On Tue, Sep 13, 2016 at 2:17 PM, Marc Deslauriers
<[email protected]> wrote:
Hi,
On 2016-09-13 05:14 PM, Adam Dingle wrote:
This article from Michael Catanzaro is sobering:
https://blogs.gnome.org/mcatanzaro/2016/02/01/on-webkit-security-updates/
It essentially makes two points:
1. WebKit 1 contains many security vulnerabilities that will
probably never be
fixed, and yet some apps (e.g. Geary, GnuCash) still depend on it.
2. For WebKit 2, the WebKit team fixes vulnerabilities only in its
latest stable
and unstable versions, yet many distributions including Ubuntu
don't generally
upgrade users to these versions, and don't backport security fixes
to previous
versions (which would be hard).
Considering this second point, Xenial (16.04 LTS) contains
libwebkit2gtk-4.0
version 2.10.9-1ubuntu1, which was apparently last updated in March
2016. It is
presumably vulnerable to all the security bugs in WebKitGTK's more
recent
security advisories, which include numerous arbitrary code execution
vulnerabilities:
https://webkitgtk.org/security/WSA-2016-0004.html
https://webkitgtk.org/security/WSA-2016-0005.html
As Michael points out, this is concerning because many apps
(including Epiphany,
which I often use for browsing) use WebKit. He writes:
Some of the more notable users include Anjuta, Banshee, Bijiben
(GNOME Notes),
Devhelp, Empathy, Evolution, Geany, Geary, GIMP, gitg, GNOME
Builder, GNOME
Documents, GNOME Initial Setup, GNOME Online Accounts, GnuCash,
gThumb, Liferea,
Midori, Rhythmbox, Shotwell, Sushi, and Yelp (GNOME Help).
It appears that Ubuntu has three policy choices:
1) Upgrade users of existing Ubuntu releases such as Xenial to
newer stable
WebKit 2 versions (e.g. 2.12.5, where all known vulnerabilities are
fixed). The
cost of this is potential breakage if a new version of WebKit 2
isn't completely
compatible with the old. As Michael points out, WebKit 2 "ensures
that each
release maintains both API and ABI compatibility", but of course
bugs are
possible and he admits that "there is some risk" that an update
could break
something.
2) Backport all security fixes to older WebKit versions such as
2.10. This is
almost certainly impractical.
3) Keep users at existing WebKit 2 versions with known
vulnerabilities (e.g.
2.10.9 in Xenial).
Has Ubuntu consciously chosen policy (3) over (1)? If so, this
feels unwise to
me. I think the breakage in (1) would probably be minimal since
I've often
built a newer WebKit 2 on an existing Ubuntu release and it has
always worked
fine in existing apps as far as I can tell.
I will be publishing 2.12.5 as a security update for xenial tomorrow
or
thursday. I was going to publish 2.12.4, but there was a regression
in it.
Marc.
Aha. This is great news!
adam
--
ubuntu-desktop mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-desktop