Package: libqt5webkit5

Version: 5.212.0~alpha4-30


Hi,

this was originally a bug report against Ubuntu 24.04 as 2061191, but since the package is community maintained and not by Ubuntu, they asked me to report it "upstream".


Ubuntu 24.04 beta / Debian bookworm still use libqt5webkit5.

It is not obvious where it comes from, but the version is still an alpha4, and the link in the README seems to suggest that it still comes from https://github.com/annulen/webkit, which redirects to https://github.com/qtwebkit/qtwebkit, where the alpha4 tag is over 4 years old.

There, the latest README tells:

Code in this repository is obsolete. If you are looking for up-to-date QtWebKit use this fork: https://github.com/movableink/webkit

https://github.com/movableink/webkit seems to still be maintained, more or less, and calls itself an "inofficial mirror".

Have a look at

https://blogs.gnome.org/mcatanzaro/2022/11/04/stop-using-qtwebkit/

which calls qtwebkit insecure, poorly maintained, and cites CVEs about remote code execution (some of them would have to be fixed in the fork, but probably not in the version here in ubuntu).

The problem is that tools like wkhtmltopdf use this library and are typically used to pull content from a given URL, i.e. from foreign websites.

Processing foreign HTML and JavaScript code in conjunction with remote code execution vulnerabilities is highly dangerous.


regards

Hadmut
