Ubuntu policy for WebKit security updates?
Adam Dingle
adam at medovina.org
Tue Sep 13 21:27:27 UTC 2016
On Tue, Sep 13, 2016 at 2:17 PM, Marc Deslauriers
<marc.deslauriers at canonical.com> wrote:
> Hi,
>
> On 2016-09-13 05:14 PM, Adam Dingle wrote:
>> This article from Michael Catanzaro is sobering:
>>
>>
>> https://blogs.gnome.org/mcatanzaro/2016/02/01/on-webkit-security-updates/
>>
>> It essentially makes two points:
>>
>> 1. WebKit 1 contains many security vulnerabilities that will probably never be fixed, and yet some apps (e.g. Geary, GnuCash) still depend on it.
>>
>> 2. For WebKit 2, the WebKit team fixes vulnerabilities only in its latest stable and unstable versions, yet many distributions including Ubuntu don't generally upgrade users to these versions, and don't backport security fixes to previous versions (which would be hard).
>>
>> Considering this second point, Xenial (16.04 LTS) contains libwebkit2gtk-4.0 version 2.10.9-1ubuntu1, which was apparently last updated in March 2016. It is presumably vulnerable to all the security bugs in WebKitGTK's more recent security advisories, which include numerous arbitrary code execution vulnerabilities:
>>
>> https://webkitgtk.org/security/WSA-2016-0004.html
>> https://webkitgtk.org/security/WSA-2016-0005.html
>>
>> As Michael points out, this is concerning because many apps (including Epiphany, which I often use for browsing) use WebKit. He writes:
>>
>> Some of the more notable users include Anjuta, Banshee, Bijiben (GNOME Notes), Devhelp, Empathy, Evolution, Geany, Geary, GIMP, gitg, GNOME Builder, GNOME Documents, GNOME Initial Setup, GNOME Online Accounts, GnuCash, gThumb, Liferea, Midori, Rhythmbox, Shotwell, Sushi, and Yelp (GNOME Help).
>>
>> It appears that Ubuntu has three policy choices:
>>
>> 1) Upgrade users of existing Ubuntu releases such as Xenial to newer stable WebKit 2 versions (e.g. 2.12.5, where all known vulnerabilities are fixed). The cost of this is potential breakage if a new version of WebKit 2 isn't completely compatible with the old. As Michael points out, WebKit 2 "ensures that each release maintains both API and ABI compatibility", but of course bugs are possible and he admits that "there is some risk" that an update could break something.
>>
>> 2) Backport all security fixes to older WebKit versions such as 2.10. This is almost certainly impractical.
>>
>> 3) Keep users at existing WebKit 2 versions with known vulnerabilities (e.g. 2.10.9 in Xenial).
>>
>> Has Ubuntu consciously chosen policy (3) over (1)? If so, this feels unwise to me. I think the breakage in (1) would probably be minimal since I've often built a newer WebKit 2 on an existing Ubuntu release and it has always worked fine in existing apps as far as I can tell.
>>
>
> I will be publishing 2.12.5 as a security update for Xenial tomorrow or Thursday. I was going to publish 2.12.4, but there was a regression in it.
>
> Marc.
Aha. This is great news!
adam