oss-sec mailing list archives
Re: WebKitGTK and WPE WebKit Security Advisory WSA-2022-0008
From: Demi Marie Obenour <demi () invisiblethingslab com>
Date: Mon, 29 Aug 2022 14:03:44 -0400
On Mon, Aug 29, 2022 at 01:26:49PM +0200, Carlos Alberto Lopez Perez wrote:
On 26/08/2022 07:01, John Helmert III wrote:On Thu, Aug 25, 2022 at 11:34:04PM +0200, Carlos Alberto Lopez Perez wrote:------------------------------------------------------------------------ WebKitGTK and WPE WebKit Security Advisory WSA-2022-0008 ------------------------------------------------------------------------ Date reported : August 25, 2022 Advisory ID : WSA-2022-0008 WebKitGTK Advisory URL : https://webkitgtk.org/security/WSA-2022-0008.html WPE WebKit Advisory URL : https://wpewebkit.org/security/WSA-2022-0008.html CVE identifiers : CVE-2022-32893. Several vulnerabilities were discovered in WebKitGTK and WPE WebKit. CVE-2022-32893 Versions affected: WebKitGTK and WPE WebKit before 2.36.7. Credit to an anonymous researcher. Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.According to Apple's security advisories for this (e.g. [1]), this issue is tracked on the Webkit Bugzilla as 243557 [2] which was opened on 2022-08-04. A few minutes after that bug was opened, a pull request on GitHub was linked [3] with a patch which also seems to add unit tests. So, it appears to me that this issue was public since at least August 4th, and even more widely publicized with Apple's security advisories on August 17. WebKit-2.36.6 was released shortly after the first bug report, on 2022-08-07, and WebKit-2.36.7 was released yesterday, on 2022-08-25. With this bug seemingly being publicly known to be an actively exploited code execution issue, why did it take several weeks and 2 WebKit releases to get this issue fixed and a WSA released? [1] https://support.apple.com/en-us/HT213412 [2] https://bugs.webkit.org/show_bug.cgi?id=243557 [3] https://github.com/WebKit/WebKit/pull/3023We (maintainers of Linux WebKit ports) don't have access to the security issues affecting Apple products until those issues are made public by them.
That is unfortunate. I thought you would have access to embargoed bugzilla tickets.
So, we didn't knew until August 17th of this issue. Also you can see that the bug report itself or the patch doesn't has any indication that it fixes a security-related problem. Therefore, the time it took us to notice the issue, backport the fix and do a new release was just 7-8 days (from 17th to 24-25th of August). Which, honestely, it is quite good taking into account that: 1) back-porting the fix was not straightforward since it required back-porting also a few previous patches in order to be able to merge it properly and that 2) we are in August and people is usually on holidays.
Was backporting needed, as opposed to shipping a new minor version?
On the other hand, I don't know if this issue was or is exploited on Linux WebKit users. All I known is that Apple said they are aware of a report that this issue was actively exploited (on Apple/WebKit users). So I assume this can also affect Linux WebKit users. But I don't have a confirmation that this is actually the case, neither I'm aware of any PoC demonstrating the issue.
Should every release include a comment like, “This release likely contains security updates even if no security advisory has been issued. Please treat it as such.”? -- Sincerely, Demi Marie Obenour (she/her/hers) Invisible Things Lab
Attachment:
signature.asc
Description:
Current thread:
- WebKitGTK and WPE WebKit Security Advisory WSA-2022-0008 Carlos Alberto Lopez Perez (Aug 25)
- Re: WebKitGTK and WPE WebKit Security Advisory WSA-2022-0008 John Helmert III (Aug 26)
- Re: WebKitGTK and WPE WebKit Security Advisory WSA-2022-0008 Carlos Alberto Lopez Perez (Aug 29)
- Re: WebKitGTK and WPE WebKit Security Advisory WSA-2022-0008 Demi Marie Obenour (Aug 29)
- Re: WebKitGTK and WPE WebKit Security Advisory WSA-2022-0008 Carlos Alberto Lopez Perez (Sep 01)
- Re: WebKitGTK and WPE WebKit Security Advisory WSA-2022-0008 Demi Marie Obenour (Sep 01)
- Re: WebKitGTK and WPE WebKit Security Advisory WSA-2022-0008 Carlos Alberto Lopez Perez (Sep 02)
- Re: WebKitGTK and WPE WebKit Security Advisory WSA-2022-0008 Carlos Alberto Lopez Perez (Aug 29)
- Re: WebKitGTK and WPE WebKit Security Advisory WSA-2022-0008 John Helmert III (Aug 26)
- Re: WebKitGTK and WPE WebKit Security Advisory WSA-2022-0008 John Helmert III (Sep 13)