Changes between Version 1 and Version 2 of GTKSecurity2015

Nov 12, 2015 2:00:21 PM



GTKSecurity2015

WebKitGTK+ security issues presentation at WebKit Contributors Meeting, Fall 2015

Last summer ended WK1 support in GTK+ port
WK1 apps have three options:
    port WK1 apps to WK2 (best option, about 1/2 done)
    bring WK1 back and maintain it again (requires too much manpower)
    merge security fixes back to old branch (becomes harder and harder over time)
Email clients hard to port because of DOM operations
CVEs from Apple don't include information about how to exploit the vulnerability
Igalia made a security advisory, has one member of the security team (Carlos Garcia)
Apple does not release information about security fixes to security team members, no way to make another one
Who from Apple sent this information in the past? Don't know. Igalia will contact Alex Christensen with this information
WebKitGTK+ releases every 6 months, fixes security bugs, but also adds 6 months of new security bugs
To convince Fedora to upgrade to WebKitGTK+ 2.8, they need a list of CVEs
Debian won't accept updates either without documentation of CVEs
will show warning that headers were sent before a secure connection is established
    cookies are leaked to unverified attackers - not just libsoup problem - CVE-2015-2330
Bug in gcc 4.8 caused crash in legacy IndexedDB code, but distributions still use gcc 4.8
example of Safari security advisory
Igalia wants a link between those CVE numbers and the Bugzilla bug or merged code revision
    equivalent would be if we commented in the Bugzilla bug with the CVE number
Web Engines Hackfest in December in Spain
GTK+ has no sandboxes right now, any security exploit has complete access to the computer (but not as root)
seccomp filter based sandbox would need to be specific to each Linux distribution because WebKitGTK+ has lots of dependencies which have different system calls
network namespace, filesystem namespace should be used instead
Remove non-network process compile configurations
Chrome, Firefox disabling RC4 fallback January or February 2016, WebKitGTK+ disabled it last year
fails
Safari has no security indicator when HTTP is used, Chrome and Firefox are moving to a broken lock icon for all HTTP instead of nothing