Ubuntu policy for WebKit security updates?

Marc Deslauriers marc.deslauriers at canonical.com
Tue Sep 13 21:17:44 UTC 2016


Hi,

On 2016-09-13 05:14 PM, Adam Dingle wrote:
> This article from Michael Catanzaro is sobering:
> 
>   https://blogs.gnome.org/mcatanzaro/2016/02/01/on-webkit-security-updates/
> 
> It essentially makes two points:
> 
> 1. WebKit 1 contains many security vulnerabilities that will probably never be
> fixed, and yet some apps (e.g. Geary, GnuCash) still depend on it.
> 
> 2. For WebKit 2, the WebKit team fixes vulnerabilities only in its latest stable
> and unstable versions, yet many distributions including Ubuntu don't generally
> upgrade users to these versions, and don't backport security fixes to previous
> versions (which would be hard).
> 
> Considering this second point, Xenial (16.04 LTS) contains libwebkit2gtk-4.0
> version 2.10.9-1ubuntu1, which was apparently last updated in March 2016.  It is
> presumably vulnerable to all the security bugs in WebKitGTK's more recent
> security advisories, which include numerous arbitrary code execution
> vulnerabilities:
> 
>   https://webkitgtk.org/security/WSA-2016-0004.html
>   https://webkitgtk.org/security/WSA-2016-0005.html
> 
> As Michael points out, this is concerning because many apps (including Epiphany,
> which I often use for browsing) use WebKit.  He writes:
> 
>   Some of the more notable users include Anjuta, Banshee, Bijiben (GNOME Notes),
> Devhelp, Empathy, Evolution, Geany, Geary, GIMP, gitg, GNOME Builder, GNOME
> Documents, GNOME Initial Setup, GNOME Online Accounts, GnuCash, gThumb, Liferea,
> Midori, Rhythmbox, Shotwell, Sushi, and Yelp (GNOME Help).
> 
> It appears that Ubuntu has three policy choices:
> 
> 1) Upgrade users of existing Ubuntu releases such as Xenial to newer stable
> WebKit 2 versions (e.g. 2.12.5, where all known vulnerabilities are fixed).  The
> cost of this is potential breakage if a new version of WebKit 2 isn't completely
> compatible with the old.  As Michael points out, WebKit 2 "ensures that each
> release maintains both API and ABI compatibility", but of course bugs are
> possible and he admits that "there is some risk" that an update could break
> something.
> 
> 2) Backport all security fixes to older WebKit versions such as 2.10.  This is
> almost certainly impractical.
> 
> 3) Keep users at existing WebKit 2 versions with known vulnerabilities (e.g.
> 2.10.9 in Xenial).
> 
> Has Ubuntu consciously chosen policy (3) over (1)?  If so, this feels unwise to
> me.  I think the breakage in (1) would probably be minimal since I've often
> built a newer WebKit 2 on an existing Ubuntu release and it has always worked
> fine in existing apps as far as I can tell.
> 

I will be publishing 2.12.5 as a security update for xenial tomorrow or
Thursday. I was going to publish 2.12.4, but there was a regression in it.

Marc.
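An added check, my own code rather than anything from this thread or from Ubuntu: a pure-Python reimplementation of dpkg's version ordering, so the `Version` field of libwebkit2gtk-4.0 gathered from many Xenial machines (for instance with `dpkg-query -W -f='${Version}\n' libwebkit2gtk-4.0`) can be compared offline against the 2.12.5 update Marc announces. The version strings are the ones quoted above; `is_fixed` and the helper names are mine.

```python
# Added example (not Ubuntu's or dpkg's code): dpkg-style version ordering in
# pure Python, to check a libwebkit2gtk-4.0 version against the 2.12.5 update.
import re
from itertools import zip_longest

def _order(c):
    # dpkg character weight: end-of-string 0, letters ord(c), '~' before everything.
    if c is None:
        return 0
    if c.isalpha():
        return ord(c)
    return -1 if c == "~" else ord(c) + 256

def _cmp_nondigit(x, y):
    for cx, cy in zip_longest(x, y):
        d = _order(cx) - _order(cy)
        if d:
            return d
    return 0

def _verrevcmp(a, b):
    # Like dpkg's verrevcmp(): alternate (non-digit run, digit run) pairs, digits numeric.
    ta, tb = re.findall(r"(\D*)(\d*)", a), re.findall(r"(\D*)(\d*)", b)
    for (na, da), (nb, db) in zip_longest(ta, tb, fillvalue=("", "")):
        d = _cmp_nondigit(na, nb) or int(da or 0) - int(db or 0)
        if d:
            return d
    return 0

def _split(version):
    # '[epoch:]upstream[-revision]'; missing epoch is 0, missing revision equals '0'.
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    return epoch, (upstream if sep else rest), (revision if sep else "")

def compare_versions(a, b):
    # -1, 0 or 1, matching `dpkg --compare-versions a lt|eq|gt b`.
    for x, y in zip(_split(a), _split(b)):
        r = _verrevcmp(x, y)
        if r:
            return -1 if r < 0 else 1
    return 0

def is_fixed(installed, fixed="2.12.5"):
    # True when the installed package is at or above the release carrying the fixes.
    return compare_versions(installed, fixed) >= 0
```

A version with no Debian revision compares equal to revision `0`, so any Ubuntu-revised 2.12.5 package (`2.12.5-0ubuntu...`) counts as fixed while Xenial's `2.10.9-1ubuntu1` does not.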
