RESOLVED FIXED 193718
CVE-2019-11070 [GStreamer] HLS, DASH, and Smooth Streaming implementations ignore proxy settings
https://bugs.webkit.org/show_bug.cgi?id=193718
Summary [GStreamer] HLS, DASH, and Smooth Streaming implementations ignore proxy sett...
Michael Catanzaro
Reported 2019-01-23 07:44:45 PST
When removing the web process's access to network proxy settings, I thought to wonder how HLS could use them if HLS accesses the network in the web process. Answer must be that it has never used our proxy settings. This is a major security bug of the sort that requires a CVE at least, to inform users who may have been affected. Proper solution is to route the HLS implementation through the network process, so our sandbox can disable the web process's ability to access the network altogether. If we don't have time for that, we could add a GStreamer-specific way to move the proxy information from the UI process to the web process, and keep it in sync when it changes. (The previous method for sending proxy data to the web process is being removed, because it was unused.) And if we don't have time for THAT, then I dunno, we need to handle it somehow.
Attachments
Radar WebKit Bug Importer
Comment 1 2019-01-23 07:44:59 PST
Philippe Normand
Comment 2 2019-03-05 07:26:28 PST
Philippe Normand
Comment 3 2019-03-22 08:10:21 PDT
So what's left to be done for this?
Michael Catanzaro
Comment 4 2019-03-22 09:57:25 PDT
Make sure GStreamer is using the SoupNetworkSession in the NetworkProcess to download stuff. Then nothing more should be required. You've already succeeded at that, right? So we can close this now? We should also request a CVE, because this is a deanonymization issue.
Philippe Normand
Comment 5 2019-03-22 10:23:06 PDT
(In reply to Michael Catanzaro from comment #4) > Make sure GStreamer is using the SoupNetworkSession in the NetworkProcess to > download stuff. Looks like it does! A single SoupNetworkSession is created in the NetworkProcess during HLS playback, and souphttpsrc is no longer used for fragments downloading. > Then nothing more should be required. You've already > succeeded at that, right? So we can close this now? > I suppose, yes. > We should also request a CVE, because this is a deanonymization issue. If you say so :)
Michael Catanzaro
Comment 6 2019-03-24 10:50:42 PDT
I'll handle the CVE request. Is r243197 the commit that fixed this? Please help me find the commit that fixed it. :) Note: I wrote some recommendations https://trac.webkit.org/wiki/WebKitGTK/MaintenanceTips#CVERequests about when we should request CVEs.
Philippe Normand
Comment 7 2019-03-24 10:55:42 PDT
Yes, r243197, which depends on r243140 and r243058
Michael Catanzaro
Comment 8 2019-04-10 09:18:16 PDT
Note You need to log in before you can comment on or make changes to this bug.