Browser choice in live images

Michael Catanzaro mcatanzaro at gnome.org
Thu Nov 5 18:23:10 UTC 2015


On Thu, 2015-11-05 at 09:37 -0700, Kevin Fenzi wrote:
> So, in no particular order: 
> 
> * I don't really think it's 'irresponsible' to ship midori in its
>   current state. It's not ideal, but if you know of specific critical
>   issues not fixed, please let me know. 

There are two ways to look up WebKit security bugs:

* You can just go through the WebKit commit history and look for bugs
that you don't have permission to see. This way you can see what
releases the bug was fixed in, and you can see the changes and the
commit log description, but you cannot see the bug report nor what the
CVEs were. This is what we've been doing recently when we provide a
count of the number of security bugs fixed in a release.

In this way, I can tell you that we've backported the following
security fixes to the 2.10 branch in the past three weeks. I'm not
going further back than three weeks, since it would take too long:

https://trac.webkit.org/changeset/190820
https://trac.webkit.org/changeset/190570
https://trac.webkit.org/changeset/190339

There's never enough data in the commit message to make it easy to
exploit the crash, for obvious reasons, but it's enough to be good
starting points for bad guys. Anyway, if you assume one security issue
a week, you can say you've missed roughly 40-50 security updates so far
this year. Most of these let attackers control your computer.

* You can look at Safari security advisories and read the CVEs listed
under WebKit headings. Apple never releases any details on these bugs
except when Google discovers the bug; it's almost always "Visiting a
maliciously crafted website may lead to an unexpected application
termination or arbitrary code execution." You don't know what
WebKitGTK+ release a CVE was fixed in, nor whether the bug is a
Mac-specific issue or a cross-platform issue, nor can you see the commit
the CVE was fixed in. (We were able to say what CVEs were fixed in a
WebKitGTK+ release for the first time with 2.4.8... and that was also
the last time, since Apple stopped providing us with that info.)

Just the most recent advisories indicate:

September: 34 bugs with impact "Visiting a maliciously crafted website
may lead to an unexpected application termination or arbitrary code
execution" https://support.apple.com/en-us/HT205377

October: 9 bugs with impact "Visiting a maliciously crafted website may
lead to arbitrary code execution" https://support.apple.com/kb/HT205377

You can imagine that there are hundreds of such issues fixed since
January. I'm concerned that the number of CVEs reported here is much
greater than the number of security bugs found by going through the
changelog, and can't explain the difference.

> * Midori upstream is working on moving to webkit2 (for quite a while
>   now). They have the base browser pretty much done, but they still
>   are working on porting some of the plugins. They keep hoping to
>   switch defaults soon, but they are a small project and have as much
>   time as they have. Any assistance with porting I'm sure would be
>   welcome.

Unfortunately there are too many apps that need assistance with
porting. :( We have to focus on the GNOME stuff first, which is still
not done. Midori's switch to WK2 has been taking very long, and it will
be great if they manage to finish soon.

Note that all of my complaints about Midori being insecure apply
equally to Evolution and Geary (unless you turn off display of HTML
mail) and anything else stuck on 2.4.

Michael

