Old 02-19-2016, 04:01 PM   #1
ChuangTzu
Senior Member
 
Registered: May 2015
Location: Where ever needed
Distribution: Slackware/Salix while testing others
Posts: 1,718

Question webkitgtk flawed


Quote:
The WebKit rendering engine used in many Linux applications is a complete security mess. That’s the takeaway from a blog post by Michael Catanzaro, who works on GNOME’s WebKitGTK+ project. He’s sounding the alarm about a problem the open-source community needs to fix.
http://www.pcworld.com/article/30340...ulnerable.html
 
Old 02-19-2016, 10:04 PM   #2
schmatzler
Member
 
Registered: Jan 2011
Location: Germany
Distribution: Slackware64 -current + Multilib
Posts: 411

Banshee directly mentioned - whoops!

Well, I'd like to update webkitgtk to the latest version very often.

Last I checked, it always required a ridiculous amount of very recent system libraries, though. I'm not up for rebuilding Slackware from the ground up to get an up-to-date webkitgtk.

Edit: I've changed the 2.4.9 SlackBuild for webkitgtk 2.10.7 like this and it at least starts to build this time:

Code:
  cmake \
    -DCMAKE_C_FLAGS:STRING="$SLKCFLAGS" \
    -DCMAKE_CXX_FLAGS:STRING="$SLKCFLAGS" \
    -DCMAKE_INSTALL_PREFIX=/usr \
    -DLIB_INSTALL_DIR=/usr/lib$LIBDIRSUFFIX  \
    -DPORT=GTK \
    -DENABLE_GEOLOCATION=OFF \
    -DUSE_LIBHYPHEN=OFF \
    -DUSE_SYSTEM_MALLOC=ON \
    -DENABLE_ACCELERATED_2D_CANVAS=ON \
    -DCMAKE_BUILD_TYPE=Release ..
Let's see if it fails or not.

Last edited by schmatzler; 02-19-2016 at 10:48 PM.
 
Old 02-19-2016, 11:03 PM   #3
willysr
Senior Member
 
Registered: Jul 2004
Location: Jogja, Indonesia
Distribution: Slackware-Current
Posts: 4,661

webkitgtk 2.10 utilizes a different API compared to the previous 2.4.9, and both can be co-installed on one system.
In SBo we have 3 different webkits: webkitgtk (uses GTK2), webkitgtk3 (uses GTK3), and webkit2gtk (uses API2).
See here: https://slackbuilds.org/cgit/slackbu...p&q=webkit2gtk
 
1 members found this post helpful.
Old 02-19-2016, 11:21 PM   #4
schmatzler
Member
 
Registered: Jan 2011
Location: Germany
Distribution: Slackware64 -current + Multilib
Posts: 411

Thanks, willysr.

But I guess this means that Banshee is stuck on 2.4.x and since development has stalled over the last year, it might be time to switch to a different media management program...
 
Old 02-20-2016, 04:23 AM   #5
ReaperX7
LQ Guru
 
Registered: Jul 2011
Location: California
Distribution: Slackware64-15.0 Multilib
Posts: 6,558
Blog Entries: 15

Not to mention, webkitgtk requires a VERY lengthy build time, very similar to xulrunner-based browsers, and about as many resources.
 
Old 02-20-2016, 05:57 AM   #6
brobr
Member
 
Registered: Oct 2003
Location: uk
Distribution: Slackware
Posts: 974

The original blog is worth a read. Lifting some snippets out that might be useful for this forum:

Quote:
Remember that ..WebKitGTK+ 2.4.9 was released upstream over eight months ago... It’s worth mentioning that 2.4.9 contains the fix for that serious networking backend issue .. mentioned earlier (CVE-2015-2330).
@schmatzler:
Quote:
Banshee is stuck on 2.4.x
SlackBuilds is on 2.4.9, thus in that respect, if you have followed SBo updates on your box, one hole should be plugged.....

Back to the blog: Major problems are with KDE-applications that rely on QtWebkit:
Quote:
There’s not much hope left for QtWebKit; these applications have hundreds of known vulnerabilities that will never be fixed. Applications should port to QtWebEngine, but for many applications this may not be easy or even possible... There is some effort to update QtWebKit.[If it] make its way into upstream Qt, this problem could be solved.
Upgrading of applications to the API2 version is also discussed...
Quote:
While upgrading to the WebKit2 API will be easy for most applications .., for many others it will be a significant challenge.... like GIMP and Geany that are stuck on GTK+ 2. They first have to upgrade to GTK+ 3 before they can consider upgrading to modern WebKitGTK+. GIMP is working on a GTK+ 3 port anyway (GIMP uses WebKitGTK+ for its help browser), but many applications like Geany (the IDE ..) are content to remain on GTK+ 2 forever.
But the problem remains:
Quote:
WebKitGTK+ 2.4 has not had any updates since last May, and the last real comprehensive security update was over one year ago. Since then, almost 130 vulnerabilities have been fixed in newer versions of WebKitGTK+.
and might not go away:
Quote:
How do we fix this? Well, for applications using modern WebKitGTK+, .. distributions .. have to start taking our security updates.

For applications stuck on WebKitGTK+ 2.4:

[Do not reckon on] security backports to WebKitGTK+ 2.4.

Major distributions could remove the old WebKitGTK+ compatibility packages. That will force applications to upgrade, but many will not have the manpower to do so: good applications will be lost. This is probably the only realistic way to fix the security problem, but it’s a very unfortunate one. (But don’t forget about QtWebKit. QtWebKit is based on an even older version of WebKit than WebKitGTK+ 2.4. It doesn’t make much sense to allow one insecure version of WebKit but not another.)

Or, a far more likely possibility: we could do nothing, and keep using insecure software.
 
1 members found this post helpful.
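
An added example, not part of any post in this thread: one way to list which ELF binaries on a box still link directly against the WebKit1-era libraries or QtWebKit discussed above, by classifying the `NEEDED` entries that `readelf -d` reports. The soname patterns, the script name and the sample input are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Soname patterns are assumptions based on
# upstream library naming; adjust them to what your packages actually install.

# Map one shared-library soname to the WebKit port/API generation it belongs to.
classify_webkit_lib() {
  case "$1" in
    libwebkitgtk-1.0.so*)  echo "legacy WebKitGTK+ (GTK+ 2, WebKit1 API, 2.4.x or older)" ;;
    libwebkitgtk-3.0.so*)  echo "legacy WebKitGTK+ (GTK+ 3, WebKit1 API, 2.4.x or older)" ;;
    libwebkit2gtk-3.0.so*) echo "legacy WebKitGTK+ (GTK+ 3, WebKit2 API, 2.4.x or older)" ;;
    libwebkit2gtk-4.*.so*) echo "modern WebKitGTK+ (WebKit2 API)" ;;
    libQtWebKit*.so*|libQt5WebKit*.so*) echo "QtWebKit" ;;
    *) return 1 ;;
  esac
}

# Read `readelf -d` output on stdin; print "soname: flavour" per WebKit dependency.
webkit_needed() {
  sed -n 's/.*(NEEDED).*\[\(.*\)].*/\1/p' |
  while read -r lib; do
    if flavour=$(classify_webkit_lib "$lib"); then
      printf '%s: %s\n' "$lib" "$flavour"
    fi
  done
}

# Report the WebKit libraries one ELF file links against directly.
audit_binary() {
  readelf -d "$1" 2>/dev/null | webkit_needed |
  while read -r line; do printf '%s: %s\n' "$1" "$line"; done
}

# Constructed sample of `readelf -d` lines for a hypothetical GTK+ 2 application.
SAMPLE_DYNAMIC=' 0x0000000000000001 (NEEDED)  Shared library: [libgtk-x11-2.0.so.0]
 0x0000000000000001 (NEEDED)  Shared library: [libwebkitgtk-1.0.so.0]
 0x0000000000000001 (NEEDED)  Shared library: [libc.so.6]'

sample_report() { printf '%s\n' "$SAMPLE_DYNAMIC" | webkit_needed; }

# Usage (hypothetical script name): sh webkit-audit.sh /usr/bin/* /usr/lib64/*.so*
if [ "$#" -gt 0 ]; then
  for f in "$@"; do audit_binary "$f"; done
else
  sample_report
fi
```

Only direct `NEEDED` entries are reported, so applications that reach WebKit through a plugin, `dlopen` or a language binding will not appear and need a separate check.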
Old 02-20-2016, 09:20 PM   #7
ChuangTzu
Senior Member
 
Registered: May 2015
Location: Where ever needed
Distribution: Slackware/Salix while testing others
Posts: 1,718

Original Poster
brobr, thank you for posting the original blog link...fascinating read.
 
Old 02-25-2016, 02:00 AM   #8
cowlitzron
Member
 
Registered: Feb 2011
Location: Washington state
Distribution: Devuan Daedalus 5.0, C4C Ubuntu 22.04
Posts: 190

I was able to build WebKitGTK 2.10.7 on an Ubuntu 14.04 Trusty base. JULinux 10, which has been elevated to my primary distro and uses this base, includes Midori as one of three browsers. Midori on Ubuntu uses the older 2.4.x WebKitGTK base. I did compile Midori against the new WebKit but had a bad memory leak issue which caused the memory to become full, and I also had a problem with it crashing when I backspaced in the address bar. And, with any Epiphany version older than 3.14.x not building against WebKitGTK 2.10.x, and the newest Epiphany version on the Trusty base being 3.12, it's too risky to try and build Epiphany 3.14 on the Trusty base outside of a fake root. Slackware users would only run Epiphany if they have Dropline GNOME, which does have a 3.14 version for Slackware 14.1. The only other browsers I know of that run WebKit2GTK are minimalist browsers which do not have bookmarks. The following is a screenshot on which I have the Lariza Browser, which runs WebKit2, on the left and Midori with WebKit1 on the right, both with html5test.com.

[Attached screenshot: WebKit2-Midori-screenshot2.png]

I usually browse with Pale Moon which has many security updates having recently switched from SeaMonkey as my main browser. I have FossaMail as my email client which is a fork of Thunderbird put out by the same group as Pale Moon.
 
  

