SECURITY: remove obsolet libwebkitgtk1 and libwebkitgtk3

libwebkitgtk-1.0-0 and libwebkitgtk-3.0-0

This affects Ubuntu MATE Welcome, I'll quote @Wimpy on this one:

There are security concerns regarding WebKit and how it is updated, or not, in distributions.

On WebKit Security Updates – Michael Catanzaro's Blog

Having spoken with the Ubuntu Security team webkit2gtk is now in the main repository, therefore subject to security updates.

Ubuntu MATE Welcome needs migrating to gir1.2-webkit2-4.0, which will mean no more backports for Trusty or Wily.


For 16.04, we'll be migrating to WebKit2, as 16.04 currently is the only version that have a package for WebKit2. Unfortunately there are no packages for 15.10 or below, so they're stuck with the old version for now (forever?). :frowning:

1 Like

A quote from your link:

> WebKitGTK+ releases regular security updates upstream. It is safe to use so long as you apply the updates.

As long as people do regular updates it should be okay or am I reading this wrong?. :smiley:

Upstream is the main project itself - so the WebKitGTK+ project is regularly updated. The problem is the lack of updated packages for Ubuntu, which means no fixes for end users.

This quote should clarify it:

Ubuntu releases WebKitGTK+ updates somewhat inconsistently. For instance, Ubuntu 14.04 came with WebKitGTK+ 2.4.0. 2.4.8 is available via updates, but even though 2.4.9 was released upstream over eight months ago, it has not yet been released as an update for Ubuntu 14.04.

By comparison, Ubuntu 15.10 (the latest release) shipped with WebKitGTK+ 2.8.5, which has never been updated; it’s affected by about 40 vulnerabilities fixed in the latest upstream release. Ubuntu organizes its software into various repositories, and provides security support only to software in the main repository. This version of WebKitGTK+ is in Ubuntu’s “universe” repository, not in main, so it is excluded from security support.

Now that webkit2gtk is in the main repositories for Ubuntu 16.04, this library can be kept updated so WebKit-based applications (like Welcome) are immune to the latest vulnerabilities.

1 Like

No it is not okay, because many apps havent updated to webkit2(different api!)
Banshee, geary, empathy, evolution, gnucash, … still use webkit1 (webkit1gtk ==webkit1 with gtk2 binding and webkit1gtk3 ==webkit1 with gtk3 binding. AND these apps are still vulnerable, because webkitgtk developers dropped support for webkit1!

Ubuntu mate 16.04 beta2 was released and nothing has changed. Default cd image still includes
libwebkitgtk-1.0-0:amd64 2.4.10-0ubuntu1
libwebkitgtk-1.0-common 2.4.10-0ubuntu1
libwebkitgtk-3.0-0:amd64 2.4.10-0ubuntu1
libwebkitgtk-3.0-common 2.4.10-0ubuntu1

1 Like

Some default applications still depend on these packages. Welcome doesn’t rely on these, but now there’s a problem that newer WebKit versions may not work on PowerPC. :frowning:

ubuntu mate welcome depends on gir1.2-webkit-3.0, which depends on libwebkitgtk-3.0-0
welcome program should be ported to gir1.2-webkit2-4.0

Good news, Welcome has been ported to WebKit2 for 16.10. :thumbsup:


So what about 16.04?

Good catch. :wink: Originally that was the plan, but due to some stability problems and glitches (namely, it didn’t work properly on the Raspberry Pi or PowerPC), we decided to stick with WebKit 1 for the LTS. :neutral_face:

Does it basically mean that Welcome on 16.04 (and also Banshee et al. who wouldn’t have their issues adressed anyway) are basically not safe to use?

To be honest, the whole “embed a browser everywhere” thing already caused a lot of trouble on Windows.
I’d have hoped the Linux community would have learned from the mistakes made over there, but instead we apparently get stuck with insecure components in brand new LTS distros that won’t get patched during their supported lifetime.

I also noticed that Chromium is in “universe”, meaning it probably won’t get updated either - this is a no-go for a browser.


For Welcome, arguably it is safe – as the files are read locally, and do not download anything from a remote server. Unless someone gained root and intentionally modified Welcome’s files, a security breech is virtually impossible. :no_entry: Same for any scripts and programs really.

Web apps are gaining popularity, so I see web technologies as no mistake. The problem lies with insecure libraries that do not receive updates packaged by Ubuntu despite having newer versions upstream.

As mentioned at the start of this topic, the problem is mainly due to the lack of updates for that library. WebKit1 and WebKit2 are different APIs, the former now being deprecated and it’s time to switch. :frowning:


So yeah, I’m trusting that Welcome is not affected by this.

For those of us who nose off while reading about web-thingies, does this mean some programs installed in 16.04 are gonna stay insecure for the whole 16.04 LTS cycle?

And does anyone have a comprehensive lists of programs using libwebkitgtk-* or a command line to check what programs are using it?

Furthermore, I’ve read on the article about the certificate validation problem (which basically means some paths into the applications that are supposed to be trusted are suddenly not trustworthy), is there a list of the other vulnerabilities somewhere? [Edit] Found the list: and yeah, there’s remote code execution vulnerabilities in there.