Safety vulnerability ID: 49013
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Qutebrowser 2.4.0 fixes an arbitrary command execution vulnerability on Windows via URL handler argument injection (CVE-2021-41146).
https://github.com/qutebrowser/qutebrowser/security/advisories/GHSA-vw27-fwjf-5qxm
Latest version: 3.4.0
A keyboard-driven, vim-like browser based on Python and Qt.
Security
- **CVE-2021-41146**: Fix arbitrary command execution on Windows via URL handler argument injection. See the [security advisory](https://github.com/qutebrowser/qutebrowser/security/advisories/GHSA-vw27-fwjf-5qxm) for details.
Added
- New `content.blocking.hosts.block_subdomains` setting which can be used to disable the subdomain blocking for the hosts-based adblocker introduced in v2.3.0.
- New `downloads.prevent_mixed_content` setting to prevent insecure mixed-content downloads (true by default).
- New `--private` flag for `:tab-clone`, which clones a tab into a new private window, mirroring the same flags for `:open` and `:tab-give`.
Fixed
- Switching tabs via mouse wheel scrolling now works properly on macOS. Set `tabs.mousewheel_switching` to false if you prefer the previous behavior.
- Speculative fix for a crash when closing qutebrowser while a systray notification is shown.