Bug 660840 (CVE-2018-10895) - <www-client/qutebrowser-1.4.1: Remote Code Execution via CSRF (CVE-2018-10895)
Summary: <www-client/qutebrowser-1.4.1: Remote Code Execution via CSRF (CVE-2018-10895)
Alias: CVE-2018-10895
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
Whiteboard: ~2 [noglsa]
Duplicates: 660948
Depends on:
Reported: 2018-07-10 11:50 UTC by Thomas Deutschmann (RETIRED)
Modified: 2018-07-11 22:22 UTC
See Also:
Package list:
Runtime testing required: ---
Description Thomas Deutschmann (RETIRED) gentoo-dev 2018-07-10 11:50:47 UTC
Incoming details.
Comment 1 Justin Bronder (RETIRED) gentoo-dev 2018-07-10 21:23:58 UTC
I was hoping we'd get details today so I could post any diffs here for others to commit tomorrow.  Best case, I'm going to be available until 14:00 UTC on 2018-07-11.

If this is severe, please go ahead and do anything that needs to be done in the tree.  Otherwise I'll do my best to take action when I'm available tomorrow.
Comment 2 Justin Bronder (RETIRED) gentoo-dev 2018-07-11 15:24:16 UTC
commit 64e278e605b056a47e304f0f56c3a22ecb98fa90
Author: Justin Bronder <>
Date:   Wed Jul 11 11:21:35 2018 -0400

    www-client/qutebrowser: bump 1.4.1
    CVE-2018-10895: Fix CSRF issue on the qute://settings page, leading to
    possible arbitrary code execution. See the related GitHub issue for details.
    Removing all prior versions due to the above.
    Package-Manager: Portage-2.3.40, Repoman-2.3.9
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2018-07-11 15:54:11 UTC

Due to a CSRF vulnerability affecting the `qute://settings` page, it was
possible for websites to modify qutebrowser settings. Via settings like
`editor.command`, this possibly allowed websites to execute arbitrary code.

This issue has been assigned CVE-2018-10895:

Affected versions

The issue was introduced in v1.0.0, as part of commit ffc29ee.

It was fixed in the v1.4.1 release, in commit 43e58ac.

All releases between v1.0.0 and v1.4.0 (inclusive) are affected.
Backported patches are available, but no additional releases are planned:


(add .patch to the URL to get patches)


2018-07-09: I was made aware of the original issue privately (initially
believed by the reporter to only be a DoS issue), developed a fix and contacted
the distros Openwall mailinglist to organize a disclosure date to give
distributions time to coordinate releasing of a fix.

2018-07-10: Slightly updated patch sent to the distros mailinglist.

2018-07-11: Public disclosure.


Please upgrade to v1.4.1 or apply the patches above.

Note that disabling loading of `autoconfig.yml` is not a suitable remedy, since
settings are still applied until the next restart.

As a workaround, it's possible to patch out the vulnerable code via a
`` file:

    # Replace the qute://settings setter with a no-op that returns an empty page,
    # so a web page can no longer change settings through it.
    from qutebrowser.browser import qutescheme
    qutescheme._qute_settings_set = lambda url: ('text/html', '')

While there is no known exploit for this in the wild, users are advised to
check their `autoconfig.yml` file (located in the config folder shown in
`:version`) for any unwanted modifications.


Thanks to:

- toofar for reporting the initial issue.
- Allan Sandfeld Jensen (carewolf) and Jüri Valdmann (juvaldma) of The Qt
  Company for their assistance with triaging and fixing the issue.
- toofar and Jay Kamat (jgkamat) for reviewing the patch.
- Morten Linderud (Foxboron) for suggestions on how to disclose this


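The advisory above tells users to inspect `autoconfig.yml` for unwanted modifications. The following Python audit script is an added example, not part of the bug report or of qutebrowser itself: it assumes the file's `settings:` mapping has the layout option name -> {scope: value} (scope being `global` or a URL pattern), treats `editor.command` (named in the advisory) and, as an assumption, `downloads.open_dispatcher` as options whose value is an external program, and only needs PyYAML when reading a real file.

```python
"""Audit a qutebrowser autoconfig.yml for settings a website may have planted."""
try:
    import yaml  # PyYAML; only needed by load_autoconfig() to read a real file
except ImportError:
    yaml = None

# Options whose value is an external program qutebrowser launches. editor.command
# is the option the advisory names; downloads.open_dispatcher is assumed here as
# another command-spawning 1.x option. Extend the set for your own setup.
COMMAND_OPTIONS = frozenset({"editor.command", "downloads.open_dispatcher"})


def load_autoconfig(path):
    """Return the `settings` mapping of an autoconfig.yml file (needs PyYAML)."""
    if yaml is None:
        raise RuntimeError("PyYAML is required to read autoconfig.yml")
    with open(path, encoding="utf-8") as fh:
        data = yaml.safe_load(fh) or {}
    return data.get("settings") or {}


def audit(settings, expected=None):
    """Return [(severity, option, scope, value)] for entries worth reviewing.

    `expected` maps option names to the values the user knows they set; any
    other entry was not put there by the user. Entries whose option launches
    a program are flagged HIGH, everything else unexpected is flagged REVIEW.
    """
    expected = expected or {}
    findings = []
    for option, scopes in sorted(settings.items()):
        if not isinstance(scopes, dict):  # tolerate a bare value
            scopes = {"global": scopes}
        for scope, value in sorted(scopes.items()):
            if scope == "global" and expected.get(option) == value:
                continue  # exactly what the user configured on purpose
            severity = "HIGH" if option in COMMAND_OPTIONS else "REVIEW"
            findings.append((severity, option, scope, value))
    return findings


# Constructed sample in autoconfig.yml's layout; not a real capture.
SAMPLE_SETTINGS = {
    "content.javascript.enabled": {"global": True},
    "editor.command": {"global": ["/tmp/.cache/run.sh", "{}"]},
    "url.start_pages": {"global": ["http://example.invalid/"]},
}
EXPECTED = {"content.javascript.enabled": True}

if __name__ == "__main__":
    for finding in audit(SAMPLE_SETTINGS, EXPECTED):
        print("%-6s %s [%s] = %r" % finding)
```

Run it against `load_autoconfig(<path from :version>)` with `expected` filled from your own `config.py` values; a HIGH finding means a command-running option holds a value you did not set.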
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2018-07-11 15:54:40 UTC
All done, repository is clean.
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2018-07-11 22:22:02 UTC
*** Bug 660948 has been marked as a duplicate of this bug. ***