*** This bug is a security vulnerability *** Public security bug reported:
qutebrowser 1.0.0 to 1.4.0 allows websites to change configuration settings via the qute://settings page by using CSRF. E.g. via the editor setting, this can very likely lead to a remote code execution.

This has been fixed in 1.4.1, uploaded to Debian Unstable a few hours ago. Patches for earlier releases are available upstream.

Details at upstream and OSS security:
http://www.openwall.com/lists/oss-security/2018/07/11/7
https://github.com/qutebrowser/qutebrowser/issues/4060

Introduced in: https://github.com/qutebrowser/qutebrowser/commit/ffc29ee (v1.0.0)
Fixed in: https://github.com/qutebrowser/qutebrowser/commit/43e58ac865ff862c2008c510fc5f7627e10b4660 (v1.4.1)

Ubuntu is affected in Bionic (1.1.1-1) and Cosmic (1.4.0-1).

** Affects: qutebrowser (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: bionic cosmic

** Information type changed from Private Security to Public Security

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1781295

Title:
  CVE-2018-10895: Possible remote code execution via CSRF in qute://settings
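As an added illustration of the bug class described above (example code written for this page, not qutebrowser's own code, and not a model of its real qute://settings URL layout): a toy browser-internal settings page that applies changes from a URL, shown once without any check and once requiring a per-page secret token plus an internal-origin referer, which is the kind of guard such a page needs so that an arbitrary website cannot drive it. The origin, option name and foreign site below are constructed.

```python
"""Added example (not qutebrowser's code): why a privileged settings page that
takes its instructions from a URL needs an anti-CSRF token."""
import secrets
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Assumption: the internal page lives at this origin. The real qute://settings
# URL layout is not modelled here.
INTERNAL_ORIGIN = "qute://settings"


def _origin(url: str) -> str:
    """Return scheme://host of a URL, which is what the referer check compares."""
    parts = urlsplit(url)
    return "%s://%s" % (parts.scheme, parts.netloc)


class SettingsPage:
    """Minimal model of a privileged settings page reached through a URL."""

    def __init__(self) -> None:
        self.values = {"example.option": "default"}  # constructed option name
        # Secret generated when the page is opened and embedded only in the
        # page's own markup, so a foreign site never learns it.
        self.token = secrets.token_urlsafe(32)

    def _parse(self, url: str) -> Optional[Tuple[str, str]]:
        query = parse_qs(urlsplit(url).query)
        if "option" not in query or "value" not in query:
            return None
        return query["option"][0], query["value"][0]

    def apply_unchecked(self, url: str, referer: Optional[str]) -> bool:
        """Pre-fix behaviour: any request carrying option/value is applied,
        regardless of which page caused it. Returns True if a value changed."""
        parsed = self._parse(url)
        if parsed is None:
            return False
        option, value = parsed
        self.values[option] = value
        return True

    def apply_checked(self, url: str, referer: Optional[str],
                      token: Optional[str]) -> bool:
        """Hardened behaviour: the request must carry the page's own secret
        token (compared in constant time) and must come from the internal page."""
        parsed = self._parse(url)
        if parsed is None:
            return False
        if token is None or not secrets.compare_digest(token, self.token):
            return False
        if referer is None or _origin(referer) != INTERNAL_ORIGIN:
            return False
        option, value = parsed
        self.values[option] = value
        return True


def demo() -> Tuple[bool, bool, bool]:
    """Run both handlers against a request caused by a foreign site and against
    a request from the page itself. Returns (unchecked handler applied the
    foreign request, checked handler applied it, checked handler applied the
    legitimate request)."""
    request = INTERNAL_ORIGIN + "/set?option=example.option&value=changed"
    foreign_referer = "https://third-party.example/"  # constructed foreign origin

    page = SettingsPage()
    unchecked_foreign = page.apply_unchecked(request, foreign_referer)

    page = SettingsPage()
    # A foreign page cannot read the token, so the best it can do is omit or guess it.
    checked_foreign = page.apply_checked(request, foreign_referer, token=None)
    checked_guess = page.apply_checked(request, foreign_referer,
                                       token=secrets.token_urlsafe(32))
    assert not checked_guess

    checked_legit = page.apply_checked(request, INTERNAL_ORIGIN + "/", page.token)
    return unchecked_foreign, checked_foreign, checked_legit


if __name__ == "__main__":
    print(demo())  # → (True, False, True)
```

The request caused by a foreign site succeeds against the unchecked handler and is rejected by the checked one, while the page itself, which knows its own token, still succeeds. The token is the essential part of the fix; the referer comparison is defence in depth on top of it.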