| Summary: | <app-misc/anki-2.1.0_beta27: Embedded web browser used to display cards is not restricted | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | patrick, tech31842, xmw |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://anki.tenderapp.com/discussions/ankidesktop/15320-security-issues-with-the-anki-browser | | |
| See Also: | https://bugzilla.redhat.com/show_bug.cgi?id=1270803 https://bugs.gentoo.org/show_bug.cgi?id=620826 | | |
| Whiteboard: | B2 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |

Description
Agostino Sarubbo
2015-10-13 08:12:36 UTC
Does upstream know about this? I can't see any indication that somebody has reported it.

(In reply to Thomas Kahle from comment #1)
> Does upstream know about this? I can't see any indication that somebody has reported it.

Reported upstream: https://anki.tenderapp.com/discussions/ankidesktop/15320-security-issues-with-the-anki-browser

I have no account on Fedora bugzilla. It would be good if somebody could link it there too.

https://anki.tenderapp.com/discussions/ankidesktop/15320-security-issues-with-the-anki-browser#comment_41757644
> This has been fixed in the alpha builds - we serve all media content over a local socket and local file access is not allowed.

I requested information about the first version introducing this change.

I'm not 100% sure about the version, but going by the response, I think it's fixed in the 2.1.0 series (which hasn't had a non-alpha release yet).

Posted on their system:
______________________________
Any chance you can pull this in to the main line build 2.0.X to fix the security problem? As I do not know your plans, but 2.1.X is probably not going to go live for some time and it is a good idea to fix a security bug that has been around since 2015.

OK, got a reply:

There are some problems preventing this I'm afraid. Some users use file:// URLs in their collections, and I'm not sure we should be breaking that functionality in a point release. And as mentioned in a post above, it doesn't seem to be possible to control local file access in conjunction with setHtml() - the alphas are relying on the fact that WebEngine behaves differently to WebKit when local HTML is injected.
______________________________
So I guess we are stuck waiting for alpha to become production, unless you would like to do something else.

(In reply to SpanKY from comment #4)
> i'm not 100% sure about the version, but going by the response, i think it's fixed in the 2.1.0 series (which hasn't had a non-alpha release yet)

2.1.0_beta27 is in ::gentoo now and <2.1 is masked for removal due to Qt4, so this one will go away. Package is unstable now.
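
The upstream reply quoted in this thread describes the fix as serving media over a local socket with local file access disallowed. As an added illustration (not Anki's code and not part of this bug report), the example below shows that pattern with the Python standard library: a loopback-only HTTP server that refuses any request resolving outside one media directory. The names `resolve_media_path`, `MediaHandler` and `make_server`, and the `./media` directory, are assumptions made for the example.

```python
import http.server
import urllib.parse
from pathlib import Path


def resolve_media_path(media_dir, url_path):
    """Return the file under media_dir named by url_path, or None if refused."""
    root = Path(media_dir).resolve()
    # Drop query and fragment, then percent-decode so "%2e%2e" is seen as "..".
    raw = urllib.parse.unquote(url_path.split("?", 1)[0].split("#", 1)[0])
    if "\x00" in raw or "\\" in raw:
        return None
    # resolve() collapses ".." and follows symlinks, so the containment
    # check below is made on the real location of the file.
    candidate = (root / raw.lstrip("/")).resolve()
    if root not in candidate.parents:
        return None
    return candidate if candidate.is_file() else None


class MediaHandler(http.server.BaseHTTPRequestHandler):
    media_dir = "."  # overridden per server in make_server()

    def do_GET(self):
        target = resolve_media_path(self.media_dir, self.path)
        if target is None:
            self.send_error(404)  # same answer for "missing" and "outside"
            return
        data = target.read_bytes()
        self.send_response(200)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


def make_server(media_dir):
    handler = type("Handler", (MediaHandler,), {"media_dir": str(media_dir)})
    # Loopback only; port 0 lets the OS pick a free port for this session.
    return http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)


if __name__ == "__main__":
    server = make_server("./media")  # constructed directory name
    print("serving media on http://127.0.0.1:%d/" % server.server_address[1])
    server.serve_forever()
```

Card HTML would then reference media by `http://127.0.0.1:<port>/<name>` rather than by `file://` paths, which is the compatibility cost the upstream reply mentions for collections that use `file://` URLs.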