Announcement

Collapse
No announcement yet.

WebKitGTK+ Hit Hard By Over 100 Security Vulnerabilities

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • WebKitGTK+ Hit Hard By Over 100 Security Vulnerabilities

    Phoronix: WebKitGTK+ Hit Hard By Over 100 Security Vulnerabilities

    WebKitGTK+ WSA-2015-0002 was made public today as a security advisory with more than 100 vulnerabilities being mentioned...

    http://www.phoronix.com/scan.php?pag...ulnerabilities

  • #2
    I don't see any CVE which isn't due to WebKit. I was assuming there'd be some unique bugs.

    Comment


    • #3
      Hi,

      Latest stable version of webkitgtk4 isn't hit at all.

      Quoting the message in the mailing list:

      * Zero CVEs affecting the webkitgtk4 package in F23
      * 40 CVEs affecting the webkitgtk4 package in F22
      * 129 CVEs affecting the webkitgtk and webkitgtk3 packages in F22/F23


      It's a good thing to know that this is precisely the version used in epiphany,
      the web browser based on webkitgtk (and also midori but i don't know if it's
      available in fedora).

      This looks like FUD to me !

      Comment


      • #4
        Some of the default apps shipped with Fedora Workstation has dependencies on webkitgtk or webkitgtk3, such as rhythmbox, shotwell, yelp, evolution.
        However, none of them are Web-target apps, except evolution.

        Not too bad, but still no good.

        Comment


        • #5
          While webgtk4 has no cve listed, it seems....strange, to tie themselves to an engine that isn't at the forefront of web tech.
          I've asked them before why they don't write to the CEF. Then, they'll have a state-of-the-art browser engine at their disposal, and, very soon, be able to have a choice as to which engine to use (servo has been working towards implementing the necessary hooks). From what I recall, they really, really like apple and want to work there....
          OK, that's not true. They said, IIRC, that the webkit maintainers are very accommodating to them, so why should they make such a substantial change? Frankly, I could believe he said this as they are now completely relying on the largesse of a company who isn't trying to push forward the web, or in other words, isn't heavily relying on the web like google and mozilla. Webkit has fallen behind blink. Servo will offer a radically different architecture from any other browser (assuming ganesha goes nowhere), along with excellent security. Soon, if they aren't already, they'll be running the new ie 6.

          Comment


          • #6
            Originally posted by phoronix View Post
            Phoronix: WebKitGTK+ Hit Hard By Over 100 Security Vulnerabilities

            WebKitGTK+ WSA-2015-0002 was made public today as a security advisory with more than 100 vulnerabilities being mentioned...

            http://www.phoronix.com/scan.php?pag...ulnerabilities

            Michael, I don't think this is entirely accurate. As far as I'm aware the vulnerabilities are in WebKit itself, and only affect WebKitGTK+ because they use it.

            Comment


            • #7
              Originally posted by liam View Post
              While webgtk4 has no cve listed, it seems....strange, to tie themselves to an engine that isn't at the forefront of web tech.
              I've asked them before why they don't write to the CEF. Then, they'll have a state-of-the-art browser engine at their disposal, and, very soon, be able to have a choice as to which engine to use (servo has been working towards implementing the necessary hooks). From what I recall, they really, really like apple and want to work there....
              OK, that's not true. They said, IIRC, that the webkit maintainers are very accommodating to them, so why should they make such a substantial change? Frankly, I could believe he said this as they are now completely relying on the largesse of a company who isn't trying to push forward the web, or in other words, isn't heavily relying on the web like google and mozilla. Webkit has fallen behind blink. Servo will offer a radically different architecture from any other browser (assuming ganesha goes nowhere), along with excellent security. Soon, if they aren't already, they'll be running the new ie 6.
              Mozilla makes embedding actively difficult. This has been discussed various times with Mozilla. There's almost no effort going into that. Suggesting Servo, something again from Mozilla seems highly unrealistic. Couple with your talk about "they just want to work at Apple" makes me think you're just talking nonsense.

              Comment


              • #8
                Originally posted by liam View Post
                While webgtk4 has no cve listed, it seems....strange, to tie themselves to an engine that isn't at the forefront of web tech.
                I've asked them before why they don't write to the CEF. Then, they'll have a state-of-the-art browser engine at their disposal, and, very soon, be able to have a choice as to which engine to use (servo has been working towards implementing the necessary hooks). From what I recall, they really, really like apple and want to work there....
                OK, that's not true. They said, IIRC, that the webkit maintainers are very accommodating to them, so why should they make such a substantial change? Frankly, I could believe he said this as they are now completely relying on the largesse of a company who isn't trying to push forward the web, or in other words, isn't heavily relying on the web like google and mozilla. Webkit has fallen behind blink. Servo will offer a radically different architecture from any other browser (assuming ganesha goes nowhere), along with excellent security. Soon, if they aren't already, they'll be running the new ie 6.
                WebKit has fallen behind, yet consistently provides a more robust and stable solution. Blink is broken and has been for over a year. It permanentally stuck on experimental. If you've followed WebKit2 you'd realize WebKitGTK+ is quite a bit behind Safari WebKit2. But with each release of it and Epiphany I run out of reasons to bother with Firefox/Iceweasel and I don't waste my time with Chrome/Chromium.

                https://webkit.org/status/

                What I can expect from this status list is a stable solution that continues to chew up the Web Specs as they mature.

                Comment


                • #9
                  Originally posted by bkor View Post

                  Mozilla makes embedding actively difficult. This has been discussed various times with Mozilla. There's almost no effort going into that. Suggesting Servo, something again from Mozilla seems highly unrealistic. Couple with your talk about "they just want to work at Apple" makes me think you're just talking nonsense.
                  Yea it's so unrealistic that it totally doesn't exist at all.

                  Comment


                  • #10
                    Originally posted by rstat1 View Post

                    Yea it's so unrealistic that it totally doesn't exist at all.
                    Uhm, you seem to advertise servo. From devs who managed to create epic 0day using sandboxed JS. I think they are going to face a lot of colorful CVEs. If someone would use servo at all. Speaking for myself, I'm not going to be one of these, I'm fed up with all Mozilla BS about turning browser to locked down "ecosystem". So it already worse than Google, not anyhow better than Apple and also uses some homegrown language created for their engine. I wish Mozilla luck with this approach, but I think Firefox OS wasn't last of their FAILs. I've had to move away from Mozilla browser, since they are just plain annoying.

                    And while I can admit 100 CVEs are looking interesting, I think Mozilla is a really wrong place to seek for better options. At the end of day, Chrome/Chromium are using Linux containers for many years. Mozilla devs seems to be unaware it exists at all. Yeah, containers will easily thwart bugs like mozilla's 0day in pdf.js, but who cares, right? Even if calling clone() with right flags barely takes few lines of code...
                    Last edited by SystemCrasher; 12-30-2015, 06:04 AM.

                    Comment

                    Working...
                    X