Bug 193718 (CVE-2019-11070)

Summary: [GStreamer] HLS, DASH, and Smooth Streaming implementations ignore proxy settings
Product: Security Reporter: Michael Catanzaro <mcatanzaro>
Component: SecurityAssignee: WebKit Security Group <webkit-security-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: aboya, bfulgham, calvaris, cturner, mcatanzaro, pnormand, product-security, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: PC   
OS: Linux   

Description Michael Catanzaro 2019-01-23 07:44:45 PST 
When removing the web process's access to network proxy settings, I thought to wonder how HLS could use them if HLS accesses the network in the web process. Answer must be that it has never used our proxy settings. This is a major security bug of the sort that requires a CVE at least, to inform users who may have been affected.

Proper solution is to route the HLS implementation through the network process, so our sandbox can disable the web process's ability to access the network altogether.

If we don't have time for that, we could add a GStreamer-specific way to move the proxy information from the UI process to the web process, and keep it in sync when it changes. (The previous method for sending proxy data to the web process is being removed, because it was unused.)

And if we don't have time for THAT, then I dunno, we need to handle it somehow.
Comment 1 Radar WebKit Bug Importer 2019-01-23 07:44:59 PST 
<rdar://problem/47480760>
Comment 2 Philippe Normand 2019-03-05 07:26:28 PST 
See https://bugs.webkit.org/show_bug.cgi?id=189967#c3
Comment 3 Philippe Normand 2019-03-22 08:10:21 PDT 
So what's left to be done for this?
Comment 4 Michael Catanzaro 2019-03-22 09:57:25 PDT 
Make sure GStreamer is using the SoupNetworkSession in the NetworkProcess to download stuff. Then nothing more should be required. You've already succeeded at that, right? So we can close this now?

We should also request a CVE, because this is a deanonymization issue.
Comment 5 Philippe Normand 2019-03-22 10:23:06 PDT 
(In reply to Michael Catanzaro from comment #4)
> Make sure GStreamer is using the SoupNetworkSession in the NetworkProcess to
> download stuff. 

Looks like it does! A single SoupNetworkSession is created in the NetworkProcess during HLS playback, and souphttpsrc is no longer used for fragments downloading.

> Then nothing more should be required. You've already
> succeeded at that, right? So we can close this now?
> 

I suppose, yes.

> We should also request a CVE, because this is a deanonymization issue.

If you say so :)
Comment 6 Michael Catanzaro 2019-03-24 10:50:42 PDT 
I'll handle the CVE request. Is r243197 the commit that fixed this? Please help me find the commit that fixed it. :)

Note: I wrote some recommendations https://trac.webkit.org/wiki/WebKitGTK/MaintenanceTips#CVERequests about when we should request CVEs.
Comment 7 Philippe Normand 2019-03-24 10:55:42 PDT 
Yes, r243197, which depends on r243140 and r243058
Comment 8 Michael Catanzaro 2019-04-10 09:18:16 PDT 
https://trac.webkit.org/changeset/243197/webkit is the commit that fixed this.