
Bug 721564 (CVE-2020-11054)

Summary: www-client/qutebrowser: TLS status bar weakness (CVE-2020-11054)
Product: Gentoo Security
Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: gentoo.org, guillaumeseren, proxy-maint, sam
Priority: Normal
Keywords: PullRequest
Version: unspecified
Hardware: All
OS: Linux
URL: https://github.com/qutebrowser/qutebrowser/security/advisories/GHSA-4rcq-jv2f-898j
See Also: https://github.com/gentoo/gentoo/pull/15690
Whiteboard: ~4 [cve]
Package list:
Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2020-05-07 23:02:04 UTC
CVE-2020-11054 (https://nvd.nist.gov/vuln/detail/CVE-2020-11054):
  ** RESERVED ** This candidate has been reserved by an organization or
  individual that will use it when announcing a new security problem. When the
  candidate has been publicized, the details for this candidate will be
  provided.
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-05-07 23:02:51 UTC
@maintainer(s), please bump.

Description:
"After a certificate error was overridden by the user, qutebrowser displays the URL as yellow (colors.statusbar.url.warn.fg). However, when the affected website was subsequently loaded again, the URL was mistakenly displayed as green (colors.statusbar.url.success_https). While the user already has seen a certificate error prompt at this point (or set content.ssl_strict to false which is not recommended), this could still provide a false sense of security."
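The state-tracking mistake behind the advisory quoted above, as an added illustration that is not qutebrowser's own code: a hypothetical per-tab model in which the status bar colour is derived only from the current load (the bug) versus one that also remembers hosts whose certificate error the user overrode (the fix). The host names and the assumption that the TLS layer does not prompt a second time once an override has been accepted are constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum

class UrlColor(str, Enum):
    # Named after the qutebrowser settings keys quoted in the advisory.
    SUCCESS_HTTPS = "colors.statusbar.url.success_https"
    WARN = "colors.statusbar.url.warn.fg"
    ERROR = "colors.statusbar.url.error.fg"

@dataclass
class TabTlsState:
    """Hypothetical per-tab TLS bookkeeping, not qutebrowser's own code.
    remember_overrides=False models CVE-2020-11054: only the current load's
    certificate error counts, so a reload that the cached override accepts
    silently is coloured like a clean HTTPS load."""
    remember_overrides: bool = True
    overridden_hosts: set = field(default_factory=set)
    error_in_current_load: bool = False

    def load_started(self, host: str) -> None:
        self.error_in_current_load = False  # per-navigation flag is reset

    def cert_error(self, host: str, user_accepts: bool) -> None:
        self.error_in_current_load = True
        if user_accepts:
            self.overridden_hosts.add(host)  # override persists for the tab

    def load_finished(self, host: str, ok: bool) -> UrlColor:
        if not ok:
            return UrlColor.ERROR
        if self.error_in_current_load:
            return UrlColor.WARN
        if self.remember_overrides and host in self.overridden_hosts:
            return UrlColor.WARN  # override still in effect: never show green
        return UrlColor.SUCCESS_HTTPS

def simulate(remember_overrides: bool) -> list:
    """Constructed sequence: certificate error overridden, the same host
    reloaded (no second prompt, the override is cached), then a clean host."""
    tab = TabTlsState(remember_overrides=remember_overrides)
    colors = []
    tab.load_started("bad-cert.example")
    tab.cert_error("bad-cert.example", user_accepts=True)
    colors.append(tab.load_finished("bad-cert.example", ok=True))
    tab.load_started("bad-cert.example")
    colors.append(tab.load_finished("bad-cert.example", ok=True))
    tab.load_started("good-cert.example")
    colors.append(tab.load_finished("good-cert.example", ok=True))
    return colors
```

With `remember_overrides=False` the second load of the overridden host comes back green, which is the false sense of security the advisory describes; with it enabled the host stays yellow until the tab's override state is cleared.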
Comment 2 Guillaume Seren 2020-05-08 22:31:13 UTC
Hello,
I am in the process of bumping to 1.11.1, which fixes the CVE according to the security page.
I think I need to drop or mask the older version, right?
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-05-08 22:34:26 UTC
(In reply to Guillaume Seren from comment #2)
> Hello,
> I am in process of bumping to 1.11.1 which fix the CVE according to the
> security page.
> I think I need to drop or mask the older version right ?

Yep, a bump to 1.11.1 is needed.

After that (include the Bug: tag in your commit so we see it, but not Closes:), we'll ask you to clean up (drop older versions), but given this is not a stable package, you are welcome to immediately clean up in the same PR.

Don't bother with a mask unless there is some specific reason that a package depends on it.
Comment 4 Larry the Git Cow gentoo-dev 2020-05-12 13:57:51 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=588ffb8d4796db8219d338489fcae4a66c72b8c1

commit 588ffb8d4796db8219d338489fcae4a66c72b8c1
Author:     Guillaume Seren <guillaumeseren@gmail.com>
AuthorDate: 2020-05-08 22:47:39 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2020-05-12 13:57:07 +0000

    www-client/qutebrowser: Drop old versions
    
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Closes: https://bugs.gentoo.org/721544
    Bug: https://bugs.gentoo.org/721564
    Signed-off-by: Guillaume Seren <guillaumeseren@gmail.com>
    Closes: https://github.com/gentoo/gentoo/pull/15690
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 www-client/qutebrowser/Manifest                  |  2 -
 www-client/qutebrowser/qutebrowser-1.10.1.ebuild | 78 ------------------------
 www-client/qutebrowser/qutebrowser-1.8.3.ebuild  | 77 -----------------------
 3 files changed, 157 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a74c87075416ecbb5c0c19f3b31e07ec05a60ca2

commit a74c87075416ecbb5c0c19f3b31e07ec05a60ca2
Author:     Guillaume Seren <guillaumeseren@gmail.com>
AuthorDate: 2020-05-07 20:18:31 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2020-05-12 13:57:06 +0000

    www-client/qutebrowser: Bump 9999 dependencies
    
    Closes: https://bugs.gentoo.org/721544
    Closes: https://bugs.gentoo.org/718120
    Bug: https://bugs.gentoo.org/721564
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Guillaume Seren <guillaumeseren@gmail.com>
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 www-client/qutebrowser/qutebrowser-9999.ebuild | 26 ++++++++++----------------
 1 file changed, 10 insertions(+), 16 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=14002f67cfb94e73bfd80993331e55ef2b6c14b3

commit 14002f67cfb94e73bfd80993331e55ef2b6c14b3
Author:     Guillaume Seren <guillaumeseren@gmail.com>
AuthorDate: 2020-05-07 20:13:40 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2020-05-12 13:57:06 +0000

    www-client/qutebrowser: Add version bump 1.11.1
    
    Closes: https://bugs.gentoo.org/721544
    Closes: https://bugs.gentoo.org/718120
    Bug: https://bugs.gentoo.org/721564
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Guillaume Seren <guillaumeseren@gmail.com>
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 www-client/qutebrowser/Manifest                  |  1 +
 www-client/qutebrowser/qutebrowser-1.11.1.ebuild | 75 ++++++++++++++++++++++++
 2 files changed, 76 insertions(+)
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-05-12 13:58:53 UTC
All done. Thank you!