Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Ywz/hDw3dwvhYlua@itl-email>
Date: Mon, 29 Aug 2022 14:03:44 -0400
From: Demi Marie Obenour <demi@...isiblethingslab.com>
To: oss-security@...ts.openwall.com, John Helmert III <ajak@...too.org>
Subject: Re: WebKitGTK and WPE WebKit Security Advisory
 WSA-2022-0008

On Mon, Aug 29, 2022 at 01:26:49PM +0200, Carlos Alberto Lopez Perez wrote:
> 
> On 26/08/2022 07:01, John Helmert III wrote:
> > On Thu, Aug 25, 2022 at 11:34:04PM +0200, Carlos Alberto Lopez Perez wrote:
> >> ------------------------------------------------------------------------
> >> WebKitGTK and WPE WebKit Security Advisory                 WSA-2022-0008
> >> ------------------------------------------------------------------------
> >>
> >> Date reported           : August 25, 2022
> >> Advisory ID             : WSA-2022-0008
> >> WebKitGTK Advisory URL  : https://webkitgtk.org/security/WSA-2022-0008.html
> >> WPE WebKit Advisory URL : https://wpewebkit.org/security/WSA-2022-0008.html
> >> CVE identifiers         : CVE-2022-32893.
> >>
> >> Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.
> >>
> >> CVE-2022-32893
> >>     Versions affected: WebKitGTK and WPE WebKit before 2.36.7.
> >>     Credit to an anonymous researcher.
> >>     Impact: Processing maliciously crafted web content may lead to
> >>     arbitrary code execution. Apple is aware of a report that this issue
> >>     may have been actively exploited.
> > 
> > According to Apple's security advisories for this (e.g. [1]), this
> > issue is tracked on the Webkit Bugzilla as 243557 [2] which was opened
> > on 2022-08-04. A few minutes after that bug was opened, a pull request
> > on GitHub was linked [3] with a patch which also seems to add unit
> > tests. So, it appears to me that this issue was public since at least
> > August 4th, and even more widely publicized with Apple's security
> > advisories on August 17.
> > 
> > WebKit-2.36.6 was released shortly after the first bug report, on
> > 2022-08-07, and WebKit-2.36.7 was released yesterday, on 2022-08-25.
> > 
> > With this bug seemingly being publicly known to be an actively
> > exploited code execution issue, why did it take several weeks and 2
> > WebKit releases to get this issue fixed and a WSA released?
> > 
> > [1] https://support.apple.com/en-us/HT213412
> > [2] https://bugs.webkit.org/show_bug.cgi?id=243557
> > [3] https://github.com/WebKit/WebKit/pull/3023
> > 
> 
> 
> We (maintainers of Linux WebKit ports) don't have access to the security
> issues affecting Apple products until those issues are made public by them.

That is unfortunate.  I thought you would have access to embargoed
bugzilla tickets.

> So, we didn't knew until August 17th of this issue. Also you can see
> that the bug report itself or the patch doesn't has any indication that
> it fixes a security-related problem.
> 
> Therefore, the time it took us to notice the issue, backport the fix and
> do a new release was just 7-8 days (from 17th to 24-25th of August).
> Which, honestely, it is quite good taking into account that: 1)
> back-porting the fix was not straightforward since it required
> back-porting also a few previous patches in order to be able to merge it
> properly and that 2) we are in August and people is usually on holidays.

Was backporting needed, as opposed to shipping a new minor version?

> On the other hand, I don't know if this issue was or is exploited on
> Linux WebKit users. All I known is that Apple said they are aware of a
> report that this issue was actively exploited (on Apple/WebKit users).
> So I assume this can also affect Linux WebKit users. But I don't have a
> confirmation that this is actually the case, neither I'm aware of any
> PoC demonstrating the issue.

Should every release include a comment like, “This release likely
contains security updates even if no security advisory has been issued.
Please treat it as such.”?
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab

Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.