[qutebrowser-announce] CVE-2018-10895: Remote code execution due to CSRF in qutebrowser
Florian Bruhin
me at the-compiler.org
Wed Jul 11 17:28:58 CEST 2018
Description
-----------
Due to a CSRF vulnerability affecting the `qute://settings` page, it was
possible for websites to modify qutebrowser settings with a request they
triggered themselves. Via settings such as `editor.command` (which names the
external program qutebrowser launches), this could allow a website to execute
arbitrary code.
This issue has been assigned CVE-2018-10895:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10895
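To make the bug class concrete, the following is an added example written for this page; it is not code from qutebrowser and does not reproduce the actual fix. It models a privileged internal-scheme handler that applies a settings change: the unchecked variant honours any well-formed request, so a page on an ordinary origin that embeds the URL as a subresource can change `editor.command`; the hardened variant refuses requests unless the top-level page that triggered them is itself a `qute://` page. The `qute://settings/set?option=...&value=...` query layout, the function names, the `first_party_url` parameter and the attacker page are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit


@dataclass
class Settings:
    """Toy settings store holding only the option the advisory names.
    Values are kept as raw strings; a real config parses typed values."""
    values: dict = field(
        default_factory=lambda: {"editor.command": "gvim -f {file}"})

    def set_option(self, option, value):
        if option not in self.values:
            raise KeyError(option)
        self.values[option] = value


def parse_set_request(url):
    """Return (option, value) for a request of the assumed form
    qute://settings/set?option=NAME&value=VALUE, else None."""
    parts = urlsplit(url)
    if (parts.scheme, parts.netloc, parts.path) != ("qute", "settings", "/set"):
        return None
    query = parse_qs(parts.query)
    if "option" not in query or "value" not in query:
        return None
    return query["option"][0], query["value"][0]


def handle_set_unchecked(settings, url):
    """The bug class: a well-formed request is honoured no matter which page
    made the browser issue it, so any site that can embed the URL as a
    subresource can change settings."""
    parsed = parse_set_request(url)
    if parsed is None:
        return "text/html", b"bad request"
    settings.set_option(*parsed)
    return "text/html", b"ok"


def handle_set_hardened(settings, url, first_party_url):
    """Same handler behind a first-party check: the change is applied only
    when the top-level page that triggered the request is itself qute://.
    Requests caused by http(s) content are refused before being parsed."""
    if urlsplit(first_party_url).scheme != "qute":
        return "text/html", b"forbidden"
    return handle_set_unchecked(settings, url)


# Constructed attack: an ordinary web page embeds the privileged URL as a
# subresource (for example an <img src=...>), so the browser fetches it with
# the attacker's page as the first party.
ATTACKER_PAGE = "https://attacker.example/"
FORGED_REQUEST = ("qute://settings/set?option=editor.command"
                  "&value=sh%20-c%20%22echo%20pwned%22")


def editor_command_after(first_party_url, request_url, hardened):
    """Run one request through either handler on a fresh store and report
    the resulting editor.command, so the two behaviours can be compared."""
    settings = Settings()
    if hardened:
        handle_set_hardened(settings, request_url, first_party_url)
    else:
        handle_set_unchecked(settings, request_url)
    return settings.values["editor.command"]


if __name__ == "__main__":
    print("unchecked, from attacker page:",
          editor_command_after(ATTACKER_PAGE, FORGED_REQUEST, hardened=False))
    print("hardened, from attacker page:",
          editor_command_after(ATTACKER_PAGE, FORGED_REQUEST, hardened=True))
    print("hardened, from qute://settings:",
          editor_command_after("qute://settings/", FORGED_REQUEST, hardened=True))
```

The unchecked handler ends up with `editor.command` set to the attacker's string, the hardened one leaves the default in place while still serving the legitimate settings page. A check of this kind only works if the browser engine reliably reports which page triggered a request and if `qute://` pages never render untrusted content; the `config.py` workaround further down in this advisory is the blunt alternative of disabling the handler altogether.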
Affected versions
-----------------
The issue was introduced in v1.0.0, as part of commit ffc29ee.
https://github.com/qutebrowser/qutebrowser/commit/ffc29ee
It was fixed in the v1.4.1 release, in commit 43e58ac.
https://github.com/qutebrowser/qutebrowser/commit/43e58ac865ff862c2008c510fc5f7627e10b4660
All releases between v1.0.0 and v1.4.0 (inclusive) are affected.
Backported patches are available, but no additional releases are planned:
v1.1.x: https://github.com/qutebrowser/qutebrowser/commit/ff686ff7f395d83e5ac48507ecfae0b0e97a61ef
v1.2.x: https://github.com/qutebrowser/qutebrowser/commit/c3361c31b370140f323e481dd455450b1e74c099
v1.3.x: https://github.com/qutebrowser/qutebrowser/commit/c2ff32d92ba9bf40ff53498ee04a4124d4993c85
v1.4.x: https://github.com/qutebrowser/qutebrowser/commit/22148ce488da52e8a0e01ed937c0cfdb24d34775
master: https://github.com/qutebrowser/qutebrowser/commit/43e58ac865ff862c2008c510fc5f7627e10b4660
(add .patch to the URL to get patches)
Timeline
--------
2018-07-09: I was made aware of the original issue privately (initially
believed by the reporter to only be a DoS issue), developed a fix and contacted
the distros Openwall mailing list to organize a disclosure date, giving
distributions time to coordinate the release of a fix.
2018-07-10: Slightly updated patch sent to the distros mailinglist.
2018-07-11: Public disclosure.
Mitigation
----------
Please upgrade to v1.4.1 or apply the patches above.
Note that disabling loading of `autoconfig.yml` is not a suitable remedy: a
malicious page can still change settings in the running session, and those
changes stay in effect until the next restart.
As a workaround, it's possible to patch out the vulnerable code via a
`config.py` file, replacing the handler that applies the requested setting
change with a stub that returns an empty `text/html` response:

    from qutebrowser.browser import qutescheme
    # qute:// handlers return a (mimetype, data) tuple; this stub ignores the
    # request entirely, so pages can no longer change settings through it.
    qutescheme._qute_settings_set = lambda url: ('text/html', '')
While there is no known exploit for this in the wild, users are advised to
check their `autoconfig.yml` file (located in the config folder shown in
`:version`) for any unwanted modifications.
Credits
-------
Thanks to:
- toofar for reporting the initial issue.
- Allan Sandfeld Jensen (carewolf) and Jüri Valdmann (juvaldma) of The Qt
Company for their assistance with triaging and fixing the issue.
- toofar and Jay Kamat (jgkamat) for reviewing the patch.
- Morten Linderud (Foxboron) for suggestions on how to disclose this
properly.
Links
-----
- https://github.com/qutebrowser/qutebrowser/issues/4060
--
https://www.qutebrowser.org | me at the-compiler.org (Mail/XMPP)
GPG: 916E B0C8 FD55 A072 | https://the-compiler.org/pubkey.asc
I love long mails! | https://email.is-not-s.ms/