Please remove wpewebkit and block syncs from Debian

Bug #1981592 reported by Marc Deslauriers
Affects                      Status        Importance  Assigned to        Milestone
cog (Ubuntu)                 Fix Released  Undecided   Unassigned
gst-plugins-bad1.0 (Ubuntu)  Fix Released  Undecided   Marc Deslauriers
wpewebkit (Ubuntu)           Fix Released  Undecided   Unassigned

Bug Description

The wpewebkit package contains a whole webkit browser engine. It is currently not used by anything of substance in Ubuntu:

$ reverse-depends src:wpewebkit
Reverse-Depends
* cog (for libwpewebkit-1.1-0)
* gstreamer1.0-wpe (for libwpewebkit-1.1-0)

cog is a single-window browser for embedded devices that is not used by anything else in the archive.
gstreamer1.0-wpe is a plugin based on wpewebkit that is not used by anything else in the archive.

Using this browser engine on the Internet is very risky as it is not currently maintained and contains hundreds of security flaws, and maintaining it requires a tremendous amount of work.

As such, I don't believe this package is suitable for the Ubuntu archive.

I recommend we disable the build in gstreamer and remove both cog and wpewebkit, and put a block on syncs from Debian.
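
The reverse-dependency check in the report is what justifies the removal: if nothing in the archive depends on the library, dropping it breaks nothing. The script below is an added example, not part of the bug report or of the ubuntu-dev-tools reverse-depends tool (which queries an online archive service); it approximates the same Depends/Recommends scan offline against a local Debian "Packages" index, expanding a src: target to the source's binaries and skipping same-source packages the way the report's output does. The stanzas in sample_index are constructed for this example and the version numbers in them are illustrative.

```shell
#!/bin/sh
# Added example: list binary packages in a Debian "Packages" index whose
# Depends/Pre-Depends/Recommends name a target package or any binary built
# from a target source package ("src:NAME"), similar to reverse-depends.
# Usage: rdeps libwpewebkit-1.1-0 Packages    or    rdeps src:wpewebkit Packages

rdeps() {
    target="$1"; index="$2"
    awk -v target="$target" '
        # Pass 1: map each binary package to its source package.
        FNR == NR {
            if ($1 == "Package:") { name = $2; src[name] = name }
            if ($1 == "Source:")  { src[name] = $2 }   # "Source: foo (1.2-3)" -> foo
            next
        }
        # Pass 2 (same file again): decide which names count as the target.
        !init {
            init = 1
            if (target ~ /^src:/) {
                skipsrc = substr(target, 5)
                for (b in src) if (src[b] == skipsrc) wanted[b] = 1
            } else wanted[target] = 1
        }
        /^Package:/ { name = $2 }
        /^(Depends|Pre-Depends|Recommends):/ {
            if (skipsrc != "" && src[name] == skipsrc) next   # same source: not a reverse-dep
            sub(/^[^:]*:[ \t]*/, "")                          # drop the field name
            n = split($0, deps, /[ \t]*,[ \t]*/)              # comma-separated entries
            for (i = 1; i <= n; i++) {
                m = split(deps[i], alts, /[ \t]*\|[ \t]*/)    # "a | b" alternatives
                for (j = 1; j <= m; j++) {
                    d = alts[j]
                    sub(/[ \t]*\(.*\)/, "", d)     # drop version constraint "(>= 1.0)"
                    sub(/[ \t]*\[.*\]/, "", d)     # drop architecture list "[amd64]"
                    sub(/:[a-z0-9]+$/, "", d)      # drop :any / :native qualifier
                    if ((d in wanted) && !(name in seen)) {
                        seen[name] = 1
                        print name " (for " d ")"
                    }
                }
            }
        }
    ' "$index" "$index" | sort
}

# Constructed index modelled on the archive layout described in the report
# (not real archive data; versions are illustrative).
sample_index() {
    cat <<'EOF'
Package: libwpewebkit-1.1-0
Source: wpewebkit
Version: 2.36.6-1
Depends: libwpe-1.0-1 (>= 1.12.0), libc6 (>= 2.34)

Package: libwpewebkit-1.1-dev
Source: wpewebkit
Version: 2.36.6-1
Depends: libwpewebkit-1.1-0 (= 2.36.6-1), libwpe-1.0-dev

Package: cog
Version: 0.14.0-1
Depends: libwpewebkit-1.1-0 (>= 2.36.0), libwpe-1.0-1

Package: gstreamer1.0-wpe
Source: gst-plugins-bad1.0 (1.20.3-1ubuntu6)
Version: 1.20.3-1ubuntu6
Depends: libwpewebkit-1.1-0 (>= 2.34.0) [amd64 arm64], libgstreamer1.0-0

Package: epiphany-browser
Version: 43.0-1
Depends: libwebkit2gtk-4.1-0 | libwebkit2gtk-4.0-37, libc6
EOF
}

# Demo: recreate the check from the report against the constructed index.
idx=$(mktemp)
sample_index > "$idx"
rdeps src:wpewebkit "$idx"
rm -f "$idx"
```

Run against a real index (for example one of the files under /var/lib/apt/lists/) to see what would break on a given system; the src: form answers the archive-level question asked in the report, while the bare binary-package form also shows same-source consumers such as the -dev package.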

Revision history for this message
Aaron Rainbolt (arraybolt3) wrote :

Apologies if this is a silly question, but is it only not maintained in Ubuntu? A quick look at Debian Salsa reveals that webkit, wpewebkit, and cog all are actively maintained in Debian. Both are also actively developed on GitHub.

https://salsa.debian.org/webkit-team/webkit webkit and wpewebkit maintenance
https://salsa.debian.org/berto/cog cog maintenance
https://github.com/WebPlatformForEmbedded/WPEWebKit wpewebkit development
https://github.com/Igalia/cog cog development

There may be legitimate uses for an embedded web browser in a non-Internet-connected environment, which cog and wpewebkit would provide (for instance, a clock in/clock out system or accessing company-provided web apps from lightweight devices). What if rather than removing it from Ubuntu entirely, we simply synced it from Debian to provide bug and security fixes in newer versions of Ubuntu, and put a warning in the package description that the package is not routinely updated and its use should be limited to known-secure environments, rather than use on the Web?

If this is a ridiculous idea, feel free to ignore me - I am a newbie in the Ubuntu development world (still working on getting official Lubuntu and Ubuntu membership) so this might be silly.

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Yes, wpewebkit as a project is under active development, but the package in Ubuntu isn't currently being updated in a timely manner.

It requires significant engineering time to maintain webkit2gtk in Ubuntu right now, and even so we are unable to maintain it for the life of the Ubuntu release because of new toolchain requirements that come along with new major upstream versions. For example, we are no longer able to provide webkit2gtk updates for Bionic because of new requirements.

A similar investment would be needed to ensure wpewebkit is properly maintained in Ubuntu, and there is no indication that this package is being used by a substantial number of users.

While we could try and sync wpewebkit from Debian, this is not a long-term solution to ensuring that users of this package can safely use it to process untrusted data.

A rapidly-changing browser engine such as wpewebkit is more suited to be shipped as a Snap, where it can be updated rapidly along with its required dependencies.

Revision history for this message
Aaron Rainbolt (arraybolt3) wrote :

I like the Snap idea, as that would permit cog and wpewebkit to be used in Ubuntu Core, which is the platform that people would likely use it on if creating embedded devices.

Revision history for this message
Spyros Seimenis (sespiros) wrote :

While doing a security update for wpewebkit for focal and jammy, I realized that cog, the included browser, doesn't work in a default configuration even for the versions of the package that are already in the archive.

[Focal]:
sespiros@sec-focal-amd64:~$ cog https://www.google.com
Segmentation fault (core dumped)

[Jammy]:
sespiros@sec-jammy-amd64:~$ cog https://www.google.com

(cog:1994): Cog-WARNING **: 16:48:05.376: Cannot create platform: Could not find an usable platform module
wpe: could not load the impl library. Is there any backend installed?: libWPEBackend-default.so: cannot open shared object file: No such file or directory
Aborted (core dumped)

I also tried:

[Focal]:
sespiros@sec-focal-amd64:~$ sudo apt install libwpebackend-fdo-1.0-1:
...
sespiros@sec-focal-amd64:~$ ln -s /usr/lib/x86_64-linux-gnu/libWPEBackend-fdo-1.0.so libWPEBackend-default.so
...
sespiros@sec-focal-amd64:~$ LD_LIBRARY_PATH=. cog -P fdo https://www.google.com
Cog-Message: 16:56:03.685: <https://www.google.com/> Load started.
Cog-Message: 16:56:04.003: <https://www.google.com/> Loading...
Segmentation fault (core dumped)

[Jammy]:
sespiros@sec-jammy-amd64:~$ sudo apt install libwpebackend-fdo-1.0-1:
...
sespiros@sec-jammy-amd64:~$ ln -s /usr/lib/x86_64-linux-gnu/libWPEBackend-fdo-1.0.so libWPEBackend-default.so
...
sespiros@sec-jammy-amd64:~$ LD_LIBRARY_PATH=. cog https://www.google.com

(cog:3758): Cog-WARNING **: 16:59:45.514: Cannot create platform: Could not find an usable platform module

** (cog:3758): CRITICAL **: 16:59:45.515: WebKitWebViewBackend* webkit_web_view_backend_new(wpe_view_backend*, GDestroyNotify, gpointer): assertion 'backend' failed

(cog:3758): Cog-ERROR **: 16:59:45.515: Could not instantiate any WPE backend.
Trace/breakpoint trap (core dumped)

https://snapcraft.io/wpe-webkit-mir-kiosk seems to be a snap which is used by the Ubuntu Frame team. I was able to run that, but it's not depending on the debs and it uses older versions of wpewebkit, wpebackend-fdo and libwpe (https://gitlab.com/glancr/wpe-webkit-snap/-/blob/main/snap/snapcraft.yaml#L127).

I haven't debugged further than that but I am suspecting that the current set of packages in the archive don't work together. Suggestions welcome.

Revision history for this message
Jeremy Bícha (jbicha) wrote :

From the Desktop Team, I'm ok with wpewebkit being removed from Kinetic. Thank you for the review.

Revision history for this message
Steve Langasek (vorlon) wrote :

Someone needs to update gst-plugins-bad1.0 to not depend on this before the removal can proceed.

Changed in wpewebkit (Ubuntu):
status: New → Incomplete
Changed in gst-plugins-bad1.0 (Ubuntu):
status: New → Fix Committed
assignee: nobody → Marc Deslauriers (mdeslaur)
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gst-plugins-bad1.0 - 1.20.3-1ubuntu6

---------------
gst-plugins-bad1.0 (1.20.3-1ubuntu6) kinetic; urgency=medium

  * No-change rebuild against opencv

 -- Marc Deslauriers <email address hidden> Thu, 25 Aug 2022 10:50:42 -0400

Changed in gst-plugins-bad1.0 (Ubuntu):
status: Fix Committed → Fix Released
Changed in wpewebkit (Ubuntu):
status: Incomplete → New
Revision history for this message
Steve Langasek (vorlon) wrote :

Removing packages from kinetic:
 cog 0.14.0-1 in kinetic
  cog 0.14.0-1 in kinetic amd64
  cog 0.14.0-1 in kinetic arm64
  cog 0.14.0-1 in kinetic armhf
  cog 0.14.0-1 in kinetic ppc64el
  cog 0.14.0-1 in kinetic riscv64
  cog 0.14.0-1 in kinetic s390x
Comment: Depends on wpewebkit which is a security concern; no reverse-dependencies. LP: #1981592
1 package successfully removed.

Changed in cog (Ubuntu):
status: New → Fix Released
Revision history for this message
Steve Langasek (vorlon) wrote :

Removing packages from kinetic:
 wpewebkit 2.36.6-1 in kinetic
  libwpewebkit-1.0-doc 2.36.6-1 in kinetic amd64
  libwpewebkit-1.0-doc 2.36.6-1 in kinetic arm64
  libwpewebkit-1.0-doc 2.36.6-1 in kinetic armhf
  libwpewebkit-1.0-doc 2.36.6-1 in kinetic i386
  libwpewebkit-1.0-doc 2.36.6-1 in kinetic ppc64el
  libwpewebkit-1.0-doc 2.36.6-1 in kinetic riscv64
  libwpewebkit-1.0-doc 2.36.6-1 in kinetic s390x
  libwpewebkit-1.1-0 2.36.6-1 in kinetic amd64
  libwpewebkit-1.1-0 2.36.6-1 in kinetic arm64
  libwpewebkit-1.1-0 2.36.6-1 in kinetic armhf
  libwpewebkit-1.1-0 2.36.6-1 in kinetic ppc64el
  libwpewebkit-1.1-0 2.36.6-1 in kinetic riscv64
  libwpewebkit-1.1-0 2.36.6-1 in kinetic s390x
  libwpewebkit-1.1-dev 2.36.6-1 in kinetic amd64
  libwpewebkit-1.1-dev 2.36.6-1 in kinetic arm64
  libwpewebkit-1.1-dev 2.36.6-1 in kinetic armhf
  libwpewebkit-1.1-dev 2.36.6-1 in kinetic ppc64el
  libwpewebkit-1.1-dev 2.36.6-1 in kinetic riscv64
  libwpewebkit-1.1-dev 2.36.6-1 in kinetic s390x
  wpewebkit-driver 2.36.6-1 in kinetic amd64
  wpewebkit-driver 2.36.6-1 in kinetic arm64
  wpewebkit-driver 2.36.6-1 in kinetic armhf
  wpewebkit-driver 2.36.6-1 in kinetic ppc64el
  wpewebkit-driver 2.36.6-1 in kinetic riscv64
  wpewebkit-driver 2.36.6-1 in kinetic s390x
Comment: Unmaintained web engine, security concerns; LP: #1981592
1 package successfully removed.

Changed in wpewebkit (Ubuntu):
status: New → Fix Released
Revision history for this message
Steve Langasek (vorlon) wrote :

(and blacklisted)

This report contains Public Security information  
Everyone can see this security related information.