Hi Hadmut!

On Sat, Apr 20, 2024 at 09:23:37PM +0300, Hadmut Danisch wrote:
> Package: libqt5webkit5
>
> Version: 5.212.0~alpha4-30
>
>
> Hi,
>
> this was originally a bug report against Ubuntu 24.04 as 2061191, but since
> the package is community maintained and not by Ubuntu, they asked me to
> report it "upstreams".
>
>
> Ubuntu 24.04 beta / Debian bookworm still use libqt5webkit5.
>
> It is not obvious, where it comes from, but the version is still an alpha4,
> and the link in the README seems to suggest, that it still comes from
> https://github.com/annulen/webkit, which redirects to
> https://github.com/qtwebkit/qtwebkit, where the alpha4 tag is over 4 years
> old.
>
> There, the latest README tells:
>
> Code in this repository is obsolete. If you are looking for up-to-date
> QtWebKit use this fork: https://github.com/movableink/webkit
>
> https://github.com/movableink/webkit seems to be still maintained – more or
> less. And calls itself "inofficial mirror"

Unfortunately, movableink/webkit seems to be even less stable or ready than
qtwebkit/qtwebkit. For example, it is known that PyQt5 cannot be built
against it [1], and there are packages in Debian which need it:

  $ reverse-depends python3-pyqt5.qtwebkit
  Reverse-Recommends
  ==================
  * linuxcnc-uspace [amd64 arm64 armel armhf i386 mips64el ppc64el s390x]
  * python3-ginga

  Reverse-Depends
  ===============
  * frescobaldi [amd64 arm64 armel armhf i386 mips64el ppc64el s390x]
  * manuskript
  * openshot-qt
  * python3-pyface
  * python3-qgis [amd64 arm64 armel armhf i386 mips64el ppc64el s390x]
  * python3-qtpy
  * qutebrowser-qtwebkit
  * yade [amd64 arm64]

> Have a look at
>
> https://blogs.gnome.org/mcatanzaro/2022/11/04/stop-using-qtwebkit/
>
> which calls qtwebkit insecure, poorly maintained, and cites CVEs about
> remote code execution (some of them would have to be fixed in the fork, but
> probably not in the version here in ubuntu).
>
> The problem is, that tools like wkhtmltopdf do use this library and are
> typically used to pull contents from a given URL, i.e. from foreign
> websites.
>
> Processing foreign HTML and Javascript code in conjunction with
> vulnerabilities to remote code execution, this is highly dangerous.

I absolutely agree. Projects like wkhtmltopdf should stop using Qt WebKit
and should be ported to Qt WebEngine or other alternatives [2]. Once they do
that, we will be able to remove Qt WebKit from Debian.

Any help with filing bugs, both upstream and here in Debian, is welcome.

It is also worth noting that our Release Notes explicitly mention [3] that
Qt WebKit is not covered by security support, thus anyone who uses it with
untrusted input data does so on their own risk.

[1]: https://github.com/movableink/webkit/issues/16
[2]: ideally, they should be also ported from Qt 5 to Qt 6
[3]: 
https://www.debian.org/releases/stable/amd64/release-notes/ch-information.en.html#browser-security

--
Dmitry Shachnev

Attachment: signature.asc
Description: PGP signature

Reply via email to