Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 11 Jul 2018 17:34:31 +0200
From: Florian Bruhin <me@...-compiler.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2018-10895: Remote code execution due to CSRF in qutebrowser

Description
-----------

Due to a CSRF vulnerability affecting the `qute://settings` page, it was
possible for websites to modify qutebrowser settings. Via settings like
`editor.command`, this possibly allowed websites to execute arbitrary code.

This issue has been assigned CVE-2018-10895:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10895

Affected versions
-----------------

The issue was introduced in v1.0.0, as part of commit ffc29ee.
https://github.com/qutebrowser/qutebrowser/commit/ffc29ee

It was fixed in the v1.4.1 release, in commit 43e58ac.
https://github.com/qutebrowser/qutebrowser/commit/43e58ac865ff862c2008c510fc5f7627e10b4660

All releases between v1.0.0 and v1.4.0 (inclusive) are affected.
Backported patches are available, but no additional releases are planned:

v1.1.x: https://github.com/qutebrowser/qutebrowser/commit/ff686ff7f395d83e5ac48507ecfae0b0e97a61ef
v1.2.x: https://github.com/qutebrowser/qutebrowser/commit/c3361c31b370140f323e481dd455450b1e74c099
v1.3.x: https://github.com/qutebrowser/qutebrowser/commit/c2ff32d92ba9bf40ff53498ee04a4124d4993c85
v1.4.x: https://github.com/qutebrowser/qutebrowser/commit/22148ce488da52e8a0e01ed937c0cfdb24d34775
master: https://github.com/qutebrowser/qutebrowser/commit/43e58ac865ff862c2008c510fc5f7627e10b4660

(add .patch to the URL to get patches)

Timeline
--------

2018-07-09: I was made aware of the original issue privately (initially
believed by the reporter to only be a DoS issue), developed a fix and contacted
the distros Openwall mailinglist to organize a disclosure date to give
distributions time to coordinate releasing of a fix.

2018-07-10: Slightly updated patch sent to the distros mailinglist.

2018-07-11: Public disclosure.

Mitigation
----------

Please upgrade to v1.4.1 or apply the patches above.

Note that disabling loading of `autoconfig.yml` is not a suitable remedy, since
settings are still applied until the next restart.

As a workaround, it's possible to patch out the vulnerable code via a
`config.py` file:

    from qutebrowser.browser import qutescheme
    qutescheme._qute_settings_set = lambda url: ('text/html', '')

While there is no known exploit for this in the wild, users are advised to
check their `autoconfig.yml` file (located in the config folder shown in
`:version`) for any unwanted modifications.

Credits
-------

Thanks to:

- toofar for reporting the initial issue.
- Allan Sandfeld Jensen (carewolf) and Jüri Valdmann (juvaldma) of The Qt
  Company for their assistance with triaging and fixing the issue.
- toofar and Jay Kamat (jgkamat) for reviewing the patch.
- Morten Linderud (Foxboron) for suggestions on how to disclose this
  properly.

Links
-----

- https://github.com/qutebrowser/qutebrowser/issues/4060
- https://lists.schokokeks.org/pipermail/qutebrowser-announce/2018-July/000048.html

-- 
https://www.qutebrowser.org | me@...-compiler.org (Mail/XMPP)
   GPG: 916E B0C8 FD55 A072 | https://the-compiler.org/pubkey.asc
         I love long mails! | https://email.is-not-s.ms/

Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.