Re: WebKitGTK and WPE WebKit Security Advisory WSA-2022-0008

[Demi Marie Obenour <demi () invisiblethingslab com>]

On Mon, Aug 29, 2022 at 01:26:49PM +0200, Carlos Alberto Lopez Perez wrote:
> On 26/08/2022 07:01, John Helmert III wrote:
> > On Thu, Aug 25, 2022 at 11:34:04PM +0200, Carlos Alberto Lopez Perez wrote:
> > > ------------------------------------------------------------------------
> > > WebKitGTK and WPE WebKit Security Advisory                 WSA-2022-0008
> > > ------------------------------------------------------------------------
> > >
> > > Date reported           : August 25, 2022
> > > Advisory ID             : WSA-2022-0008
> > > WebKitGTK Advisory URL  : https://webkitgtk.org/security/WSA-2022-0008.html
> > > WPE WebKit Advisory URL : https://wpewebkit.org/security/WSA-2022-0008.html
> > > CVE identifiers         : CVE-2022-32893.
> > >
> > > Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.
> > >
> > > CVE-2022-32893
> > >     Versions affected: WebKitGTK and WPE WebKit before 2.36.7.
> > >     Credit to an anonymous researcher.
> > >     Impact: Processing maliciously crafted web content may lead to
> > >     arbitrary code execution. Apple is aware of a report that this issue
> > >     may have been actively exploited.
> >
> > According to Apple's security advisories for this (e.g. [1]), this
> > issue is tracked on the Webkit Bugzilla as 243557 [2] which was opened
> > on 2022-08-04. A few minutes after that bug was opened, a pull request
> > on GitHub was linked [3] with a patch which also seems to add unit
> > tests. So, it appears to me that this issue was public since at least
> > August 4th, and even more widely publicized with Apple's security
> > advisories on August 17.
> >
> > WebKit-2.36.6 was released shortly after the first bug report, on
> > 2022-08-07, and WebKit-2.36.7 was released yesterday, on 2022-08-25.
> >
> > With this bug seemingly being publicly known to be an actively
> > exploited code execution issue, why did it take several weeks and 2
> > WebKit releases to get this issue fixed and a WSA released?
> >
> > [1] https://support.apple.com/en-us/HT213412
> > [2] https://bugs.webkit.org/show_bug.cgi?id=243557
> > [3] https://github.com/WebKit/WebKit/pull/3023
>
>
> We (maintainers of Linux WebKit ports) don't have access to the security
> issues affecting Apple products until those issues are made public by them.

That is unfortunate.  I thought you would have access to embargoed
bugzilla tickets.

> So, we didn't knew until August 17th of this issue. Also you can see
> that the bug report itself or the patch doesn't has any indication that
> it fixes a security-related problem.
>
> Therefore, the time it took us to notice the issue, backport the fix and
> do a new release was just 7-8 days (from 17th to 24-25th of August).
> Which, honestely, it is quite good taking into account that: 1)
> back-porting the fix was not straightforward since it required
> back-porting also a few previous patches in order to be able to merge it
> properly and that 2) we are in August and people is usually on holidays.

Was backporting needed, as opposed to shipping a new minor version?

> On the other hand, I don't know if this issue was or is exploited on
> Linux WebKit users. All I known is that Apple said they are aware of a
> report that this issue was actively exploited (on Apple/WebKit users).
> So I assume this can also affect Linux WebKit users. But I don't have a
> confirmation that this is actually the case, neither I'm aware of any
> PoC demonstrating the issue.

Should every release include a comment like, “This release likely
contains security updates even if no security advisory has been issued.
Please treat it as such.”?
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab

Attachment: signature.asc
Description: