Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 1 Sep 2022 18:11:58 -0400
From: Demi Marie Obenour <demi@...isiblethingslab.com>
To: oss-security@...ts.openwall.com, John Helmert III <ajak@...too.org>
Subject: Re: WebKitGTK and WPE WebKit Security Advisory
 WSA-2022-0008

On Thu, Sep 01, 2022 at 10:31:16PM +0200, Carlos Alberto Lopez Perez wrote:
> On 29/08/2022 20:03, Demi Marie Obenour wrote:
> >> We (maintainers of Linux WebKit ports) don't have access to the security
> >> issues affecting Apple products until those issues are made public by them.
> > That is unfortunate.  I thought you would have access to embargoed
> > bugzilla tickets.
> > 
> 
> We do have access to the tickets on WebKit bugzilla that are marked as
> security-related and are hidden from other users by default.

Okay, that makes sense.  As an aside, why are these tickets kept hidden
indefinitely even after patches have been available for a long time?

> However, we don't receive the information about which WebKit fixes will
> be included in any Apple security update until those advisories are public.
> 
> 
> >> So, we didn't knew until August 17th of this issue. Also you can see
> >> that the bug report itself or the patch doesn't has any indication that
> >> it fixes a security-related problem.
> >>
> >> Therefore, the time it took us to notice the issue, backport the fix and
> >> do a new release was just 7-8 days (from 17th to 24-25th of August).
> >> Which, honestely, it is quite good taking into account that: 1)
> >> back-porting the fix was not straightforward since it required
> >> back-porting also a few previous patches in order to be able to merge it
> >> properly and that 2) we are in August and people is usually on holidays.
> > Was backporting needed, as opposed to shipping a new minor version?
> > 
> 
> It was. Fixes land in the master (main) branch. Those fixes don't
> necessarely apply or work on the branch of the last webkitgtk-stable branch.

I see.  Have you considered using the same branch of WebKit that Apple
does, or backporting security patches as soon as they land in main
without waiting for an upstream release?  Presumably you know which
commits are security fixes.
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab

Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.