how quickly do distributors ship fixes to publicly-known remotely-exploitable bugs? [OC]

Arthur Besse to Open Source@lemmy.ml
•
edit-2
3Y
•

I just learned about another new special-purpose web browser for running web apps, and was curious to see if using a browser distributed via Flatpak meant that I would be using something that was lagging in security updates (spoiler: it is).

This got me wondering: How quickly do updates for critical vulnerabilities reach users of free software operating systems?

I decided to have a look for the most recent critical bug WebKitGTK, CVE-2022-22620/WSA-2022-0003.

(The WebKit rendering engine, which Apple created by forking the KHTML engine from the KDE Project’s Konqueror browser in 2005, is used in all of Apple’s web browsing products today. The WebKitGTK project maintains an embeddable library version of it, which I believe is by far the most popular rendering engine for alternative web browsers on free software operating systems today.)

Apple’s advisories about the issue say:

Description: A use after free issue was addressed with improved memory management.
Impact: processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

This bug got a fair amount of press:

So, how did WebKitGTK distributors do?

Timeline

February 10
- Apple announces the vulnerability and publishes updates for their operating systems: HT213091, HT213092, and HT213093. Apple did not say when they were notified of the vulnerability. It is not clear to me when Apple put the fix in git, but I believe it may have been on this day (without identifying it as the fix, presumably to avoid making it easier for more attackers to independently develop exploits for it).

February 17
- The WebKitGTK project announces the vulnerability and releases v2.34.6 with the fix.
- Ubuntu publishes updated packages for their 20.04 LTS and 21.10 releases with the fix; it is not clear to me if they became available to users at this time.
- Debian accepts the new upstream release with the fix, but only into unstable so far
- Fedora has updated versions for Fedora 34 and Fedora 35 “submitted for testing”.
- OpenBSD ports commits the fix
- ArchLinux commits the fix

February 18
- NixOS commits the fix
- GNU Guix commits the fix
- Fedora has updates for Fedora 34 and Fedora 35 “pushed to testing”, and the Fedora 35 update says it “can be pushed to stable”.

February 19
- Alpine Linux commits the upgrade to the fixed version (the “build time” listed here and commit time are identical; presumably the package became available to users at this time or soon thereafter)
- Fedora 35 update pushed to stable
- Debian pushes the update to stable and oldstable
- Debian publishes advisory DSA-5083

February 28
- Ubuntu publishes advisory USN-5306-1. (Again, I cannot discern if the updates were actually available to users before this date.)

March 3
- SUSE publishes SUSE-SU-2022:0703-1 addressing this and numerous other vulnerabilities in many of their enterprise distributions

March 4
- Fedora 34 update pushed to stable
- SUSE publishes SUSE-SU-2022:0705-1 addressing this and numerous other vulnerabilities in more of their enterprise distributions, and openSUSE-SU-2022:0705-1 addressing them in openSUSE

March 5
- FreeBSD ports gets the update

March 11
- SUSE publishes SUSE-SU-2022:0811-1 addressing this and numerous other vulnerabilities in still more of their enterprise distributions

Today, March 19
- The org.gnome.Platform//41 runtime which Flatpak applications on my computer are getting their webkit2gtk from remains vulnerable (that is the current commit at the time of this writing; you can click these links to see if the GNOME 40 and 41 still have the vulnerable version 2.34.5 at the time you’re reading this).