailinglist.
2018-07-11: Public disclosure.
Mitigation
Please upgrade to v1.4.1 or apply the patches above.
Note that disabling loading of
autoconfig.yml
is not a suitable remedy, sincesettings are still applied until the next restart.
As a workaround, it's possible to patch out the vulnerable code via a
config.py
file:While there is no known exploit for this in the wild, users are advised to
check their
autoconfig.yml
file (located in the config folder shown in:version
) for any unwanted modifications.Credits
Thanks to:
Company for their assistance with triaging and fixing the issue.
properly.
The text was updated successfully, but these errors were encountered: