[MIR] wpebackend-fdo

Bug #1973033 reported by Sebastien Bacher
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| wpebackend-fdo (Ubuntu) | Fix Released | High | Sebastien Bacher | |
| Jammy | Fix Released | High | Unassigned | |

Bug Description

[Availability]
The package wpebackend-fdo is already in Ubuntu universe.
The package wpebackend-fdo builds for the architectures it is designed to work on.
It currently builds and works for architectures: amd64 arm64 armhf i386 ppc64el riscv64 s390x
Link to package https://launchpad.net/ubuntu/+source/wpebackend-fdo

[Rationale]
- The package wpebackend-fdo is required in Ubuntu main as a dependency of webkit2gtk. The dependency is optional but is the default upstream and in other distributions, and the only one upstream is really testing (it turned out some of the issues we had in the previous cycle are because we aren't using the default backend, which also made it a lower priority for upstream to work on fixes). Upstream is also planning to deprecate the non-wpe codepath.

We might also need to build with that backend on older series at some point due to the previous statement.

- The package wpebackend-fdo is required in Ubuntu main no later than Aug 25 due to feature freeze

[Security]
- No CVEs/security issues in this software in the past

- no executables in `/sbin` and `/usr/sbin`
- Package does not install services, timers or recurring jobs
- Package does not open privileged ports (ports < 1024)
- Package does not contain extensions to security-sensitive software

[Quality assurance - function/usage]
- The package works well right after install

[Quality assurance - maintenance]
- The package is maintained well in Ubuntu and Debian and has currently no reports
  - Ubuntu https://bugs.launchpad.net/ubuntu/+source/wpebackend-fdo/+bug
  - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=wpebackend-fdo
- The package does not deal with exotic hardware we cannot support

[Quality assurance - testing]
- The package does not run a test at build time because upstream doesn't have one. That's something we need to work on.
BLOCKER ^

- The package does not run an autopkgtest because upstream has no test and Debian didn't have any either. If webkit2gtk is built with it as its default backend then the webkitgtk autopkgtests are going to exercise wpe, is that enough?
BLOCKER? ^

We need to work on the testing story, backup plan is to write some manual test plans.

[Quality assurance - packaging]
- debian/watch is present and works

- There is only one lintian warning

# lintian --pedantic
P: wpebackend-fdo source: package-uses-old-debhelper-compat-version 12

12 isn't that old but we will work on updating to 13

- There is one lintian override for having the .so distributed in the library rather than the dev because browsers try to load the .so and it should be available.

The change was added in Debian to
https://salsa.debian.org/webkit-team/wpebackend-fdo/-/commit/07a67e57

- This package does not rely on obsolete or about to be demoted packages.
- This package has no python2 or GTK2 dependencies

- The package will be installed by default, but does not ask debconf questions

- Packaging and build is easy, link to d/rules https://salsa.debian.org/webkit-team/wpebackend-fdo/-/blob/master/debian/rules

[UI standards]
- Application is not end-user facing (does not need translation)

[Dependencies]
- There are further dependencies that are not yet in main, MIR for them
  is at https://bugs.launchpad.net/ubuntu/+source/libwpe/+bug/1973031

[Standards compliance]
- This package correctly follows FHS and Debian Policy

[Maintenance/Owner]
- Owning Team will be desktop-packages
- Team is not yet, but will subscribe to the package before promotion

- This does not use static builds
- This does not use vendored code

- The package successfully built during the most recent test rebuild

[Background information]
The Package description explains the package well
Upstream Name is wpebackend-fdo
Link to upstream project https://github.com/Igalia/WPEBackend-fdo

Tags: sec-1034
Sebastien Bacher (seb128) wrote :

The testing story needs work but we are putting in the queue already since that should block review, especially if that needs input from the security team as a future dependency of webkitgtk

Changed in wpebackend-fdo (Ubuntu):
importance: Undecided → High
description: updated
Changed in wpebackend-fdo (Ubuntu):
assignee: nobody → Didier Roche (didrocks)
Didier Roche-Tolomelli (didrocks) wrote :

MIR team ACK under the constraint to have some answer on the weak testing story, aligning it with the wpe library seems to be the best course of action I think
This does need a security review, so I'll assign ubuntu-security.

Notes:
Recommended TODOs:
To paraphrase Christian:
- You already know the testing is weak, the higher level test in webkit2gtk
  seems fine for autopkgtest, but is there something we could do at the lower
  level in the backend itself for build time checks?

[Duplication]
There is no other package in main providing the same functionality.

[Dependencies]
OK:
- no other Dependencies to MIR due to this
- checked with check-mir
- not listed in seeded-in-ubuntu
- none of the (potentially auto-generated) dependencies (Depends
  and Recommends) that are present after build are not in main
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring more tests now.

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- does not have odd Built-Using entries

OK:
- not a go package, no extra constraints to consider in that regard

[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use lib*v8 directly
- does not open a port/socket
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam, etc)
- does not deal with security attestation (secure boot, tpm, signatures)

Problems:
Dependent of webkit, parse web content. Requesting thus a security review.

[Common blockers]
OK:
- does not FTBFS currently
- no new python2 dependency

Problems:
- Testing story is weak both during build and autopkgtest tests, look at the summary and recommended TODOs.

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking is in place
- d/watch is present and looks ok (if needed, e.g. non-native)
- Upstream update history is good
- Debian/Ubuntu update history is good
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far
- no massive Lintian warnings
- d/rules is rather clean
- It is not on the lto-disabled list

[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (as far as we can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH (usage is OK inside
  tests)
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu
- not part of the UI for extra checks
- no translation present, but none needed for this case

Problems:
Parts of webkit-gtk, see above for security review

Changed in wpebackend-fdo (Ubuntu):
assignee: Didier Roche (didrocks) → Ubuntu Security Team (ubuntu-security)
tags: added: sec-1034
Sebastien Bacher (seb128) wrote :

Christian changed the test requirement on bug #1973031 to be a recommended

> I've ended up with "recommended" as high level tests are done as
> part of higher level autopkgtest. But consider at least trying to add at
> least some unit-tests at build time rather strongly recommended.

I'm going to assume it's the same here. I started by upstreaming a request on https://github.com/Igalia/WPEBackend-fdo/issues/174

Spyros Seimenis (sespiros) wrote :

I reviewed wpebackend-fdo 1.12.0-1 as checked into kinetic. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.

wpebackend-fdo is the reference implementation of the base rendering backend design
of WPE WebKit, a port of WebKit. It is also used by WebKitGTK to implement hardware-accelerated
rendering under Wayland.

- CVE History:
  - No CVEs in this specific backend implementation
- Build-Depends?
  - No encryption or networking build dependencies
- pre/post inst/rm scripts?
  - No
- init scripts?
  - No
- systemd units?
  - No
- dbus services?
  - No
- setuid binaries?
  - No
- binaries in PATH?
  - No
- sudo fragments?
  - No
- polkit files?
  - No
- udev rules?
  - No
- unit tests / autopkgtests?
  - No autopkgtests
  - No testsuite.
- cron jobs?
  - No
- Build logs:
  - WARNING: You should add the boolean check kwarg to the run_command call.
         It currently defaults to false,
         but it will default to true in future releases of meson.
         See also: https://github.com/mesonbuild/meson/issues/9300
  - NOTICE: Future-deprecated features used:
     * 0.56.0: {'dependency.get_pkgconfig_variable'}
  - dpkg-gencontrol: warning: Depends field of package libwpebackend-fdo-1.0-dev: substitution variable ${shlibs:Depends} used, but is not defined
  - No Lintian errors/warnings
- Processes spawned?
  - No
- Memory management?
  - Defensive bound checking when allocations are happening.
  - No testing suite (i.e. the newly introduced dma-buf pool for mem allocations is untested).
- File IO?
  - No
- Logging?
  - No issues
- Environment variable usage?
  - No
- Use of privileged functions?
  - No
- Use of cryptography / random number sources etc?
  - No
- Use of temp files?
  - No
- Use of networking?
  - No
- Use of WebKit?
  - No. Although related.
- Use of PolicyKit?
  - No

- Any significant cppcheck results?
  - No
- Any significant Coverity results?
  - SEE coverity.txt
- Any significant shellcheck results?
  - No
- Any significant bandit results?
  - No

Development is active with frequent releases but it follows a release model similar
to wpewebkit (and webkitgtk) which has been historically difficult to maintain, from
the security team's point of view, due to their release model (minor version releases
with limited information related to security only issues). Since this is a relatively
small codebase and no major issues have been found during code review I am inclined to
ACK it. The lack of a test suite (and autopkgtests) though is going to make testing
difficult.

Security team ACK for promoting wpebackend-fdo to main.

Changed in wpebackend-fdo (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → nobody
Changed in wpebackend-fdo (Ubuntu):
status: New → In Progress
Christian Ehrhardt  (paelzer) wrote :

Adding tests depends on upstream, thanks for filing it there.
This should be fine to be promoted now, once subscribed by the team.

Assigning seb128 to subscribe (and to promote then)

Lukas Märdian (slyon) wrote :

@seb128: This is ready for promotion, once it is added as a dependency and got a team subscriber.

Changed in wpebackend-fdo (Ubuntu):
assignee: nobody → Sebastien Bacher (seb128)
Sebastien Bacher (seb128) wrote :

~desktop-packages has been subscribed and https://launchpad.net/ubuntu/+source/webkit2gtk/2.36.4-1ubuntu1 uploaded

Changed in wpebackend-fdo (Ubuntu):
status: In Progress → Fix Committed
Didier Roche-Tolomelli (didrocks) wrote :

$ ./change-override -c main -S wpebackend-fdo
Override component to main
wpebackend-fdo 1.12.0-1 in kinetic: universe/misc -> main
libwpebackend-fdo-1.0-1 1.12.0-1 in kinetic amd64: universe/libs/optional/100% -> main
libwpebackend-fdo-1.0-1 1.12.0-1 in kinetic arm64: universe/libs/optional/100% -> main
libwpebackend-fdo-1.0-1 1.12.0-1 in kinetic armhf: universe/libs/optional/100% -> main
libwpebackend-fdo-1.0-1 1.12.0-1 in kinetic i386: universe/libs/optional/100% -> main
libwpebackend-fdo-1.0-1 1.12.0-1 in kinetic ppc64el: universe/libs/optional/100% -> main
libwpebackend-fdo-1.0-1 1.12.0-1 in kinetic riscv64: universe/libs/optional/100% -> main
libwpebackend-fdo-1.0-1 1.12.0-1 in kinetic s390x: universe/libs/optional/100% -> main
libwpebackend-fdo-1.0-dev 1.12.0-1 in kinetic amd64: universe/libdevel/optional/100% -> main
libwpebackend-fdo-1.0-dev 1.12.0-1 in kinetic arm64: universe/libdevel/optional/100% -> main
libwpebackend-fdo-1.0-dev 1.12.0-1 in kinetic armhf: universe/libdevel/optional/100% -> main
libwpebackend-fdo-1.0-dev 1.12.0-1 in kinetic i386: universe/libdevel/optional/100% -> main
libwpebackend-fdo-1.0-dev 1.12.0-1 in kinetic ppc64el: universe/libdevel/optional/100% -> main
libwpebackend-fdo-1.0-dev 1.12.0-1 in kinetic riscv64: universe/libdevel/optional/100% -> main
libwpebackend-fdo-1.0-dev 1.12.0-1 in kinetic s390x: universe/libdevel/optional/100% -> main
Override [y|N]? y
15 publications overridden.

Changed in wpebackend-fdo (Ubuntu):
status: Fix Committed → Fix Released
Sebastien Bacher (seb128) wrote :

Targeting 22.04 there now as we would like to build webkit2gtk with wpe support enabled also in the LTS since that's the codepath which has the best upstream support and it would resolve some existing issues we have from building without it.

@MIR team, could you review the request of promoting the package also in 22.04? The version available in 22.04 is slightly older than the one which got promoted in kinetic but we could try to SRU first the newer version if that's preferred.
There was no packaging change between the concerned versions that should make a difference on the MIR review outcome.

Speaking with Marc from the security team, who is usually doing the webkitgtk security update, he was on board with the idea of building webkitgtk with wpe going forward.

Sebastien Bacher (seb128) wrote :

In fact upstream is sort of forcing us to go that way now

https://webkitgtk.org/2022/11/11/webkitgtk2.39.1-released.html
> Remove internal nested wayland compositor making libwpe mandatory when building with wayland enabled.

If we want to keep rolling newer webkitgtk versions as security updates we will need to build with wpe.

Changed in wpebackend-fdo (Ubuntu Jammy):
importance: Undecided → High
Lukas Märdian (slyon)
Changed in wpebackend-fdo (Ubuntu Jammy):
assignee: nobody → Lukas Märdian (slyon)
Lukas Märdian (slyon) wrote :

Retroactive review for package: src:wpebackend-fdo (for Jammy LTS, 1.12.0-1)

[Summary]
src:wpebackend-fdo has already been promoted to "main" in Kinetic+ and the changes between v1.12.0 (Jammy) to v1.14.0 (Kinetic+) are minimal (see #2). I'll build upon @didrocks' original MIR review (see comment #2) and double-check the current state. If not stated otherwise, the review from comment #2 still holds true for this older version in Jammy LTS.

MIR team ACK under the constraint to resolve the below listed
required TODOs and as much as possible having a look at the
recommended TODOs.

This does not need a security review (again)

List of specific binary packages to be promoted to main: libwpebackend-fdo-1.0-1
Specific binary packages built, but NOT to be promoted to main: <None>

Notes:
#0 This does not need a security review again, it was already done for v1.12.0-1 (see comment #4), also the changes from 1.12.0..1.14.0 are minimal (and requested to be SRUed, see #2). The higher-level src:webkit2gtk component, making use of this backend, is also using the same v2.38.3 upstream version in all current series (Focal++). No new CVEs or relevant bug reports, as of 2023-01-10.

Required TODOs:
#1 libwpe Jammy MIR dependency (LP: #1973031)
#2 please SRU the two fixes/commits included in 1.14.0 back into Jammy (fixing a double-free and a SIGSEGV), as those could have security implications. Other than that, I see no relevant difference (packaging or upstream alike): https://github.com/Igalia/WPEBackend-fdo/compare/1.12.0...1.14.0
#3 please provide links to the higher-level component test, covering wpebackend-fdo or provide some autopkgtests or manual testing story (see #4)

Recommended TODOs:
#4 Improve the testing story (is there anything quick that we could do ourselves)?
  - buildtime/unit-test have been requested upstream, but no activity so far: https://github.com/Igalia/WPEBackend-fdo/issues/174
  - runtime/integration-tests are supposed to be covered by the src:webkit2gkt higher-level component, but I couldn't find anything at https://autopkgtest.ubuntu.com/packages/webkit2gkt (neither for src:wpebackend-fdo, nor src:libwpe and none of those have buildtime/unit-test...)

Changed in wpebackend-fdo (Ubuntu Jammy):
status: New → Incomplete
assignee: Lukas Märdian (slyon) → nobody
Sebastien Bacher (seb128) wrote :

> #2 please SRU the two fixes/commits included in 1.14.0 back into Jammy (fixing a double-free and a SIGSEGV), as those could have security implications.

SRU bug #2015543 uploaded now, which is an update to 1.12.1 which basically includes exactly those changes

> #3 please provide links to the higher-level component test, covering wpebackend-fdo or provide some autopkgtests or manual testing story (see #4)

We don't have something better to provide atm than the webkitgtk autopkgtests once it will be built using wpe. I think we are blocked at this point since we don't have the resources to provide improvements in the near future.

The security team wants to roll out updates to a NEWer series to address some security vulnerability though. I will let them and you decide whether a weaker-than-wanted testing story is a strong enough reason to hold on CVE fixes for Ubuntu.

Sebastien Bacher (seb128) wrote :

Setting back to New, the required todo #1 (libwpe depends needed to be approved) and #2 (SRUing upstream fixes) have been handled, as stated previously #3 (the testing story) isn't something we will be able to easily do. I will let the MIR and security story sort out if that point is worth blocking webkitgtk security updates

Changed in wpebackend-fdo (Ubuntu Jammy):
status: Incomplete → New
Marc Deslauriers (mdeslaur) wrote :

As part of the webkit2gtk security updates, the security team now has a hard requirement of backporting the versions of wpebackend-fdo and libwpe from lunar to kinetic and earlier releases. This also requires these dependencies to be promoted to main in focal and jammy.

While additional tests inside wpebackend-fdo and libwpe would be ideal, there aren't any available, and these dependencies are only used by the webkit2gtk package (and a couple of related now-unused packages like cog and wpewebkit).

The security team does perform our usual testing and QA on webkit2gtk updates, which includes the functionality provided by wpebackend-fdo and libwpe.

I have asked an archive admin, on behalf of the security team, to adjust the overrides on focal and jammy to promote those two packages to main so we can provide webkit2gtk security updates.

Sebastien Bacher (seb128) wrote :

$ ./change-override -c main -s jammy-updates -S wpebackend-fdo
Override component to main
wpebackend-fdo 1.12.1-0ubuntu1 in jammy: universe/misc -> main
libwpebackend-fdo-1.0-1 1.12.1-0ubuntu1 in jammy amd64: universe/libs/optional/100% -> main
libwpebackend-fdo-1.0-1 1.12.1-0ubuntu1 in jammy arm64: universe/libs/optional/100% -> main
libwpebackend-fdo-1.0-1 1.12.1-0ubuntu1 in jammy armhf: universe/libs/optional/100% -> main
libwpebackend-fdo-1.0-1 1.12.1-0ubuntu1 in jammy i386: universe/libs/optional/100% -> main
libwpebackend-fdo-1.0-1 1.12.1-0ubuntu1 in jammy ppc64el: universe/libs/optional/100% -> main
libwpebackend-fdo-1.0-1 1.12.1-0ubuntu1 in jammy riscv64: universe/libs/optional/100% -> main
libwpebackend-fdo-1.0-1 1.12.1-0ubuntu1 in jammy s390x: universe/libs/optional/100% -> main
libwpebackend-fdo-1.0-dev 1.12.1-0ubuntu1 in jammy amd64: universe/libdevel/optional/100% -> main
libwpebackend-fdo-1.0-dev 1.12.1-0ubuntu1 in jammy arm64: universe/libdevel/optional/100% -> main
libwpebackend-fdo-1.0-dev 1.12.1-0ubuntu1 in jammy armhf: universe/libdevel/optional/100% -> main
libwpebackend-fdo-1.0-dev 1.12.1-0ubuntu1 in jammy i386: universe/libdevel/optional/100% -> main
libwpebackend-fdo-1.0-dev 1.12.1-0ubuntu1 in jammy ppc64el: universe/libdevel/optional/100% -> main
libwpebackend-fdo-1.0-dev 1.12.1-0ubuntu1 in jammy riscv64: universe/libdevel/optional/100% -> main
libwpebackend-fdo-1.0-dev 1.12.1-0ubuntu1 in jammy s390x: universe/libdevel/optional/100% -> main
Override [y|N]? y
15 publications overridden.

Changed in wpebackend-fdo (Ubuntu Jammy):
status: New → Fix Released