From a505704e8f6c136ab015243c2807e39e012217d7 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Sun, 13 Nov 2022 14:31:55 +0100 Subject: [PATCH 1/3] qtwebkit: Mark known vulnerable The browser engine is based off an old Webkit version, receives no security backports, does no releases. The WebKitGTK people have counted over 500 CVEs they fixed since 2016. Adding known vulnerable to make people aware they're using a browser engine that is not up to todays standards and could very likely be easily compromised. Projects are recomended to migrate to qtwebengine instead. https://blogs.gnome.org/mcatanzaro/2017/02/08/an-update-on-webkit-security-updates/ https://github.com/qutebrowser/qutebrowser/issues/4039#issue-338246939 https://blogs.gnome.org/mcatanzaro/2022/11/04/stop-using-qtwebkit/ --- pkgs/development/libraries/qt-5/modules/qtwebkit.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/pkgs/development/libraries/qt-5/modules/qtwebkit.nix b/pkgs/development/libraries/qt-5/modules/qtwebkit.nix index bebfbdda8d8b..76f3481386f3 100644 --- a/pkgs/development/libraries/qt-5/modules/qtwebkit.nix +++ b/pkgs/development/libraries/qt-5/modules/qtwebkit.nix @@ -69,5 +69,8 @@ qtModule { meta = { maintainers = with lib.maintainers; [ abbradar periklis ]; + knownVulnerabilities = [ + "QtWebkit upstream is unmaintained and receives no security updates, see https://blogs.gnome.org/mcatanzaro/2022/11/04/stop-using-qtwebkit/" + ]; }; } From 145bd93a310d0a79f458f06dab3c41fac45f5441 Mon Sep 17 00:00:00 2001 From: K900 Date: Sun, 13 Nov 2022 17:08:56 +0300 Subject: [PATCH 2/3] kdevelop: remove qtwebkit from inputs Isn't used anyway. --- pkgs/applications/kde/kdevelop/kdevelop.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/applications/kde/kdevelop/kdevelop.nix b/pkgs/applications/kde/kdevelop/kdevelop.nix index 4e7f576398e5..1d34e01813b0 100644 --- a/pkgs/applications/kde/kdevelop/kdevelop.nix +++ b/pkgs/applications/kde/kdevelop/kdevelop.nix 
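Review bot: The `knownVulnerabilities` string added to `meta` explains why evaluation is refused but not what to move to, although the commit message already recommends qtwebengine. I would carry that into the string: `"QtWebkit upstream is unmaintained and receives no security updates; migrate to qtwebengine, see https://blogs.gnome.org/mcatanzaro/2022/11/04/stop-using-qtwebkit/"`. Once this attribute is set, any package that still takes qtwebkit as an input stops evaluating unless the user lists it in `permittedInsecurePackages`. This series only drops it from kdevelop and rocs, so the remaining reverse dependencies (not visible here) presumably need the same audit or a release-note entry. The `meta` block belongs to a `qtModule` call that starts outside the hunk.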
@@ -1,5 +1,5 @@ { mkDerivation, lib, cmake, gettext, pkg-config, extra-cmake-modules -, qtquickcontrols, qtwebkit, qttools, kde-cli-tools, qtbase +, qtquickcontrols, qttools, kde-cli-tools, qtbase , kconfig, kdeclarative, kdoctools, kiconthemes, ki18n, kitemmodels, kitemviews , kjobwidgets, kcmutils, kio, knewstuff, knotifyconfig, kparts, ktexteditor , threadweaver, kxmlgui, kwindowsystem, grantlee, kcrash, karchive, kguiaddons @@ -24,7 +24,7 @@ mkDerivation rec { ]; propagatedBuildInputs = [ - qtquickcontrols qtwebkit boost libkomparediff2 + qtquickcontrols boost libkomparediff2 kconfig kdeclarative kdoctools kiconthemes ki18n kitemmodels kitemviews kjobwidgets kcmutils kio knewstuff knotifyconfig kparts ktexteditor threadweaver kxmlgui kwindowsystem grantlee plasma-framework krunner From c1c816dcc3a290fc1ae27576542704789111de4a Mon Sep 17 00:00:00 2001 From: K900 Date: Sun, 13 Nov 2022 17:09:12 +0300 Subject: [PATCH 3/3] rocs: remove qtwebkit from inputs Also seems unused. --- pkgs/applications/kde/rocs.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/applications/kde/rocs.nix b/pkgs/applications/kde/rocs.nix index bb5cd80bca23..80f5f4bb6d65 100644 --- a/pkgs/applications/kde/rocs.nix +++ b/pkgs/applications/kde/rocs.nix @@ -1,7 +1,7 @@ { mkDerivation, lib, extra-cmake-modules, boost, - qtbase, qtscript, qtquickcontrols, qtwebkit, qtxmlpatterns, grantlee, + qtbase, qtscript, qtquickcontrols, qtxmlpatterns, grantlee, kdoctools, karchive, kxmlgui, kcrash, kdeclarative, ktexteditor, kguiaddons }: @@ -19,7 +19,7 @@ mkDerivation { nativeBuildInputs = [ extra-cmake-modules kdoctools ]; buildInputs = [ boost - qtbase qtscript qtquickcontrols qtwebkit qtxmlpatterns grantlee + qtbase qtscript qtquickcontrols qtxmlpatterns grantlee kxmlgui kcrash kdeclarative karchive ktexteditor kguiaddons ]; }
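Review bot: Dropping `qtwebkit` from `propagatedBuildInputs` in kdevelop.nix also withdraws it from anything that builds against kdevelop, so "Isn't used anyway" needs confirming for those consumers as well as for kdevelop itself; the patch shows no build or closure check. The rocs.nix hunks make the same removal from `buildInputs` on the strength of "seems unused" and deserve the same confirmation. To stop the input from being re-added later, a short comment above each list would help, e.g. `# qtwebkit deliberately omitted: unmaintained upstream, marked with knownVulnerabilities`. Both `mkDerivation` calls continue outside the hunks.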