From me at the-compiler.org Tue Jul 3 16:05:53 2018
From: me at the-compiler.org (Florian Bruhin)
Date: Tue, 3 Jul 2018 16:05:53 +0200
Subject: [qutebrowser-announce] qutebrowser v1.4.0 released!
Message-ID: <20180703140553.m37inzt3fa2kddwr@hooch.localdomain>

Hey,

I'm happy to announce I just released qutebrowser v1.4.0. This release comes with a lot of new features, and (hopefully) full compatibility with Qt 5.11.1 and PyQt 5.11.2.

Notably, the web inspector now works without --enable-webengine-inspector (and without needing to listen on a local port) on Qt 5.11, third-party cookies are blocked by default on Qt 5.11 (and the `content.cookies.accept` setting works on QtWebEngine), and various other privacy-related settings were added.

Note that 32-bit support for Windows was dropped, as a consequence of QtWebEngine doing the same (as Chromium only supports 32-bit with MSVC 2017, but Qt's official binaries are not built with that). I could release a build based on Qt 5.10, but that means an outdated Qt/Chromium, so I'd rather not, as I suspect many people downloading the 32-bit builds actually have a 64-bit OS. Let me know if you need a 32-bit build though, so I can have an idea of how needed it actually is.

Full changelog:

Added
~~~~~

- Support for the bundled `sip` module in PyQt 5.11 and other changes in Qt/PyQt 5.11.x.
- New `--debug-flag log-requests` to log requests to the debug log for debugging.
- New `--first` flag for `:hint` (bound to `gi` for inputs) which automatically selects the first hint.
- New `input.escape_quits_reporter` setting which can be used to avoid accidentally quitting the crash reporter when pressing escape.
- New `qute-lastpass` userscript which uses the LastPass CLI to fill passwords.
- The Makefile now installs a `/usr/share/metainfo/qutebrowser.appdata.xml` file.
- QtWebEngine: Support for printing from webpages via `window.print`.
- QtWebEngine: Support for muting tabs:
  * New `{audio}` field for `window.title_format` and `tabs.title.format` which displays `[M]`/`[A]` for muted/recently audible tabs.
  * New `:tab-mute` command (bound to ``) to mute/unmute a tab.
- QtWebEngine: Support for `content.cookies.accept` with third-party cookies blocked by default (requires Qt 5.11).
- QtWebEngine: New settings:
  * Support for requesting persistent storage via `navigator.webkitPersistentStorage.requestQuota` with a new `content.persistent_storage` setting (requires Qt 5.11). This setting also supports URL patterns.
  * Support for registering custom protocol handlers via `navigator.registerProtocolHandler` with a new `content.register_protocol_handler` setting (requires Qt 5.11). This setting also supports URL patterns.
  * Support for WebRTC screen sharing with a new `content.desktop_capture` setting (requires Qt 5.10). This setting also supports URL patterns.
  * New `content.autoplay` setting to enable/disable automatic video playback (requires Qt 5.10).
  * New `content.webrtc_public_interfaces_only` setting to only expose public interfaces over WebRTC (requires Qt 5.9.2 or 5.11).
  * New `content.canvas_reading` setting to disable reading from canvas elements.

Changed
~~~~~~~

- The following settings now support URL patterns:
  * `content.headers.do_not_track`
  * `content.headers.custom`
  * `content.headers.accept_language`
  * `content.headers.user_agent`
  * `content.ssl_strict`
  * `content.geolocation`
  * `content.notifications`
  * `content.media_capture`
- The Windows/macOS releases now bundle Qt 5.11.1 which is based on Chromium 65.0.3325.151 with security fixes up to Chromium 67.0.3396.87.
- New short flags for commandline arguments: `-B` and `-T` for `--basedir` and `--temp-basedir`; `-d` and `-D` for `--debug` and `--debug-flag`.
- Deleting history items via `:history-clear` or `:completion-item-del` now also removes that URL from QtWebEngine's visited links.
- There's now completion for commands taking a variable count of arguments (like `:config-cycle`).
- QtWebEngine: On Qt 5.11.1, no reloads are needed anymore when switching between pages with changed settings (e.g. `content.javascript.enabled`).
- The `qt.force_software_rendering` setting changed from a boolean to taking different values (`software-opengl`, `qt-quick` and `chromium`) for different kinds of software rendering workarounds.
- On Qt 5.11, using wayland with QtWebEngine is now possible when using software rendering.
- GreaseMonkey scripts now get their own global scope (based on the page's one), which allows scripts like OneeChan to work.
- Rapid hinting is now supported with the `yank` and `yank-primary` targets, copying newline-separated links.
- QtWebEngine: On Qt 5.11, the developer tools (inspector) can now be used securely and without requiring the `--enable-webengine-inspector` option.
- The `` key (`:follow-selected`) now follows the currently focused element if there's no selection.
- The `--logfilter` argument can now be prepended with an exclamation mark (e.g. `--logfilter '!init,destroy'`) to invert the filter.
- `:view-source` now has a `--pygments` flag which uses the "old" way of rendering sources even with QtWebEngine.
- Improved error messages when a setting needs a newer Qt version.
- QtWebEngine: Various improvements to make the cursor more visible in caret browsing.
- When a prompt is opened in insert/passthrough mode, the mode is restored after closing the prompt.
- On Qt 5.10 or newer, dictionaries are now read from the qutebrowser data directory (e.g. `~/.local/share/qutebrowser`) instead of `/usr/share/qt`. Existing dictionaries are copied over.
- If an error occurs while parsing `~/.netrc`, the cause of the error is now logged.
- On Qt 5.9 or newer, certificate errors now show Chromium's detailed error page.
- Greasemonkey scripts now support a "@qute-js-world" tag to run them in a different JavaScript context.
Fixed
~~~~~

- Various subtle keyboard focus issues.
- The security fix in v1.3.3 caused URLs with ampersands (`www.example.com?one=1&two=2`) to send the wrong arguments when clicked on the `qute://history` page.
- Crash when opening a PDF page with PDF.js enabled (on QtWebKit), but no PDF.js installed.
- Crash when closing a tab shortly after opening it.

Removed
~~~~~~~

- No prebuilt binaries for 32-bit Windows are supplied anymore. This is due to Qt removing QtWebEngine support for those upstream. It might be possible to distribute 32-bit binaries again with Qt 5.12 in December, but that will only happen if it turns out enough people actually need 32-bit support.
- `:tab-detach` which has been deprecated in v1.1.0 has been removed.
- The `content.developer_extras` setting got removed. On QtWebKit, developer extras are now automatically enabled when opening the inspector.

Enjoy!

Florian

--
https://www.qutebrowser.org | me at the-compiler.org (Mail/XMPP)
GPG: 916E B0C8 FD55 A072 | https://the-compiler.org/pubkey.asc
I love long mails! | https://email.is-not-s.ms/


From me at the-compiler.org Wed Jul 11 17:28:58 2018
From: me at the-compiler.org (Florian Bruhin)
Date: Wed, 11 Jul 2018 17:28:58 +0200
Subject: [qutebrowser-announce] CVE-2018-10895: Remote code execution due to CSRF in qutebrowser
Message-ID: <20180711152858.pe3bzkkvwngxxcnn@hooch.localdomain>

Description
-----------

Due to a CSRF vulnerability affecting the `qute://settings` page, it was possible for websites to modify qutebrowser settings. Via settings like `editor.command`, this possibly allowed websites to execute arbitrary code.

This issue has been assigned CVE-2018-10895:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10895

Affected versions
-----------------

The issue was introduced in v1.0.0, as part of commit ffc29ee.
https://github.com/qutebrowser/qutebrowser/commit/ffc29ee

It was fixed in the v1.4.1 release, in commit 43e58ac.
https://github.com/qutebrowser/qutebrowser/commit/43e58ac865ff862c2008c510fc5f7627e10b4660

All releases between v1.0.0 and v1.4.0 (inclusive) are affected.

Backported patches are available, but no additional releases are planned:

v1.1.x: https://github.com/qutebrowser/qutebrowser/commit/ff686ff7f395d83e5ac48507ecfae0b0e97a61ef
v1.2.x: https://github.com/qutebrowser/qutebrowser/commit/c3361c31b370140f323e481dd455450b1e74c099
v1.3.x: https://github.com/qutebrowser/qutebrowser/commit/c2ff32d92ba9bf40ff53498ee04a4124d4993c85
v1.4.x: https://github.com/qutebrowser/qutebrowser/commit/22148ce488da52e8a0e01ed937c0cfdb24d34775
master: https://github.com/qutebrowser/qutebrowser/commit/43e58ac865ff862c2008c510fc5f7627e10b4660

(add .patch to the URL to get patches)

Timeline
--------

2018-07-09: I was made aware of the original issue privately (initially believed by the reporter to only be a DoS issue), developed a fix and contacted the distros Openwall mailing list to organize a disclosure date to give distributions time to coordinate releasing a fix.
2018-07-10: Slightly updated patch sent to the distros mailing list.
2018-07-11: Public disclosure.

Mitigation
----------

Please upgrade to v1.4.1 or apply the patches above.

Note that disabling loading of `autoconfig.yml` is not a suitable remedy, since settings are still applied until the next restart.

As a workaround, it's possible to patch out the vulnerable code via a `config.py` file:

    from qutebrowser.browser import qutescheme

    # Replace the qute://settings/set handler with a no-op that returns an
    # empty HTML page, so requests to it can no longer change any setting.
    qutescheme._qute_settings_set = lambda url: ('text/html', '')

While there is no known exploit for this in the wild, users are advised to check their `autoconfig.yml` file (located in the config folder shown in `:version`) for any unwanted modifications.

Credits
-------

Thanks to:

- toofar for reporting the initial issue.
- Allan Sandfeld Jensen (carewolf) and Jüri Valdmann (juvaldma) of The Qt Company for their assistance with triaging and fixing the issue.
- toofar and Jay Kamat (jgkamat) for reviewing the patch.
- Morten Linderud (Foxboron) for suggestions on how to disclose this properly.

Links
-----

- https://github.com/qutebrowser/qutebrowser/issues/4060


From me at the-compiler.org Wed Jul 11 17:35:58 2018
From: me at the-compiler.org (Florian Bruhin)
Date: Wed, 11 Jul 2018 17:35:58 +0200
Subject: [qutebrowser-announce] qutebrowser v1.4.1 released (security update, CVE-2018-10895)
Message-ID: <20180711153558.zowsudnewq4wwgjo@hooch.localdomain>

Hey,

I've just released qutebrowser v1.4.1 which fixes a CSRF vulnerability on the qute://settings page. The vulnerability allowed websites to change qutebrowser settings, potentially leading to arbitrary code execution via settings such as `editor.command`.

See the separate security announcement for details:
https://lists.schokokeks.org/pipermail/qutebrowser-announce/2018-July/000048.html

Other bugfixes in this release:

- Rare crash when an error occurs in downloads.
- Newlines are now stripped from the :version pastebin URL.
- There's a new `mkvenv-pypi-old` environment in `tox.ini` which installs an older Qt, which is needed on Ubuntu 16.04.
- Worked around a Qt issue which redirects to a `chrome-error://` page when trying to use U2F.
- The `link_pyqt.py` script now works correctly with PyQt 5.11.
- The Windows installer now uninstalls the old version before installing the new one, fixing issues with qutebrowser not starting after installing v1.4.0 over v1.3.3. Sorry for the trouble!
Florian
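The advisory for CVE-2018-10895 above and the v1.4.1 release note describe the same failure mode: a privileged internal page (`qute://settings`) accepted state-changing requests from any origin, so a web page could make the browser load a settings-changing URL on the user's behalf. The following is an added example, written for this archive and not qutebrowser's own code or its actual fix, showing a minimal internal-scheme handler in its CSRF-vulnerable form next to a hardened form that requires a per-session secret token. The URL layout (`qute://settings/set?option=...&value=...`), the `csrf_token` parameter name, the `SETTINGS` store and the `SESSION_TOKEN` variable are all assumptions of the example; the sample setting values are constructed.

```python
"""Added example (not qutebrowser's code): a privileged internal-page handler
that applies a setting taken from a URL, in a CSRF-vulnerable form and in a
hardened form that requires a per-session secret token.

Assumptions (not from the advisory): the handler receives the full URL as a
string, the option and value arrive as 'option' and 'value' query parameters,
and the trusted settings page embeds the token into the links it generates.
"""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample settings store standing in for the browser's config.
SETTINGS = {"editor.command": "gvim -f {}"}

# One random secret per browser session. Web pages never see it, so they
# cannot build a request that passes the check below.
SESSION_TOKEN = secrets.token_urlsafe(32)


def _query(url):
    """Return the query parameters of an internal URL as a flat dict."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {key: values[0] for key, values in params.items()}


def settings_set_vulnerable(url):
    """Apply whatever the URL says.

    Any site that can make the browser load this URL (an image tag, a
    redirect, a link the user clicks) changes the setting: this is the
    CSRF shape the advisory describes.
    """
    q = _query(url)
    SETTINGS[q["option"]] = q["value"]
    return ("text/html", "")


def settings_set_hardened(url):
    """Apply the change only if the request carries the session's CSRF token."""
    q = _query(url)
    supplied = q.get("csrf_token", "")
    # Constant-time comparison so the check itself does not leak the token.
    if not hmac.compare_digest(supplied, SESSION_TOKEN):
        return ("text/plain", "Invalid CSRF token")
    if "option" not in q or "value" not in q:
        return ("text/plain", "Missing parameters")
    SETTINGS[q["option"]] = q["value"]
    return ("text/html", "")


def settings_link(option, value):
    """Build the link the trusted settings page itself would emit."""
    qs = urlencode({"option": option, "value": value,
                    "csrf_token": SESSION_TOKEN})
    return "qute://settings/set?" + qs


if __name__ == "__main__":
    # A request a third-party page could trigger: it cannot know the token.
    # (Constructed sample value; the advisory names editor.command as a
    # setting whose modification matters.)
    forged = "qute://settings/set?option=editor.command&value=attacker_controlled"
    print(settings_set_hardened(forged))        # rejected
    print(SETTINGS["editor.command"])           # still the original value
    # The same change made through the settings page's own link succeeds.
    print(settings_set_hardened(settings_link("editor.command", "nano {}")))
    print(SETTINGS["editor.command"])
```

The point of the token is that the secret lives only in pages the browser renders from its own trusted scheme; a cross-origin page can cause the URL to be loaded but cannot read the token to include it. The workaround in the advisory (replacing the handler with a no-op) removes the capability entirely, which is the right call when a patched build is not yet available.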