Bug #11051
Audit applications using WebKit ports in Tails
100%
Description
https://blogs.gnome.org/mcatanzaro/2016/02/01/on-webkit-security-updates/
This blog post points out that the versions of WebKit bundled in popular Linux GUI libraries (QtWebKit and WebKitGTK) are often seriously behind in terms of receiving security fixes from upstream. It is good that Tails uses IceWeasel as the default browser, because it would be the most serious concern and fortunately it is not affected. However, there are a number of other applications that do use WebKitGTK, some of which may be included in Tails. Here’s an incomplete list from the blog post:
GIMP, Liferea (edited list to remove software that Tails doesn’t ship)
It would be good to audit Tails’ use of these programs (and any other programs that might use out-of-date WebKit) and evaluate whether this could lead to security vulnerabilities for Tails users.
Subtasks
Bug #16313: Investigate why evolution-data-server is inside Tails 4.0 installed | Resolved | hefee | 0 |
Related issues
Related to Tails - Bug #14508: Get critical parts of Tails audited | Confirmed | 2017-08-30 | |
Blocked by Tails - | Resolved | 2018-08-09 |
History
#1 Updated by intrigeri 2016-02-04 20:04:53
- Status changed from New to In Progress
- Type of work changed from Research to Security Audit
> It is good that Tails uses IceWeasel as the default browser
Nitpicking that doesn’t change anything to your reasoning: we ship Tor Browser, not Iceweasel :)
> Anjuta, Banshee, Bijiben (GNOME Notes), Devhelp, Empathy, Evolution, Geany, Geary, GIMP, gitg, GNOME Builder, GNOME Documents, GNOME Initial Setup, GNOME Online Accounts, GnuCash, gThumb, Liferea, Midori, Rhythmbox, Shotwell, Sushi, and Yelp (GNOME Help)
From this list, in 2.0 we ship only GIMP and Liferea. One could try removing all webkitgtk packages from Tails 2.0 and see if anything else depends on it.
- GIMP: no idea what it uses webkitgtk+ for; does it use it on untrusted data?
- Liferea: I think we should simply stop shipping it; last time we looked at it seriously, we gave up on making its internal web browser safe enough for our needs and the only resulting action item was Bug #9429; apart from that, we were simply waiting for Icedove to drop Liferea (Feature #7626).
#2 Updated by intrigeri 2016-02-19 00:42:45
- Priority changed from Normal to Low
There’s little chance that someone on the team does it any time soon. Help would be warmly welcome! :)
#3 Updated by cypherpunks 2016-02-21 12:36:44
intrigeri wrote:
> * GIMP: no idea what it uses webkitgtk+ for; does it use it on untrusted data?
> * Liferea: I think we should simply stop shipping it; last time we looked at it seriously, we gave up on making its internal web browser safe enough for our needs and the only resulting action item was Bug #9429; apart from that, we were simply waiting for Icedove to drop Liferea (Feature #7626).
I think worrying about vulnerabilities in GIMP’s WebKit engine is the absolute least thing we should be worrying about with regards to security issues in GIMP. There are so many complex and obscure formats it supports, many of which do have extant security issues. Also, I believe it uses WebKitGTK+ in order to convert documents of various kinds to image formats, and for its internal help system. If necessary though I could check the source sometime this week and tell you what it uses it for with more certainty.
I plan to write an AppArmor policy for GIMP in the near or near-ish future for Tails so that issue should be moot anyway, depending on threat model (which I assume merely involves confining a hijacked GIMP process from the rest of the system).
#4 Updated by cypherpunks 2016-02-21 12:52:27
Also, I think that Tails 2.0 ships more than just GIMP and Liferea. It also ships Yelp. I’m not sure why anyone would care about auditing it though, because it’s not used on untrusted data. It only reads configuration files in $HOME and stuff like that, and if someone can already write to arbitrary files in $HOME, they own that user. The only issue I could think of is if the files read by Yelp are also writable by the AppArmor policy of a sensitive program like Totem or the browser.
#5 Updated by BitingBird 2016-06-26 11:34:59
- Description updated
- Status changed from In Progress to Confirmed
#6 Updated by Anonymous 2018-08-17 16:51:46
- related to Bug #14508: Get critical parts of Tails audited added
#7 Updated by Anonymous 2018-08-18 11:03:52
- related to Bug #15776: Remove Liferea added
#8 Updated by Anonymous 2018-08-18 11:04:18
liferea will be removed in 3.12 and deprecated in 3.9.
#9 Updated by intrigeri 2018-11-18 07:41:24
- Status changed from Confirmed to In Progress
- Assignee set to segfault
- Target version set to Tails_3.12
- % Done changed from 0 to 50
- QA Check set to Ready for QA
It should be noted that the Debian security support explicitly excludes webkitgtk and qtwebkit: “only for use on trusted content”. So yeah, it’s important to check what this ticket is about.
We don’t ship qtwebkit in current Tails. I’ve checked the reverse dependencies of webkitgtk that we ship (packages that apt remove libwebkit2gtk-4.0-37 gir1.2-webkit2-4.0 wants to remove) and the only one that I imagine using WebKit on untrusted data is Liferea. So once that one is gone (Bug #15776) I think we can call this ticket done.
#10 Updated by intrigeri 2018-11-18 07:41:31
- related to deleted (Bug #15776: Remove Liferea)
#11 Updated by intrigeri 2018-11-18 07:41:36
- blocked by Bug #15776: Remove Liferea added
#12 Updated by intrigeri 2019-01-04 15:20:56
- Assignee deleted (segfault)
#13 Updated by hefee 2019-01-06 15:57:00
- Assignee set to hefee
#14 Updated by hefee 2019-01-06 16:33:53
Okay, the following packages seem to ship a WebKit instance. Search in packages.d.o for WebKit in filename:
For buster:
- gambas3-runtime (not used in Tails)
- gambas3-gb-qt5-webkit (not used in Tails)
- libkf5webkit5 (not used in Tails)
- libqtwebkit4 (not used in Tails)
- libvtk6.3-qt (not used in Tails)
- libwebkit2gtk-4.0-37-gtk2
- libwebkit2gtk-4.0-doc (not used in Tails)
- gir1.2-webkit2-4.0
- qtwebkit5-doc-html (not used in Tails)
root@amnesia:~# apt purge libwebkit2gtk-4.0-37 gir1.2-webkit2-4.0
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
accountsservice apg cheese-common evolution-data-server-common gir1.2-accountsservice-1.0 gir1.2-gck-1
gir1.2-gcr-3 gir1.2-gdm-1.0 gir1.2-geoclue-2.0 gir1.2-gmenu-3.0 gir1.2-gnomebluetooth-1.0
gir1.2-gweather-3.0 gir1.2-javascriptcoregtk-4.0 gir1.2-mutter-3 gir1.2-nm-1.0 gir1.2-nma-1.0
gir1.2-polkit-1.0 gir1.2-rsvg-2.0 gir1.2-soup-2.4 gir1.2-upowerglib-1.0 gnome-backgrounds
gnome-control-center-data gnome-session-bin gnome-session-common gnome-shell-common libaccountsservice0
libcamel-1.2-62 libcaribou-gtk3-module libcheese-gtk25 libcheese8 libcolord-gtk1 libebackend-1.2-10
libebook-1.2-19 libebook-contacts-1.2-2 libecal-1.2-19 libedata-book-1.2-25 libedata-cal-1.2-29
libedataserver-1.2-23 libgdm1 libgnome-bluetooth13 libgnome-menu-3-0 libical3 libjavascriptcoregtk-4.0-18
libmutter-3-0 libphonenumber7 libpipewire-0.2-1 libprotobuf17 libwoff1 libxcb-res0 mutter-common
python3-distro ttf-unifont xwayland yelp-xsl zenity-common
Use 'apt autoremove' to remove them.
The following packages will be REMOVED:
evolution-data-server* gdm3* gir1.2-webkit2-4.0* gnome-control-center* gnome-session* gnome-shell*
gnome-shell-extension-desktop-icons* gnome-shell-extension-top-icons-plus* gnome-shell-extensions*
gnome-user-docs* libedataserverui-1.2-2* libgoa-backend-1.0-1* libwebkit2gtk-4.0-37* libyelp0* mutter*
tails-greeter* yelp* zenity*
0 upgraded, 0 newly installed, 18 to remove and 0 not upgraded.
After this operation, 129 MB disk space will be freed.
==> evolution-data-server - really? Other stuff looks to be GNOME internal stuff depending on WebKit, that would be fine for feature/buster Tails 4.0
for Tails 3.11:
- gambas3-gb-qt5-webkit (not used in Tails)
- libkf5webkit5 (not used in Tails)
- libqtwebkit4 (not used in Tails)
- libvtk6.3-qt (not used in Tails)
- libwebkitgtk-1.0-0
- libwebkitgtk-3.0-0
- libwebkit2gtk-4.0-37
- libqtscript4-webkit (not used in Tails)
- libwebkit2gtk-4.0-doc (not used in Tails)
- gir1.2-webkit2-4.0
- qtwebkit5-doc-html (not used in Tails)
root@amnesia:~# apt purge gir1.2-webkit2-4.0 libwebkit2gtk-4.0-37
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
accountsservice apg cheese-common evolution-data-server evolution-data-server-common
gir1.2-accountsservice-1.0 gir1.2-gck-1 gir1.2-gcr-3 gir1.2-gdm-1.0 gir1.2-gmenu-3.0
gir1.2-gnomebluetooth-1.0 gir1.2-gweather-3.0 gir1.2-javascriptcoregtk-4.0 gir1.2-mutter-3.0
gir1.2-networkmanager-1.0 gir1.2-nmgtk-1.0 gir1.2-polkit-1.0 gir1.2-soup-2.4 gir1.2-telepathyglib-0.12
gir1.2-telepathylogger-0.2 gir1.2-upowerglib-1.0 gnome-backgrounds gnome-control-center-data
gnome-session-bin gnome-session-common gnome-shell-common libaccountsservice0 libcamel-1.2-59
libcaribou-gtk3-module libcheese-gtk25 libcheese8 libcolord-gtk1 libebackend-1.2-10 libebook-1.2-16
libebook-contacts-1.2-2 libecal-1.2-19 libedata-book-1.2-25 libedata-cal-1.2-28 libedataserver-1.2-22
libgdm1 libglib2.0-bin libgnome-bluetooth13 libgnome-menu-3-0 libical2 libjavascriptcoregtk-4.0-18
libmutter0i libnm-glib4 libnm-gtk0 libnm-util2 libnma0 libphonenumber7 libtelepathy-glib0
libtelepathy-logger3 libxcb-res0 liferea-data mutter-common ttf-unifont xwayland yelp-xsl zenity-common
Use 'apt autoremove' to remove them.
The following packages will be REMOVED:
gdm3* gir1.2-webkit2-4.0* gnome-control-center* gnome-session* gnome-shell*
gnome-shell-extension-top-icons-plus* gnome-shell-extensions* gnome-user-guide* libgoa-backend-1.0-1*
libwebkit2gtk-4.0-37* libyelp0* liferea* mutter* network-manager-gnome* tails-greeter* yelp* zenity*
0 upgraded, 0 newly installed, 17 to remove and 0 not upgraded.
After this operation, 127 MB disk space will be freed.
==> only liferea is not GNOME internal stuff, so NOT fine for Tails 3.11
#15 Updated by hefee 2019-01-06 16:54:39
And finally against Tails 3.12 (tails-amd64-devel-3.12-20190104T1005Z-53094b0ede.iso):
root@amnesia:~# apt purge gir1.2-webkit2-4.0 libwebkit2gtk-4.0-37
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
accountsservice apg cheese-common evolution-data-server
evolution-data-server-common gir1.2-accountsservice-1.0 gir1.2-gck-1
gir1.2-gcr-3 gir1.2-gdm-1.0 gir1.2-gmenu-3.0 gir1.2-gnomebluetooth-1.0
gir1.2-gweather-3.0 gir1.2-javascriptcoregtk-4.0 gir1.2-mutter-3.0
gir1.2-networkmanager-1.0 gir1.2-nmgtk-1.0 gir1.2-polkit-1.0 gir1.2-soup-2.4
gir1.2-telepathyglib-0.12 gir1.2-telepathylogger-0.2 gir1.2-upowerglib-1.0
gnome-backgrounds gnome-control-center-data gnome-session-bin
gnome-session-common gnome-shell-common libaccountsservice0 libcamel-1.2-59
libcaribou-gtk3-module libcheese-gtk25 libcheese8 libcolord-gtk1
libebackend-1.2-10 libebook-1.2-16 libebook-contacts-1.2-2 libecal-1.2-19
libedata-book-1.2-25 libedata-cal-1.2-28 libedataserver-1.2-22 libgdm1
libglib2.0-bin libgnome-bluetooth13 libgnome-menu-3-0 libical2
libjavascriptcoregtk-4.0-18 libmutter0i libnm-glib4 libnm-gtk0 libnm-util2
libnma0 libphonenumber7 libtelepathy-glib0 libtelepathy-logger3 libxcb-res0
mutter-common ttf-unifont xwayland yelp-xsl zenity-common
Use 'apt autoremove' to remove them.
The following packages will be REMOVED:
gdm3* gir1.2-webkit2-4.0* gnome-control-center* gnome-session* gnome-shell*
gnome-shell-extension-top-icons-plus* gnome-shell-extensions*
gnome-user-guide* libgoa-backend-1.0-1* libwebkit2gtk-4.0-37* libyelp0*
mutter* network-manager-gnome* tails-greeter* yelp* zenity*
0 upgraded, 0 newly installed, 16 to remove and 0 not upgraded.
After this operation, 126 MB disk space will be freed.
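The comparison made in comments #14 and #15, as an added example that is not part of the ticket or of Tails' own tooling: parse the apt output and flag every package in the "will be REMOVED" list that has not already been reviewed. The function names and the REVIEWED list are assumptions made for illustration; the list encodes the "GNOME internal" judgement from comment #14.

```shell
#!/bin/sh
# Added example: triage what an apt purge of the WebKitGTK packages would remove.

# Packages already judged acceptable (assumption: encodes the "GNOME internal"
# call from comment #14, plus the two WebKit packages themselves).
REVIEWED="gdm3 gir1.2-webkit2-4.0 gnome-control-center gnome-session gnome-shell \
gnome-shell-extension-top-icons-plus gnome-shell-extensions gnome-user-guide \
libgoa-backend-1.0-1 libwebkit2gtk-4.0-37 libyelp0 mutter network-manager-gnome \
tails-greeter yelp zenity"

# Read apt output on stdin; print the "will be REMOVED" packages, one per line.
# The autoremove candidates listed earlier in the output are ignored.
removed_packages() {
    awk '
        /^The following packages will be REMOVED:/ { in_list = 1; next }
        in_list && /^[ \t]+/ {
            for (i = 1; i <= NF; i++) { sub(/\*$/, "", $i); print $i }
            next
        }
        { in_list = 0 }
    ' | sort -u
}

# Read apt output on stdin; print removed packages that nobody has reviewed yet.
unreviewed_packages() {
    removed_packages | while IFS= read -r pkg; do
        case " $REVIEWED " in
            *" $pkg "*) ;;
            *) printf '%s\n' "$pkg" ;;
        esac
    done
}

# Sample input: abridged copy of the apt output in comment #14 (Tails 3.11).
sample_3_11() {
    cat <<'EOF'
The following packages were automatically installed and are no longer required:
  accountsservice apg cheese-common liferea-data yelp-xsl zenity-common
Use 'apt autoremove' to remove them.
The following packages will be REMOVED:
  gdm3* gir1.2-webkit2-4.0* gnome-control-center* gnome-session* gnome-shell*
  gnome-shell-extension-top-icons-plus* gnome-shell-extensions* gnome-user-guide* libgoa-backend-1.0-1*
  libwebkit2gtk-4.0-37* libyelp0* liferea* mutter* network-manager-gnome* tails-greeter* yelp* zenity*
0 upgraded, 0 newly installed, 17 to remove and 0 not upgraded.
EOF
}

sample_3_11 | unreviewed_packages   # prints: liferea
```

On a live system the input can come from `LC_ALL=C apt-get -s purge libwebkit2gtk-4.0-37 gir1.2-webkit2-4.0`, where `-s` only simulates the removal and `LC_ALL=C` keeps the section headers in English so the parser matches them.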
#16 Updated by hefee 2019-01-06 16:56:54
- Assignee changed from hefee to intrigeri
- QA Check changed from Ready for QA to Pass
liferea will not be available in Tails 3.12 and nothing else popped up for Tails 3.12.
#17 Updated by intrigeri 2019-01-07 09:00:50
- Status changed from In Progress to Fix committed
- Assignee deleted (intrigeri)
Thanks for double-checking! Case closed, then.
#18 Updated by anonym 2019-01-30 11:53:04
- Status changed from Fix committed to Resolved