rssowl/RSSOwl

Internal browser on Linux (XULRunner) has many known security issues

genodeftest opened this issue · 1 comments

On Linux (and maybe on Mac OS X) RSSOwl is using XULRunner 1.9.2.

There are many (probably several hundred) known security bugs in XULRunner, which includes most security bugs of Firefox since XULRunner 1.9.2 has seen its last release. To get a vague image of the number of bugs, have a look at the CVE database and compare it to the release date of XULRunner 1.9.2 3.6.26, January 31st, 2012. Running XULRunner is not supported by Mozilla any more (Source 1, Source 2). This issue can only be fixed by updating to the latest versions of SWT (4.6+) and thus Eclipse platform 4.6+ immediately, because only those are using WebKitGtk+ version 2, which still gets security bug fixes.

Updating to just using WebKitGtk+ 1.x with SWT 4.x won't fix this issue, since WebKitGtk+ is also old and contains hundreds of known security bugs too and will never be fixed completely because of maintenance burden. WebKitGtk+ 2 support on SWT / Eclipse platform 4.6 works, but it is far from being perfect. Release 4.7 of SWT / Eclipse platform should fix the remaining issues.

This issue does not affect Windows builds (I think so at least) since they use the Internet Explorer web rendering engine by default. There might be a similar issue on Windows too.

Suggested resolutions:

  1. Are Mac OS X users affected?
  2. Immediately notify RSSOwl users of this risk and suggest that they use a different RSS viewer which does not suffer from these bugs. ¹
  3. Decide whether we can fix this issue or stop supporting Linux. In the latter case we need to make sure every user gets to know this.

¹ I don't know any such RSS reader. Other affected applications which cannot be suggested:

These applications are not as powerful as RSSOwl, but they are at least safe to use:

  • FeedReader uses WebKitGtk+ 2 (²) and is still under heavy development and might not be mature for daily use.

² Note that WebKitGtk+ 2 has no support for custom proxy configuration yet. This is because the symbol webkit_web_context_set_proxy_uri is not available through the API yet.
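
As an added example, not code from the issue or from RSSOwl: a Python check that can be pointed at the installation directory of an SWT application to see whether it ships a XULRunner runtime and whether its launcher settings select it. It assumes XULRunner's `platform.ini` with a `Milestone` key and SWT's `org.eclipse.swt.browser.XULRunnerPath` and `org.eclipse.swt.browser.DefaultType` system properties; the directory layout, file names and values in `make_sample` are constructed.

```python
import configparser
import tempfile
from pathlib import Path

# SWT system properties that steer the embedded browser towards XULRunner.
SWT_PROPS = ("org.eclipse.swt.browser.XULRunnerPath",
             "org.eclipse.swt.browser.DefaultType")

def gecko_milestone(platform_ini):
    """Return the Gecko milestone from a XULRunner platform.ini, or None."""
    cp = configparser.ConfigParser()
    try:
        cp.read(platform_ini, encoding="utf-8")
    except (configparser.Error, UnicodeDecodeError):
        return None  # not a parsable platform.ini
    return cp.get("Build", "Milestone", fallback=None)

def audit(app_dir):
    """Collect evidence that an SWT application embeds XULRunner."""
    root, findings = Path(app_dir), []
    for ini in sorted(root.rglob("*.ini")):
        if ini.name == "platform.ini":
            milestone = gecko_milestone(ini)
            if milestone:
                rel = ini.relative_to(root).as_posix()
                findings.append(("bundled-gecko", rel, milestone))
            continue
        # Launcher .ini files carry one JVM argument per line after -vmargs.
        for line in ini.read_text(errors="replace").splitlines():
            line = line.strip()
            for prop in SWT_PROPS:
                if line.startswith("-D" + prop + "="):
                    findings.append(("swt-setting", prop, line.split("=", 1)[1]))
    return findings

def make_sample(root):
    """Constructed install tree for the demo; layout and values are assumptions."""
    xr = Path(root) / "xulrunner"
    xr.mkdir()
    (xr / "platform.ini").write_text(
        "[Build]\nBuildID=00000000000000\nMilestone=1.9.2\n")
    (Path(root) / "app.ini").write_text(
        "-vmargs\n-Dorg.eclipse.swt.browser.XULRunnerPath=./xulrunner\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        make_sample(d)
        for finding in audit(d):
            print(finding)
```

A `bundled-gecko` finding means the application carries its own Gecko runtime, so updating the system's browser packages does not change the engine it renders feeds with.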