|
Hello,
I have just found this interesting software. I am concerned about the Spectre and Meltdown vulnerabilities and the possibility for mischief they create for JavaScript coming from websites (as demonstrated in PoC by security experts). So I am browsing the web with JS completely disabled. Still I have been looking for a way to use maps without JS. My question is: Does KDE Marble execute any JavaScript? (i.e. is it safe for what I am looking for) |
Registered Member
|
Well, disabling javascript isn't much of a solution for a couple of reasons: First it only turns off one attack vector, but there are potentially other ways that those attacks can come into play, so what's really needed is OS and/or Browser based security to prevent problems.
Second, javascript is what makes a lot of web sites work; without it all you can get is static content. Perhaps you may be fine with that, but just know that you will be missing a lot of functionality on many sites. That said I would guess that Marble does not execute (potentially malicious) javascript pulled from the internet, but most likely just downloads the mapping data and uses its own code (possibly javascript, but bundled with the application) for its functionality.
airdrik, proud to be a member of KDE forums since 2008-Dec.
|
|
Of course disabling JS is not a solution. There is no software solution for a hardware issue. There are only preventive measures and mitigations, that's all we have for the moment.
How can I get something better than a guess? I need to make sure that no externally downloaded JS code is executed. That's why I asked here. If you know a better place to ask please share. |
Registered Member
|
Well, this is a good place to ask. I'm just not the best to fully answer that question to the degree you are requiring (just trying to be helpful and give what I thought to be a good enough answer).
A couple of ideas until someone else can provide the complete answer include checking the code itself (https://github.com/KDE/marble), or using a network monitoring tool to check the network calls made by it.
airdrik, proud to be a member of KDE forums since 2008-Dec.
|
|
I already had a quick look at the GitHub repo before opening this thread. I searched for "javascript" but I couldn't get any clear confirmation from what I found, so I decided to ask here.
How would a network monitoring tool show that remote JS is downloaded and executed locally? |
Registered Member
|
If it is downloading any JS as part of its operation, you should see that in the network monitor (and by that I mean something like Wireshark which inspects the actual requests or packets so that you can see what it is actually downloading, not just a meter or graph which shows how much data is flying around). This should give you a definitive answer as to whether it is downloading anything potentially malicious off of the internet (mapping data from openstreetmap.org or other sources it relies on should be all that it needs to download).
As for inspecting the code, I was originally thinking that you could check for "http" requests that the code is making and then see which of those are requesting javascript vs. map data. On second thought though you'd have to also comb through the libraries that it uses to see if any of them may be making such requests as well (and I am by no means familiar enough with the various KDE and Qt libraries to say which ones you'd have to comb through; still hoping for someone else who is more familiar with all of that to chime in).
airdrik, proud to be a member of KDE forums since 2008-Dec.
|
|
But the question is not whether it downloads but whether it executes JS. This is an essential difference and I don't see how Wireshark can tell this. Even if one inspects the HTTP requests it would still be unclear whether those are the result of an ajax coming from a particular downloaded JS (as it works in conventional web browsers) or from an internal HTTP request of the program itself (e.g. an HTTP API).
Me too. |
Registered Member
|
The primary reason why Javascript is specially noted as being vulnerable is not because the running of javascript on your machine is any more vulnerable than the running of code written in other languages, but that, because javascript is downloaded from the internet by various means, it is a relatively easy way for an attacker to get vulnerable code to run on people's machines. Checking if an app merely executes Javascript is insufficient to determine if that app is potentially vulnerable to those attacks.
In general to determine if your machine is potentially vulnerable to those attacks, you need to be aware of all of the code that is running on your machine, not just the javascript. The special case with javascript is that you need to be aware of any javascript that is downloaded from the internet and executed. However javascript that already exists on your machine (because it was included in some software package) should be treated the same as the other code that already exists on your machine.
The question there is how much do you trust those who provided you with the software packages to provide it to you free from known vulnerabilities? The choice is yours whether you put your faith and trust in the maintainers of the software repositories and packages and just use them as-is, whether you take the paranoid stance and question and double-check everything that you install, or whether you take some stance in the middle. We can generally expect the developers of KDE and other FLOSS software to be worthy of that trust. If not, there would be plenty of noise about how they have breached that trust (we saw an example of that with SourceForge when its previous management injected ads/freeware in some of the software packages being downloaded. GIMP just abandoned the service altogether so they could provide their users with the level of trust they deserve. It will take some time for SourceForge to fully regain that trust with the community).
tl;dr - If it downloads and executes code (like javascript) off the internet then you should be concerned about vulnerabilities. If it just executes code on your machine (javascript or not) then it is up to you to trust the people who provided you with that code that the code it executes is not vulnerable.
airdrik, proud to be a member of KDE forums since 2008-Dec.
|
|
I know all that, airdrik. Of course I don't trust random JS downloaded from external hosts and executed on my machine. Otherwise I wouldn't open this thread. The recently announced CPU bugs are too serious to be ignored and the software mitigations are not fixes. Considering that the basis of the current computer security model - the ability for isolation - is broken, one should be very careful what one runs. I think we still haven't seen the whole scale of this disaster.
Also it is not necessarily true that there would be a lot of noise. Mozilla Firefox (and all its forks) disrespects user privacy in many possible ways - still there is not much noise about it. Even more - they close bug reports about it. So no, I don't trust - I test. Unfortunately in this particular situation I am unable to test because that would require many weeks and maybe months to study the whole source code. That's why I am looking for someone who can point me to the right facts and in this way hopefully know how that works. In a similar way I have asked smplayer's dev the same question and he promptly explained that smplayer downloads and executes some JS for playing YouTube videos and explained how to disable it. I have asked other software developers for their programs too. |
|
Why is this forum so silent? I thought KDE was quite popular...
|
Registered Member
|
I too wish that there were more regulars around answering questions and such. There are a few of us who try to answer things to the best of our ability, but it seems like we've lost a bunch over the years.
As for devs, I've only seen them interacting on a couple of sub-forums. I recall seeing something about them sticking to their issue trackers and/or phabricator and/or irc or something like that and not hanging around the forums. This is rather unfortunate as there are many things brought up here which would be a lot easier resolved by someone who knows the code.
airdrik, proud to be a member of KDE forums since 2008-Dec.
|
|
On 3.March.2018 I have sent an email to a few of the addresses listed in Help->About asking for info on what we discuss here with a link to the thread. So far I have not received any reply.
|
KDE Developer
|
Up to my knowledge Marble doesn't execute Javascript in any crucial places. Marble integrates webpages for illustration purposes (e.g. in order to display the legend) but this doesn't involve the map rendering itself and isn't loaded remotely most of the time. But then again our core developers are no security specialists - at least not up to the degree required to understand the risks of Spectre and Meltdown enough to be able to totally and safely exclude any such risk.
As to developer availability: Dennis and I had been the lead developers during the last few years. Since Dennis had changed jobs and I had some very fortunate changes in my life we weren't able to do much Marble development lately. I plan to get back to Marble development in the near future. But any help and support from others would be appreciated (in this regard: thanks airdrik for your excellent replies). |
|
Hey tackat, thanks for the feedback.
> Up to my knowledge Marble doesn't execute Javascript in any crucial places.
If it loads and executes external JS (i.e. any code which is not distributed with the Marble package itself), then it can be potentially crucial, for whatever purpose as it is not controlled by the Marble developer but by someone else. (makes sense, doesn't it?) One doesn't need to be a security expert to understand that (personally I am not one). That said: have you personally worked on Marble? I would be really interested to hear back from someone who is familiar with the internals and can confirm anything in regards to my concerns. (sadly even after so many months, no reply from anyone else) |
KDE Developer
|
As long as you refer to Marble as the map rendering widget then the answer is clear: There is no Javascript involved with that part at all.
If you refer to the whole Marble application then yes: if you followed "Help -> Community Forum" a Web Browser is being opened which will of course execute external Javascript. The same applies for the map descriptions inside the legend which sometimes link to the URLs that lead to the webpages of the authors of the data in order to pay proper attribution and credits. Apart from that some of our own web content that helps to illustrate the map legend (rendered outside the actual map) is being rendered inside Qt's WebKit engine. And while I'm the founder of the Marble project and contributed a significant part of its source code I'm cautious to give you any guarantees with regard to this particular security topic - this especially applies to non-trivial cases like the Spectre/Meltdown one. Our software development involves code reviews and automated code quality checks. However if you want a 100% guarantee then I can only recommend to you that you ask/hire a security expert to perform a security audit regarding Marble for you. |
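The thread's two leads, inspecting the code (airdrik) and the Qt WebKit views named in the last reply, can be combined into a first-pass source audit. The sketch below is an added example, not code from the thread or from Marble: the file names and sample contents are constructed, and a textual match only locates where a script-capable engine is embedded, it does not prove what runs at runtime.

```python
import os
import re

# Qt classes able to run script code, grouped by module (real Qt class names).
ENGINE_APIS = {
    "QtWebKit": ["QWebView", "QWebPage", "QWebFrame"],
    "QtWebEngine": ["QWebEngineView", "QWebEnginePage"],
    "QtQml/QtScript": ["QJSEngine", "QQmlEngine", "QScriptEngine"],
}
URL_RE = re.compile(r'https?://[^\s"\')>]+')
JS_OFF_RE = re.compile(r"JavascriptEnabled\s*,\s*false")  # setAttribute(..., false)

def scan_source(text):
    """Return (engines referenced, remote URLs, JS explicitly disabled?)."""
    hits = {m: [c for c in cs if re.search(rf"\b{c}\b", text)]
            for m, cs in ENGINE_APIS.items()}
    engines = {m: h for m, h in hits.items() if h}
    urls = sorted(set(URL_RE.findall(text)))
    return engines, urls, bool(JS_OFF_RE.search(text))

def audit(files):
    """files maps path -> source text; report only files embedding an engine."""
    report = []
    for path in sorted(files):
        engines, urls, js_off = scan_source(files[path])
        if engines:
            report.append({"file": path, "engines": engines, "urls": urls,
                           "js_disabled": js_off,
                           # Remote content in a script-enabled view: read first.
                           "review_first": bool(urls) and not js_off})
    return report

def load_tree(root, exts=(".cpp", ".h", ".qml")):
    """Read a source checkout into the {path: text} form audit() expects."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith(exts):
                with open(os.path.join(dirpath, name), encoding="utf-8", errors="replace") as fh:
                    files[fh.name] = fh.read()
    return files

# Constructed sample files (hypothetical names, not taken from Marble).
SAMPLE = {
    "src/LegendView.cpp": 'QWebView *v = new QWebView;\nv->load(QUrl("https://example.org/legend.html"));\n',
    "src/AboutPage.cpp": 'QWebView v;\nv.settings()->setAttribute(QWebSettings::JavascriptEnabled, false);\n',
    "src/TileLoader.cpp": '// GET https://tile.example.org/1/2/3.png via QNetworkAccessManager\n',
}
print(audit(SAMPLE))
```

Running `audit(load_tree(path))` on a real checkout gives the short list of files to read by hand; the libraries the application links against need the same pass.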