I just learned about another new special-purpose web browser for running web apps, and was curious to see if using a browser distributed via Flatpak meant that I would be using something that was lagging in security updates (spoiler: it is).
This got me wondering: How quickly do updates for critical vulnerabilities reach users of free software operating systems?
(The WebKit rendering engine, which Apple created by forking the KHTML engine from the KDE Project’s Konqueror browser in 2005, is used in all of Apple’s web browsing products today. The WebKitGTK project maintains an embeddable library version of it, which I believe is by far the most popular rendering engine for alternative web browsers on free software operating systems today.)
Apple’s advisories about the issue say:
Description: A use after free issue was addressed with improved memory management.
Impact: processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
Apple announces the vulnerability and publishes updates for their operating systems: HT213091, HT213092, and HT213093. Apple did not say when they were notified of the vulnerability. It is not clear to me when Apple put the fix in git, but I believe it may have been on this day (without identifying it as the fix, presumably to avoid making it easier for more attackers to independently develop exploits for it).
February 17
The WebKitGTK project announces the vulnerability and releases v2.34.6 with the fix.
Ubuntu publishes updated packages for their 20.04 LTS and 21.10 releases with the fix; it is not clear to me if they became available to users at this time.
Debian accepts the new upstream release with the fix, but only into unstable so far
Fedora has updated versions for Fedora 34 and Fedora 35 “submitted for testing”.
Fedora has updates for Fedora 34
and Fedora 35 “pushed to testing”, and the Fedora 35 update says it “can be pushed to stable”.
February 19
Alpine Linux commits the upgrade to the fixed version (the “build time” listed here and commit time are identical; presumably the package became available to users at this time or soon thereafter)
SUSE publishes SUSE-SU-2022:0705-1 addressing this and numerous other vulnerabilities in more of their enterprise distributions, and openSUSE-SU-2022:0705-1 addressing them in openSUSE
SUSE publishes SUSE-SU-2022:0811-1 addressing this and numerous other vulnerabilities in still more of their enterprise distributions
Today, March 19
The org.gnome.Platform//41 runtime which Flatpak applications on my computer are getting their webkit2gtk from remains vulnerable (that is the current commit at the time of this writing; you can click these links to see if the GNOME 40 and 41 still have the vulnerable version 2.34.5 at the time you’re reading this).
Thanks, I edited the post to add Guix and Nix to the timeline.
It’s worth noting that Guix also packages WPE WebKit (another embeddable version of WebKit, which shares a version numbering scheme with WebKitGTK) from the same .scm file and for some reason has still not updated that (despite having just upgraded it the previous month to address another security problem).
Thanks, I edited the post to add Guix and Nix to the timeline.
It’s worth noting that Guix also packages WPE WebKit (another embeddable version of WebKit, which shares a version numbering scheme with WebKitGTK) from the same .scm file and for some reason has still not updated that (despite having just upgraded it the previous month to address another security problem).
(WPE WebKit is used far less than WebKitGTK on desktop OSes, but it can be used for things like webkit overlays in gstreamer pipelines…)