From me at the-compiler.org Fri Nov 1 20:36:50 2019
From: me at the-compiler.org (Florian Bruhin)
Date: Fri, 1 Nov 2019 20:36:50 +0100
Subject: [qutebrowser] Chromium Zero-days (CVE-2019-13720 and -13721)
Message-ID: <20191101193650.f227m2ej2np6nugk@hooch.localdomain>

Hi,

There's currently news going around of two Chromium Zero-Days, one of them
being actively exploited in the wild:

https://chromereleases.googleblog.com/2019/10/stable-channel-update-for-desktop_31.html

qutebrowser likely is unaffected by the PDFium one (as it disables the PDF
viewer, even with Qt 5.13). It's likely affected by the WebAudio one though,
and I don't see a way to turn WebAudio off (other than disabling JS).

Fixes for both will land in Qt 5.12.6 and 5.14.0 (there likely isn't going to
be a 5.13.3).

I've also reported this to Arch and a fix landed in qt5-webengine 5.13.1-3
(and 5.13.2-2 in [testing]).

Florian

--
https://www.qutebrowser.org | me at the-compiler.org (Mail/XMPP)
GPG: 916E B0C8 FD55 A072 | https://the-compiler.org/pubkey.asc
I love long mails! | https://email.is-not-s.ms/

From me at the-compiler.org Fri Nov 1 20:42:59 2019
From: me at the-compiler.org (Florian Bruhin)
Date: Fri, 1 Nov 2019 20:42:59 +0100
Subject: [qutebrowser] Chromium Zero-days (CVE-2019-13720 and -13721)
In-Reply-To: <20191101193650.f227m2ej2np6nugk@hooch.localdomain>
References: <20191101193650.f227m2ej2np6nugk@hooch.localdomain>
Message-ID: <20191101194259.iezdpiywieipu4ox@hooch.localdomain>

On Fri, Nov 01, 2019 at 08:36:56PM +0100, Florian Bruhin wrote:
> I've also reported this to Arch and a fix landed in qt5-webengine 5.13.1-3
> (and 5.13.2-2 in [testing]).

Sorry, the fix is not in 5.13.1-3 - only in 5.13.2-2 which I suppose will make
it out of [testing] soon.

If you happen to be using my qt5-debug packages, I'm building a 5.13.1-3.1
with the fix.

Florian

From me at the-compiler.org Mon Nov 18 22:09:15 2019
From: me at the-compiler.org (Florian Bruhin)
Date: Mon, 18 Nov 2019 22:09:15 +0100
Subject: [qutebrowser] qutebrowser meetup Berlin
Message-ID: <20191118210915.44duiiglxukrpt4v@hooch.localdomain>

Hey!

I'm currently in Berlin (mainly to meet Qt/QtWebEngine people at Qt {World,
Contributors} Summit).

I'd love to also meet some qutebrowser users here! :)

I opened a date poll for a meetup: https://dudle.inf.tu-dresden.de/qb-berlin/

Florian

From limberfawn1066 at gmail.com Mon Nov 18 21:48:01 2019
From: limberfawn1066 at gmail.com (ayy ayy)
Date: Mon, 18 Nov 2019 20:48:01 +0000
Subject: [qutebrowser] flash
Message-ID:

- Wanting to play flash games
- Open a flash game, knowing I have flash
- 'Couldn't load plug-in.'
- Read your FAQ, then installed specifically PPAPI flash.
- Reload site and 'Couldn't load plug-in'
- Double check content.plugins = true
- Same error

I don't know what to do now. I love this browser but if flash doesn't work
then I'm afraid I won't use it.

From me at the-compiler.org Mon Nov 18 22:21:18 2019
From: me at the-compiler.org (Florian Bruhin)
Date: Mon, 18 Nov 2019 22:21:18 +0100
Subject: [qutebrowser] flash
In-Reply-To:
References:
Message-ID: <20191118212118.46eh4tizhgu3c7lr@hooch.localdomain>

Hey ayy ayy,

Note that you aren't subscribed to the mailing list, so your mail was held
back. I added you to the whitelist now, but you'll only get replies if people
explicitly Cc you unless you subscribe.

On Mon, Nov 18, 2019 at 08:48:01PM +0000, ayy ayy wrote:
> - Wanting to play flash games
>
> - Open a flash game, knowing I have flash
>
> - 'Couldn't load plug-in.'
>
> - Read your FAQ, then installed specifically PPAPI flash.
>
> - Reload site and 'Couldn't load plug-in'
>
> - Double check content.plugins = true
>
> - Same error
>
>
> I don't know what to do now. I love this browser but if flash doesn't work
> then I'm afraid I won't use it.

With that little information (and e.g. no version numbers), I can only guess.

My best guess would be that you're on Qt 5.13 and seeing this issue:
https://bugreports.qt.io/browse/QTBUG-78280

Looks like there's a fix in the works for Qt 5.14 - until then, it looks like
you can add 'enable-pepper-testing' to the qt.args setting as a workaround.

I'm not sure about the security implications of that, though (but flash is a
security nightmare either way). You might want to only enable content.plugins
to true for a specific URL pattern rather than globally.

Florian

From me at the-compiler.org Fri Nov 22 19:04:26 2019
From: me at the-compiler.org (Florian Bruhin)
Date: Fri, 22 Nov 2019 19:04:26 +0100
Subject: [qutebrowser] qutebrowser v1.8.2 released!
Message-ID: <20191122180426.vc473er7y57odebj@hooch.localdomain>

Hey,

I'm happy to announce that I just released qutebrowser v1.8.2.

The main aim behind the release is bundling Qt 5.12.6 for macOS/Windows, which
comes with important Chromium security fixes. However, I also cherry-picked
some bugfixes from master:

Changed
~~~~~~~

- Windows/macOS releases now ship with Qt 5.12.6. This includes security fixes
  up to Chromium 77.0.3865.120 plus a security fix for CVE-2019-13720 from
  Chromium 78.

Fixed
~~~~~

- Unbinding keys via `config.bind(key, None)` accidentally worked in v1.7.0 but
  raises an exception in v1.8.0. It now works again, but is deprecated and
  shows an error. Note that `:config-py-write` did write such invalid lines
  before v1.8.0, so existing config files might need adjustments.
- The `readability-js` userscript now handles encodings correctly (which it
  didn't before for some websites).
- can now be used to paste text starting with a hyphen.
- Following hints via the number keypad now works properly again.
- Errors while reading the state file are now displayed instead of causing a
  crash.
- Crash when using `:debug-log-level` without a console attached.
- Downloads are now hidden properly when the browser is in fullscreen mode.
- Crash when setting `colors.webpage.bg` to an empty value with QtWebKit.
- Crash when the history database file is not a proper sqlite database.
- Workaround for missing/broken error pages on Debian.
- A deprecation warning (caused by pywin32) about the imp module on Windows is
  now hidden.

Florian

From me at the-compiler.org Fri Nov 22 20:51:58 2019
From: me at the-compiler.org (Florian Bruhin)
Date: Fri, 22 Nov 2019 20:51:58 +0100
Subject: [qutebrowser] qutebrowser meetup Berlin (2019-11-28)
Message-ID: <20191122195158.jv6ssejajy6w4x32@hooch.localdomain>

Hey!

Like you might already know, I'm currently in Berlin - I've met with
Qt/QtWebEngine developers at Qt Contributors Summit and had some very
interesting development discussions there. You can find some writeups here:
https://wiki.qt.io/Category:QtCS2019

Next Thursday (28th) I'd like to have a small qutebrowser user meetup here :)

We'll meet at 19:00 in the AfRA Hackerspace in Berlin Lichtenberg:
https://afra-berlin.de/dokuwiki/doku.php?id=en:start

See (some of) you there, hopefully!

Florian