CVE-2018-10895

Advisory

Qutebrowser 1.4.1 fixes the CSRF issue on the qute://settings page, leading to possible arbitrary code execution. See https://github.com/qutebrowser/qutebrowser/issues/4060 and CVE-2018-10895.

Affected package

Affected versions

Fixed versions

Vulnerability changelog

Changed

- Windows/macOS releases now ship with Qt 5.12.2, which includes
security fixes up to Chromium 72.0.3626.121 (including CVE-2019-5786
which is known to be exploited in the wild).

Fixed

- Crash when using `:config-{dict,list}-{add,remove}` with an invalid setting.
- Functionality like hinting on pages with an element with ID `_qutebrowser` (such as qutebrowser.org) on Qt 5.12.
- The .desktop file in v1.6.0 was missing the "Actions" key, which is now fixed.
- The SVG icon now has a size of 256x256px set to comply with freedesktop standards.
- Setting `colors.statusbar.*.bg` to a gradient now has the expected effect of
the gradient spanning the entire statusbar.

Resources

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10895
• https://github.com/qutebrowser/qutebrowser/commit/43e58ac865ff862c2008c510fc5f7627e10b4660
• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10895
• http://www.openwall.com/lists/oss-security/2018/07/11/7