This article from Michael Catanzaro is sobering:

https://blogs.gnome.org/mcatanzaro/2016/02/01/on-webkit-security-updates/

It essentially makes two points:

1. WebKit 1 contains many security vulnerabilities that will probably never be fixed, and yet some apps (e.g. Geary, GnuCash) still depend on it.

2. For WebKit 2, the WebKit team fixes vulnerabilities only in its latest stable and unstable versions, yet many distributions including Ubuntu don't generally upgrade users to these versions, and don't backport security fixes to previous versions (which would be hard).

Considering this second point, Xenial (16.04 LTS) contains libwebkit2gtk-4.0 version 2.10.9-1ubuntu1, which was apparently last updated in March 2016. It is presumably vulnerable to all the security bugs in WebKitGTK's more recent security advisories, which include numerous arbitrary code execution vulnerabilities:

 https://webkitgtk.org/security/WSA-2016-0004.html
 https://webkitgtk.org/security/WSA-2016-0005.html

As Michael points out, this is concerning because many apps (including Epiphany, which I often use for browsing) use WebKit. He writes:

Some of the more notable users include Anjuta, Banshee, Bijiben (GNOME Notes), Devhelp, Empathy, Evolution, Geany, Geary, GIMP, gitg, GNOME Builder, GNOME Documents, GNOME Initial Setup, GNOME Online Accounts, GnuCash, gThumb, Liferea, Midori, Rhythmbox, Shotwell, Sushi, and Yelp (GNOME Help).

It appears that Ubuntu has three policy choices:

1) Upgrade users of existing Ubuntu releases such as Xenial to newer stable WebKit 2 versions (e.g. 2.12.5, where all known vulnerabilities are fixed). The cost of this is potential breakage if a new version of WebKit 2 isn't completely compatible with the old. As Michael points out, WebKit 2 "ensures that each release maintains both API and ABI compatibility", but of course bugs are possible and he admits that "there is some risk" that an update could break something.

2) Backport all security fixes to older WebKit versions such as 2.10. This is almost certainly impractical.

3) Keep users at existing WebKit 2 versions with known vulnerabilities (e.g. 2.10.9 in Xenial).

Has Ubuntu consciously chosen policy (3) over (1)? If so, this feels unwise to me. I think the breakage in (1) would probably be minimal since I've often built a newer WebKit 2 on an existing Ubuntu release and it has always worked fine in existing apps as far as I can tell.

adam
-- 
ubuntu-desktop mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-desktop

Reply via email to