Bug 193718 (CVE-2019-11070) - [GStreamer] HLS, DASH, and Smooth Streaming implementations ignore proxy settings
Summary: [GStreamer] HLS, DASH, and Smooth Streaming implementations ignore proxy sett...
Status: RESOLVED FIXED
Alias: CVE-2019-11070
Product: Security
Classification: Unclassified
Component: Security (show other bugs)
Version: WebKit Nightly Build
Hardware: PC Linux
: P2 Normal
Assignee: WebKit Security Group
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2019-01-23 07:44 PST by Michael Catanzaro
Modified: 2019-04-10 13:19 PDT (History)
8 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Michael Catanzaro 2019-01-23 07:44:45 PST 
When removing the web process's access to network proxy settings, I thought to wonder how HLS could use them if HLS accesses the network in the web process. Answer must be that it has never used our proxy settings. This is a major security bug of the sort that requires a CVE at least, to inform users who may have been affected.

Proper solution is to route the HLS implementation through the network process, so our sandbox can disable the web process's ability to access the network altogether.

If we don't have time for that, we could add a GStreamer-specific way to move the proxy information from the UI process to the web process, and keep it in sync when it changes. (The previous method for sending proxy data to the web process is being removed, because it was unused.)

And if we don't have time for THAT, then I dunno, we need to handle it somehow.
Comment 1 Radar WebKit Bug Importer 2019-01-23 07:44:59 PST 
<rdar://problem/47480760>
Comment 2 Philippe Normand 2019-03-05 07:26:28 PST 
See https://bugs.webkit.org/show_bug.cgi?id=189967#c3
Comment 3 Philippe Normand 2019-03-22 08:10:21 PDT 
So what's left to be done for this?
Comment 4 Michael Catanzaro 2019-03-22 09:57:25 PDT 
Make sure GStreamer is using the SoupNetworkSession in the NetworkProcess to download stuff. Then nothing more should be required. You've already succeeded at that, right? So we can close this now?

We should also request a CVE, because this is a deanonymization issue.
Comment 5 Philippe Normand 2019-03-22 10:23:06 PDT 
(In reply to Michael Catanzaro from comment #4)
> Make sure GStreamer is using the SoupNetworkSession in the NetworkProcess to
> download stuff. 

Looks like it does! A single SoupNetworkSession is created in the NetworkProcess during HLS playback, and souphttpsrc is no longer used for fragments downloading.

> Then nothing more should be required. You've already
> succeeded at that, right? So we can close this now?
> 

I suppose, yes.

> We should also request a CVE, because this is a deanonymization issue.

If you say so :)
Comment 6 Michael Catanzaro 2019-03-24 10:50:42 PDT 
I'll handle the CVE request. Is r243197 the commit that fixed this? Please help me find the commit that fixed it. :)

Note: I wrote some recommendations https://trac.webkit.org/wiki/WebKitGTK/MaintenanceTips#CVERequests about when we should request CVEs.
Comment 7 Philippe Normand 2019-03-24 10:55:42 PDT 
Yes, r243197, which depends on r243140 and r243058
Comment 8 Michael Catanzaro 2019-04-10 09:18:16 PDT 
https://trac.webkit.org/changeset/243197/webkit is the commit that fixed this.