oss-sec mailing list archives
Re: WebKitGTK and WPE WebKit Security Advisory WSA-2022-0008
From: Demi Marie Obenour <demi () invisiblethingslab com>
Date: Thu, 1 Sep 2022 18:11:58 -0400
On Thu, Sep 01, 2022 at 10:31:16PM +0200, Carlos Alberto Lopez Perez wrote:
On 29/08/2022 20:03, Demi Marie Obenour wrote:We (maintainers of Linux WebKit ports) don't have access to the security issues affecting Apple products until those issues are made public by them.That is unfortunate. I thought you would have access to embargoed bugzilla tickets.We do have access to the tickets on WebKit bugzilla that are marked as security-related and are hidden from other users by default.
Okay, that makes sense. As an aside, why are these tickets kept hidden indefinitely even after patches have been available for a long time?
However, we don't receive the information about which WebKit fixes will be included in any Apple security update until those advisories are public.So, we didn't knew until August 17th of this issue. Also you can see that the bug report itself or the patch doesn't has any indication that it fixes a security-related problem. Therefore, the time it took us to notice the issue, backport the fix and do a new release was just 7-8 days (from 17th to 24-25th of August). Which, honestely, it is quite good taking into account that: 1) back-porting the fix was not straightforward since it required back-porting also a few previous patches in order to be able to merge it properly and that 2) we are in August and people is usually on holidays.Was backporting needed, as opposed to shipping a new minor version?It was. Fixes land in the master (main) branch. Those fixes don't necessarely apply or work on the branch of the last webkitgtk-stable branch.
I see. Have you considered using the same branch of WebKit that Apple does, or backporting security patches as soon as they land in main without waiting for an upstream release? Presumably you know which commits are security fixes. -- Sincerely, Demi Marie Obenour (she/her/hers) Invisible Things Lab
Attachment:
signature.asc
Description:
Current thread:
- WebKitGTK and WPE WebKit Security Advisory WSA-2022-0008 Carlos Alberto Lopez Perez (Aug 25)
- Re: WebKitGTK and WPE WebKit Security Advisory WSA-2022-0008 John Helmert III (Aug 26)
- Re: WebKitGTK and WPE WebKit Security Advisory WSA-2022-0008 Carlos Alberto Lopez Perez (Aug 29)
- Re: WebKitGTK and WPE WebKit Security Advisory WSA-2022-0008 Demi Marie Obenour (Aug 29)
- Re: WebKitGTK and WPE WebKit Security Advisory WSA-2022-0008 Carlos Alberto Lopez Perez (Sep 01)
- Re: WebKitGTK and WPE WebKit Security Advisory WSA-2022-0008 Demi Marie Obenour (Sep 01)
- Re: WebKitGTK and WPE WebKit Security Advisory WSA-2022-0008 Carlos Alberto Lopez Perez (Sep 02)
- Re: WebKitGTK and WPE WebKit Security Advisory WSA-2022-0008 Carlos Alberto Lopez Perez (Aug 29)
- Re: WebKitGTK and WPE WebKit Security Advisory WSA-2022-0008 John Helmert III (Aug 26)
- Re: WebKitGTK and WPE WebKit Security Advisory WSA-2022-0008 John Helmert III (Sep 13)