Bug #11051

Audit applications using WebKit ports in Tails

Added by garrettr 2016-02-03 18:43:34. Updated 2019-01-30 11:53:04.

Status: Resolved
Priority: Normal
Assignee:
Category:
Target version:
Start date: 2019-01-06
Due date:
% Done: 100%
Feature Branch:
Type of work: Security Audit
Blueprint:
Starter:
Affected tool:
Deliverable for:
Description

https://blogs.gnome.org/mcatanzaro/2016/02/01/on-webkit-security-updates/

This blog post points out that the versions of WebKit bundled in popular Linux GUI libraries (QtWebKit and WebKitGTK) are often seriously behind in terms of receiving security fixes from upstream. It is good that Tails uses IceWeasel as the default browser, because it would be the most serious concern and fortunately it is not affected. However, there are a number of other applications that do use WebKitGTK, some of which may be included in Tails. Here’s an incomplete list from the blog post:

GIMP, Liferea (edited list to remove software that Tails doesn’t ship)

It would be good to audit Tails’ use of these programs (and any other programs that might use out-of-date WebKit) and evaluate whether this could lead to security vulnerabilities for Tails users.


Subtasks

Bug #16313: Investigate why evolution-data-server is inside Tails 4.0 installed Resolved hefee


Related issues

Related to Tails - Bug #14508: Get critical parts of Tails audited Confirmed 2017-08-30
Blocked by Tails - Bug #15776: Remove Liferea Resolved 2018-08-09

History

#1 Updated by intrigeri 2016-02-04 20:04:53

  • Status changed from New to In Progress
  • Type of work changed from Research to Security Audit

> It is good that Tails uses IceWeasel as the default browser

Nitpicking that doesn’t change anything to your reasoning: we ship Tor Browser, not Iceweasel :)

> Anjuta, Banshee, Bijiben (GNOME Notes), Devhelp, Empathy, Evolution, Geany, Geary, GIMP, gitg, GNOME Builder, GNOME Documents, GNOME Initial Setup, GNOME Online Accounts, GnuCash, gThumb, Liferea, Midori, Rhythmbox, Shotwell, Sushi, and Yelp (GNOME Help)

From this list, in 2.0 we ship only GIMP and Liferea. One could try removing all webkitgtk packages from Tails 2.0 and see if anything else depends on it.

  • GIMP: no idea what it uses webkitgtk+ for; does it use it on untrusted data?
  • Liferea: I think we should simply stop shipping it; last time we looked at it seriously, we gave up on making its internal web browser safe enough for our needs and the only resulting action item was Bug #9429; apart from that, we were simply waiting for Icedove to drop Liferea (Feature #7626).

#2 Updated by intrigeri 2016-02-19 00:42:45

  • Priority changed from Normal to Low

There’s little chance that someone on the team does it any time soon. Help would be warmly welcome! :)

#3 Updated by cypherpunks 2016-02-21 12:36:44

intrigeri wrote:
> * GIMP: no idea what it uses webkitgtk+ for; does it use it on untrusted data?
> * Liferea: I think we should simply stop shipping it; last time we looked at it seriously, we gave up on making its internal web browser safe enough for our needs and the only resulting action item was Bug #9429; apart from that, we were simply waiting for Icedove to drop Liferea (Feature #7626).

I think worrying about vulnerabilities in GIMP’s WebKit engine is the absolute least thing we should be worrying about with regards to security issues in GIMP. There are so many complex and obscure formats it supports, many of which do have extant security issues. Also, I believe it uses WebKitGTK+ in order to convert documents of various kinds to image formats, and for its internal help system. If necessary though I could check the source sometime this week and tell you what it uses it for with more certainty.

I plan to write an AppArmor policy for GIMP in the near or near-ish future for Tails so that issue should be moot anyway, depending on threat model (which I assume merely involves confining a hijacked GIMP process from the rest of the system).

#4 Updated by cypherpunks 2016-02-21 12:52:27

Also, I think that Tails 2.0 ships more than just GIMP and Liferea. It also ships Yelp. I’m not sure why anyone would care about auditing it though, because it’s not used on untrusted data. It only reads configuration files in $HOME and stuff like that, and if someone can already write to arbitrary files in $HOME, they own that user. The only issue I could think of is if the files read by Yelp are also writable by the AppArmor policy of a sensitive program like Totem or the browser.

#5 Updated by BitingBird 2016-06-26 11:34:59

  • Description updated
  • Status changed from In Progress to Confirmed

#6 Updated by Anonymous 2018-08-17 16:51:46

  • related to Bug #14508: Get critical parts of Tails audited added

#7 Updated by Anonymous 2018-08-18 11:03:52

#8 Updated by Anonymous 2018-08-18 11:04:18

liferea will be removed in 3.12 and deprecated in 3.9.

#9 Updated by intrigeri 2018-11-18 07:41:24

  • Status changed from Confirmed to In Progress
  • Assignee set to segfault
  • Target version set to Tails_3.12
  • % Done changed from 0 to 50
  • QA Check set to Ready for QA

It should be noted that the Debian security support explicitly excludes webkitgtk and qtwebkit: “only for use on trusted content”. So yeah, it’s important to check what this ticket is about.

We don’t ship qtwebkit in current Tails. I’ve checked the reverse dependencies of webkitgtk that we ship (packages that apt remove libwebkit2gtk-4.0-37 gir1.2-webkit2-4.0 wants to remove) and the only one that I imagine using WebKit on untrusted data is Liferea. So once that one is gone (Bug #15776) I think we can call this ticket done.

#10 Updated by intrigeri 2018-11-18 07:41:31

#11 Updated by intrigeri 2018-11-18 07:41:36

#12 Updated by intrigeri 2019-01-04 15:20:56

  • Assignee deleted (segfault)

#13 Updated by hefee 2019-01-06 15:57:00

  • Assignee set to hefee

#14 Updated by hefee 2019-01-06 16:33:53

Okay, we have the following packages that seem to ship a WebKit instance. Search in packages.d.o for WebKit in filename:

For buster:

  • gambas3-runtime (not used in Tails)
  • gambas3-gb-qt5-webkit (not used in Tails)
  • libkf5webkit5 (not used in Tails)
  • libqtwebkit4 (not used in Tails)
  • libvtk6.3-qt (not used in Tails)
  • libwebkit2gtk-4.0-37-gtk2
  • libwebkit2gtk-4.0-doc (not used in Tails)
  • gir1.2-webkit2-4.0
  • qtwebkit5-doc-html (not used in Tails)

root@amnesia:~# apt purge libwebkit2gtk-4.0-37 gir1.2-webkit2-4.0
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages were automatically installed and are no longer required:
  accountsservice apg cheese-common evolution-data-server-common gir1.2-accountsservice-1.0 gir1.2-gck-1
  gir1.2-gcr-3 gir1.2-gdm-1.0 gir1.2-geoclue-2.0 gir1.2-gmenu-3.0 gir1.2-gnomebluetooth-1.0
  gir1.2-gweather-3.0 gir1.2-javascriptcoregtk-4.0 gir1.2-mutter-3 gir1.2-nm-1.0 gir1.2-nma-1.0
  gir1.2-polkit-1.0 gir1.2-rsvg-2.0 gir1.2-soup-2.4 gir1.2-upowerglib-1.0 gnome-backgrounds
  gnome-control-center-data gnome-session-bin gnome-session-common gnome-shell-common libaccountsservice0
  libcamel-1.2-62 libcaribou-gtk3-module libcheese-gtk25 libcheese8 libcolord-gtk1 libebackend-1.2-10
  libebook-1.2-19 libebook-contacts-1.2-2 libecal-1.2-19 libedata-book-1.2-25 libedata-cal-1.2-29
  libedataserver-1.2-23 libgdm1 libgnome-bluetooth13 libgnome-menu-3-0 libical3 libjavascriptcoregtk-4.0-18
  libmutter-3-0 libphonenumber7 libpipewire-0.2-1 libprotobuf17 libwoff1 libxcb-res0 mutter-common
  python3-distro ttf-unifont xwayland yelp-xsl zenity-common
Use 'apt autoremove' to remove them.
The following packages will be REMOVED:
  evolution-data-server* gdm3* gir1.2-webkit2-4.0* gnome-control-center* gnome-session* gnome-shell*
  gnome-shell-extension-desktop-icons* gnome-shell-extension-top-icons-plus* gnome-shell-extensions*
  gnome-user-docs* libedataserverui-1.2-2* libgoa-backend-1.0-1* libwebkit2gtk-4.0-37* libyelp0* mutter*
  tails-greeter* yelp* zenity*
0 upgraded, 0 newly installed, 18 to remove and 0 not upgraded.
After this operation, 129 MB disk space will be freed.

==> evolution-data-server - really? Other stuff looks to be GNOME internal stuff depending on WebKit, that would be fine for feature/buster Tails 4.0

for Tails 3.11:

  • gambas3-gb-qt5-webkit (not used in Tails)
  • libkf5webkit5 (not used in Tails)
  • libqtwebkit4 (not used in Tails)
  • libvtk6.3-qt (not used in Tails)
  • libwebkitgtk-1.0-0
  • libwebkitgtk-3.0-0
  • libwebkit2gtk-4.0-37
  • libqtscript4-webkit (not used in Tails)
  • libwebkit2gtk-4.0-doc (not used in Tails)
  • gir1.2-webkit2-4.0
  • qtwebkit5-doc-html (not used in Tails)

root@amnesia:~# apt purge gir1.2-webkit2-4.0 libwebkit2gtk-4.0-37
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages were automatically installed and are no longer required:
  accountsservice apg cheese-common evolution-data-server evolution-data-server-common
  gir1.2-accountsservice-1.0 gir1.2-gck-1 gir1.2-gcr-3 gir1.2-gdm-1.0 gir1.2-gmenu-3.0
  gir1.2-gnomebluetooth-1.0 gir1.2-gweather-3.0 gir1.2-javascriptcoregtk-4.0 gir1.2-mutter-3.0
  gir1.2-networkmanager-1.0 gir1.2-nmgtk-1.0 gir1.2-polkit-1.0 gir1.2-soup-2.4 gir1.2-telepathyglib-0.12
  gir1.2-telepathylogger-0.2 gir1.2-upowerglib-1.0 gnome-backgrounds gnome-control-center-data
  gnome-session-bin gnome-session-common gnome-shell-common libaccountsservice0 libcamel-1.2-59
  libcaribou-gtk3-module libcheese-gtk25 libcheese8 libcolord-gtk1 libebackend-1.2-10 libebook-1.2-16
  libebook-contacts-1.2-2 libecal-1.2-19 libedata-book-1.2-25 libedata-cal-1.2-28 libedataserver-1.2-22
  libgdm1 libglib2.0-bin libgnome-bluetooth13 libgnome-menu-3-0 libical2 libjavascriptcoregtk-4.0-18
  libmutter0i libnm-glib4 libnm-gtk0 libnm-util2 libnma0 libphonenumber7 libtelepathy-glib0
  libtelepathy-logger3 libxcb-res0 liferea-data mutter-common ttf-unifont xwayland yelp-xsl zenity-common
Use 'apt autoremove' to remove them.
The following packages will be REMOVED:
  gdm3* gir1.2-webkit2-4.0* gnome-control-center* gnome-session* gnome-shell*
  gnome-shell-extension-top-icons-plus* gnome-shell-extensions* gnome-user-guide* libgoa-backend-1.0-1*
  libwebkit2gtk-4.0-37* libyelp0* liferea* mutter* network-manager-gnome* tails-greeter* yelp* zenity*
0 upgraded, 0 newly installed, 17 to remove and 0 not upgraded.
After this operation, 127 MB disk space will be freed.

==> only liferea is not GNOME internal stuff, so NOT fine for Tails 3.11

#15 Updated by hefee 2019-01-06 16:54:39

And finally against Tails 3.12 (tails-amd64-devel-3.12-20190104T1005Z-53094b0ede.iso):

root@amnesia:~# apt purge gir1.2-webkit2-4.0 libwebkit2gtk-4.0-37 
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages were automatically installed and are no longer required:
  accountsservice apg cheese-common evolution-data-server
  evolution-data-server-common gir1.2-accountsservice-1.0 gir1.2-gck-1
  gir1.2-gcr-3 gir1.2-gdm-1.0 gir1.2-gmenu-3.0 gir1.2-gnomebluetooth-1.0
  gir1.2-gweather-3.0 gir1.2-javascriptcoregtk-4.0 gir1.2-mutter-3.0
  gir1.2-networkmanager-1.0 gir1.2-nmgtk-1.0 gir1.2-polkit-1.0 gir1.2-soup-2.4
  gir1.2-telepathyglib-0.12 gir1.2-telepathylogger-0.2 gir1.2-upowerglib-1.0
  gnome-backgrounds gnome-control-center-data gnome-session-bin
  gnome-session-common gnome-shell-common libaccountsservice0 libcamel-1.2-59
  libcaribou-gtk3-module libcheese-gtk25 libcheese8 libcolord-gtk1
  libebackend-1.2-10 libebook-1.2-16 libebook-contacts-1.2-2 libecal-1.2-19
  libedata-book-1.2-25 libedata-cal-1.2-28 libedataserver-1.2-22 libgdm1
  libglib2.0-bin libgnome-bluetooth13 libgnome-menu-3-0 libical2
  libjavascriptcoregtk-4.0-18 libmutter0i libnm-glib4 libnm-gtk0 libnm-util2
  libnma0 libphonenumber7 libtelepathy-glib0 libtelepathy-logger3 libxcb-res0
  mutter-common ttf-unifont xwayland yelp-xsl zenity-common
Use 'apt autoremove' to remove them.
The following packages will be REMOVED:
  gdm3* gir1.2-webkit2-4.0* gnome-control-center* gnome-session* gnome-shell*
  gnome-shell-extension-top-icons-plus* gnome-shell-extensions*
  gnome-user-guide* libgoa-backend-1.0-1* libwebkit2gtk-4.0-37* libyelp0*
  mutter* network-manager-gnome* tails-greeter* yelp* zenity*
0 upgraded, 0 newly installed, 16 to remove and 0 not upgraded.
After this operation, 126 MB disk space will be freed.

#16 Updated by hefee 2019-01-06 16:56:54

  • Assignee changed from hefee to intrigeri
  • QA Check changed from Ready for QA to Pass

liferea will not be available in Tails 3.12 and nothing else popped up for Tails 3.12.

#17 Updated by intrigeri 2019-01-07 09:00:50

  • Status changed from In Progress to Fix committed
  • Assignee deleted (intrigeri)

Thanks for double-checking! Case closed, then.

#18 Updated by anonym 2019-01-30 11:53:04

  • Status changed from Fix committed to Resolved
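
The reverse-dependency check used in comments #9, #14 and #15, as an added example that is not part of the ticket or of Tails' own tooling: it parses apt's purge output and reports every package to be removed that is outside a reviewed baseline. The baseline (the Tails 3.12 removal list that passed QA above) and the function names are assumptions of this example; the sample input is copied from the Tails 3.11 run in comment #14.

```shell
#!/bin/sh
# Added example: flag packages that a WebKitGTK purge would remove but that
# are not in a reviewed baseline of accepted WebKit consumers.

# Baseline (assumption of this example): the REMOVED list from the Tails 3.12
# run in comment #15, which was accepted on this ticket.
BASELINE="gdm3 gir1.2-webkit2-4.0 gnome-control-center gnome-session gnome-shell
gnome-shell-extension-top-icons-plus gnome-shell-extensions gnome-user-guide
libgoa-backend-1.0-1 libwebkit2gtk-4.0-37 libyelp0 mutter network-manager-gnome
tails-greeter yelp zenity"

# Read apt output on stdin; print one package per line from the
# "will be REMOVED" block, without the trailing "*" that purge adds.
removed_pkgs() {
    awk '
        /^The following packages will be REMOVED:/ { in_block = 1; next }
        in_block && /^  / {          # apt indents package names by two spaces
            for (i = 1; i <= NF; i++) { sub(/\*$/, "", $i); print $i }
            next
        }
        { in_block = 0 }             # any other line ends the block
    ' | sort -u
}

# Read apt output on stdin; print the removed packages that are not in the
# baseline, space-separated. Empty output means nothing new depends on WebKit.
unexpected_removals() {
    known=" $(echo $BASELINE) "      # unquoted on purpose: collapse newlines
    removed_pkgs | while read -r pkg; do
        case "$known" in
            *" $pkg "*) ;;           # already reviewed
            *) printf '%s\n' "$pkg" ;;
        esac
    done | tr '\n' ' ' | sed 's/ $//'
}

# Sample input: REMOVED block of the Tails 3.11 run quoted in comment #14.
sample_3_11() {
    cat <<'EOF'
Use 'apt autoremove' to remove them.
The following packages will be REMOVED:
  gdm3* gir1.2-webkit2-4.0* gnome-control-center* gnome-session* gnome-shell*
  gnome-shell-extension-top-icons-plus* gnome-shell-extensions* gnome-user-guide* libgoa-backend-1.0-1*
  libwebkit2gtk-4.0-37* libyelp0* liferea* mutter* network-manager-gnome* tails-greeter* yelp* zenity*
0 upgraded, 0 newly installed, 17 to remove and 0 not upgraded.
EOF
}

echo "unexpected WebKit consumers: $(sample_3_11 | unexpected_removals)"
```

On a live system the input would come from `LC_ALL=C apt-get -s purge libwebkit2gtk-4.0-37 gir1.2-webkit2-4.0`, where `-s` only simulates the removal.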