Skip to content

qt5.qtwebengine: mark vulnerable#435067

Merged
fabianhjr merged 4 commits intoNixOS:masterfrom
LordGrimmauld:qtwebengine-vuln
Aug 25, 2025
Merged

qt5.qtwebengine: mark vulnerable#435067
fabianhjr merged 4 commits intoNixOS:masterfrom
LordGrimmauld:qtwebengine-vuln

Conversation

@LordGrimmauld
Copy link
Contributor

@LordGrimmauld LordGrimmauld commented Aug 19, 2025

  • remove qt5 qtwebengine from some packages (like pyside2) to reduce breaks
  • mark qt5.qtwebengine vulnerable, listing some of the CVEs fixed in Chromium since qtwebengine went unmaintained upstream.

Things done

  • Built on platform:
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • Tested, as applicable:
  • Ran nixpkgs-review on this PR. See nixpkgs-review usage.
  • Tested basic functionality of all binary files, usually in ./result/bin/.
  • Nixpkgs Release Notes
    • Package update: when the change is major or breaking.
  • NixOS Release Notes
    • Module addition: when adding a new NixOS module.
    • Module update: when the change is significant.
  • Fits CONTRIBUTING.md, pkgs/README.md, maintainers/README.md and other READMEs.

Add a 👍 reaction to pull requests you find important.

@LordGrimmauld LordGrimmauld added the 1.severity: security Issues which raise a security issue, or PRs that fix one label Aug 19, 2025
@LordGrimmauld LordGrimmauld requested review from K900 and emilazy August 19, 2025 18:58
@nixpkgs-ci nixpkgs-ci bot added 10.rebuild-linux: 11-100 This PR causes between 11 and 100 packages to rebuild on Linux. 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin. 6.topic: python Python is a high-level, general-purpose programming language. 6.topic: qt/kde Object-oriented framework for GUI creation labels Aug 19, 2025
@nix-owners nix-owners bot requested a review from mguentner August 19, 2025 19:03
@LordGrimmauld
Copy link
Contributor Author

LordGrimmauld commented Aug 19, 2025
edited
Loading

pyside users to check whether they need webengine:

  • /nix/store/ic6mi0q0fmhvbc3amrgy769v167w00ak-python3.12-magicgui-0.10.1.drv x86_64-linux
  • /nix/store/md28w1pdwv04f0bg5c8lk42cycaspvzs-renderdoc-1.39.drv x86_64-linux
  • /nix/store/9b1scy06757n57w4jca0wf62b7qbsppw-kohighlights-2.3.1.0.drv x86_64-linux
  • /nix/store/vpxjbn5hx0ajgz6whnl98izsvdd8mc8j-patray-0.1.2.drv x86_64-linux
  • /nix/store/57cvbw7awqwd1kiwl9x0d88yw5rxk6xa-pyside2-tools-5.15.17.drv x86_64-linux
  • /nix/store/8v3110szdj9k4v4rzqdfrn2nia4n53pa-rcu-4.0.24.drv x86_64-linux ??? no source available
  • /nix/store/5m2ah799qh8xhxz6h0y2sc2zsy0bcy8y-sl1-to-photon-0.1.3+.drv x86_64-linux
  • /nix/store/hmaaj185500a843ijzgdlbcrpp1a3jqc-python3.12-napari-0.6.2.drv x86_64-linux
  • /nix/store/bf3yqrqqc2pz4v5mxis61sn7whmahkwc-python3.12-napari-npe2-0.7.8.drv x86_64-linux
  • /nix/store/lqdl2r921fv3b6hn0dp559xkmqxgy77b-shadps4-0.10.0.drv x86_64-linux

None need webengine. Can't check rcu and pyside tools doesn't matter.

mguentner
mguentner reviewed Aug 19, 2025
View reviewed changes
pkgs/applications/misc/subsurface/default.nix
qtlocation,
qtsvg,
qttools,
qtwebengine,
Copy link
Contributor

@mguentner mguentner Aug 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍 from my side

The impact should be rather small. According to subsurface's CMakeLists.txt, this should only disable the internal manual and printing support.

We can re-enable qtwebengine once subsurface builds with recent Qt 6 versions.

Copy link
Contributor Author

@LordGrimmauld LordGrimmauld Aug 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

on the version we have, qtwebengine is not used at all

Copy link
Contributor

@mguentner mguentner Aug 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Indeed, seems like the cmake cannot find it. This should be the code.

Copy link
Contributor Author

@LordGrimmauld LordGrimmauld Aug 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Careful: we are on commit 38a0050ac33566dfd34bf94cf1d7ac66034e4118, which only supports qtwebkit: https://github.com/subsurface/subsurface/blob/38a0050ac33566dfd34bf94cf1d7ac66034e4118/CMakeLists.txt#L249-L275

qtwebkit is the predecessor to qtwebengine, and even worse in terms of security, see e.g. https://blogs.gnome.org/mcatanzaro/2022/11/04/stop-using-qtwebkit/

qtwebengine is not supported at all for the version we have. Not even for qt6, where it is just blanket-disabled. We'd need to update the package to use a modern version and qt6 to make use of qtwebengine.

Copy link
Contributor

@mguentner mguentner Aug 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This commit is interesting :)

subsurface/subsurface@643f4a5

K900
K900 approved these changes Aug 20, 2025
View reviewed changes
Copy link
Contributor

@K900 K900 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM overall, would be nice to have a full list of things that are affected.

@nixpkgs-ci nixpkgs-ci bot added the 12.approvals: 1 This PR was reviewed and approved by one person. label Aug 20, 2025
@fabianhjr fabianhjr added 12.approvals: 2 This PR was reviewed and approved by two persons. and removed 12.approvals: 1 This PR was reviewed and approved by one person. labels Aug 24, 2025
@OPNA2608 OPNA2608 mentioned this pull request Aug 25, 2025
Merged
13 tasks
@OPNA2608
Copy link
Contributor

OPNA2608 commented Aug 25, 2025

would be nice to have a full list of things that are affected.

29 packages updated:
  • faust2sc.py
  • foxdot
  • kohighlights
  • napari
  • natron
  • patray
  • pyside2
  • pyside2
  • pyside2-tools
  • pyside2-tools
  • python3.12-foxdot
  • python3.12-magicgui
  • python3.12-napari
  • python3.12-napari-npe2
  • python3.13-foxdot
  • python3.13-magicgui
  • python3.13-napari
  • python3.13-napari-npe2
  • rcu
  • renderdoc
  • sc3-plugins
  • shadps4
  • sl1-to-photon
  • sonic-pi
  • subsurface
  • supercollider
  • supercollider
  • supercollider-with-plugins
  • supercollider-with-plugins
71 packages removed:
  • clipgrab (†3.9.7)
  • csound-qt (†1.1.3)
  • deltatouch (†1.14.3)
  • eagle (†9.6.2)
  • fcitx5-chinese-addons (†5.1.8)
  • frescobaldi (†3.3.0)
  • gepetto-gui (†)
  • gepetto-gui (†)
  • gepetto-viewer (†6.0.0)
  • gepetto-viewer (†6.0.0)
  • gepetto-viewer (†6.0.0)
  • gepetto-viewer-corba (†6.0.0)
  • gepetto-viewer-corba (†6.0.0)
  • gepetto-viewer-corba (†6.0.0)
  • gfie (†4.2)
  • gitqlient (†1.6.3)
  • globalprotect-openconnect (†1.4.9)
  • gpsbabel (†1.8.0)
  • huggle (†3.4.13)
  • jellyfin-media-player (†1.12.0)
  • jellyfin-mpv-shim (†2.9.0)
  • kbibtex (†0.10.0)
  • kchmviewer (†8.0)
  • kdeltachat-unstable (†2024-01-14)
  • kiwix (†2.4.1)
  • lgogdownloader (†3.17)
  • luminance-hdr (†2.6.1.1)
  • MellowPlayer (†3.6.8)
  • merkaartor (†0.20.0)
  • mindforger (†2.0.0)
  • morph-browser (†1.1.2)
  • nmapsi4 (†0.5-alpha2)
  • notepadqq (†2.0.0-beta)
  • openboard (†1.7.3)
  • openshot-qt (†3.3.0)
  • pentobi (†20.0)
  • psi (†1.5)
  • python-qt (†3.6.1)
  • python-qt (†3.6.1)
  • python-qt (†3.6.1)
  • python3.12-orange-widget-base (†4.26.0)
  • python3.12-orange3 (†3.39.0)
  • python3.12-pyqt5-stubs (†5.15.6.0)
  • python3.12-pyqtwebengine (†5.15.7)
  • python3.12-pywebview (†5.4)
  • python3.12-spyder (†6.1.0a2)
  • python3.13-orange-widget-base (†4.26.0)
  • python3.13-orange3 (†3.39.0)
  • python3.13-pyqt5-stubs (†5.15.6.0)
  • python3.13-pyqtwebengine (†5.15.7)
  • python3.13-pywebview (†5.4)
  • python3.13-spyder (†6.1.0a2)
  • qolibri (†2.1.5-unstable-2025-01-18)
  • qsyncthingtray (†0.5.8)
  • qt-full (†5.15.17)
  • qtwebengine (†5.15.19)
  • qtwebview (†5.15.17)
  • qutebrowser-qt5 (†3.5.1)
  • seafile-client (†9.0.12)
  • semantik (†1.2.10)
  • skrooge (†25.4.0)
  • spyder (†6.1.0a2)
  • stremio-shell (†4.4.168)
  • tageditor (†3.9.6)
  • teamspeak3 (†3.6.2)
  • tribler (†7.14.0)
  • vivisect (†1.2.1)
  • webmacs (†0.8)
  • whatsie (†4.16.3)
  • yacas (†1.9.1)
  • zeal (†0.7.2)

@fabianhjr fabianhjr merged commit 5f450c8 into NixOS:master Aug 25, 2025
34 of 35 checks passed
@LordGrimmauld LordGrimmauld mentioned this pull request Aug 25, 2025
Closed
13 tasks
@LordGrimmauld
Copy link
Contributor Author

LordGrimmauld commented Aug 25, 2025
edited
Loading

fcitx5-with-addons is pulling the chinese thing, which will be a channel blocker.... I propose #436892 as a temporary fix until we have migrated fcitx5 to use qt6.

nim65s added a commit to nim65s/nixpkgs that referenced this pull request Aug 27, 2025
@nim65s
gepetto-viewer: python-qt is optional
c597d45 
So deactivate it by default to fix build following
NixOS#435067
@nim65s nim65s mentioned this pull request Aug 27, 2025
Closed
13 tasks
@fabianhjr fabianhjr mentioned this pull request Aug 29, 2025
Open
@fabianhjr
Copy link
Member

fabianhjr commented Aug 29, 2025

Hi @azahi, I tried to search for pre-existing procedure/policy on knownVulnerabilities but couldn't find much. As such I created a new issue/thread to treat it more explicitly without mixing with this PR/specific change: #438361

@chrisheib
Copy link
Contributor

chrisheib commented Aug 30, 2025
edited
Loading

My unstable config is failing to build as well. I tried running nixos-rebuild with --show-trace as per @gepbird #360897 (comment), but this didn't give me anything useful to work with. How can I find the package that is causing the breakage for me? Command output is attached.
nixos trace.md

Edit: On the third readthrough I found teamspeak mentioned in line 1000, which also appears in the list of impacted packages above. Is there a more easily understandable way to look for the build dependencies of your installed packages?

Pinging @lukegb, @Atemu

@somasis somasis mentioned this pull request Aug 30, 2025
Merged
13 tasks
@Jylhis Jylhis mentioned this pull request Aug 30, 2025
Merged
13 tasks
Jylhis added a commit to Jylhis/nixpkgs that referenced this pull request Aug 30, 2025
@Jylhis
zeal: migrate to pkgs/by-name, use qt6
0e805d8 
Motivated by qt5.qtwebengine being marked vulnerable (NixOS#435067):
- Move package from pkgs/data/documentation to pkgs/by-name/ze/zeal
- Switch from Qt5 to Qt6 as the default
- Remove zeal-qt5 and zeal-qt6 variants in favor of single Qt6 version
- Add aliases for deprecated Qt-specific variants
@r-k-b
Copy link
Contributor

r-k-b commented Sep 1, 2025

How can I find the package that is causing the breakage for me?

I found https://github.com/utdemir/nix-tree to be useful for this; with default settings, a search for 'qtwebengine' revealed Notepadqq.

@nixpkgs-ci
Copy link
Contributor

nixpkgs-ci bot commented Sep 1, 2025

Successfully created backport PR for release-25.05:

@nixpkgs-ci nixpkgs-ci bot mentioned this pull request Sep 1, 2025
Closed
1 task
@github-actions github-actions bot added the 8.has: port to stable This PR already has a backport to the stable release. label Sep 1, 2025
@fabianhjr fabianhjr mentioned this pull request Sep 1, 2025
Merged
13 tasks
wolfgangwalther pushed a commit that referenced this pull request Sep 1, 2025
@Jylhis @fabianhjr
zeal: migrate to pkgs/by-name, use qt6
023cfcc 
Motivated by qt5.qtwebengine being marked vulnerable (#435067):
- Move package from pkgs/data/documentation to pkgs/by-name/ze/zeal
- Switch from Qt5 to Qt6 as the default
- Remove zeal-qt5 and zeal-qt6 variants in favor of single Qt6 version
- Add aliases for deprecated Qt-specific variants

(cherry picked from commit 0e805d8)
gador added a commit to gador/nixpkgs that referenced this pull request Sep 7, 2025
@gador
seafile-client: disable qtwebengine
7e3e51f 
due to NixOS#435067

Signed-off-by: Florian Brandes <[email protected]>
@gador gador mentioned this pull request Sep 7, 2025
Closed
13 tasks
gador added a commit to gador/nixpkgs that referenced this pull request Sep 7, 2025
@gador
seafile-client: disable qtwebengine
4d5051f 
due to NixOS#435067

Signed-off-by: Florian Brandes <[email protected]>
nim65s added a commit to nim65s/nixpkgs that referenced this pull request Sep 23, 2025
@nim65s
python-qt: disable vulnerable qtwebengine by default
639caa3 
webengine is optional:

```
extensions/PythonQt_QtAll/PythonQt_QtAll.pro
24:  qtHaveModule(webenginewidgets):CONFIG += PythonQtWebEngineWidgets
```

So disable it by default to fix build
following NixOS#435067
nim65s added a commit to nim65s/nixpkgs that referenced this pull request Sep 28, 2025
@nim65s
python-qt: disable vulnerable qtwebengine by default
811636a 
webengine is optional:

```
extensions/PythonQt_QtAll/PythonQt_QtAll.pro
24:  qtHaveModule(webenginewidgets):CONFIG += PythonQtWebEngineWidgets
```

So disable it by default to fix build
following NixOS#435067
@nixos-discourse
Copy link

nixos-discourse commented Oct 4, 2025

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/unable-to-install-package-due-to-insecure-dependency-refusing-to-evaluate/70363/1

@nim65s nim65s mentioned this pull request Oct 16, 2025
Merged
13 tasks
nim65s added a commit to nim65s/nixpkgs that referenced this pull request Oct 20, 2025
@nim65s
libsForQt5.full: drop
cc72bd2 
It was broken after qtwebengine (and qtwebview) got tagged
insecure in NixOS#435067
nim65s added a commit to nim65s/nixpkgs that referenced this pull request Dec 11, 2025
@nim65s
python-qt: disable vulnerable qtwebengine by default
a8274bd 
webengine is optional:

```
extensions/PythonQt_QtAll/PythonQt_QtAll.pro
24:  qtHaveModule(webenginewidgets):CONFIG += PythonQtWebEngineWidgets
```

So disable it by default to fix build
following NixOS#435067
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@fabianhjr fabianhjr fabianhjr approved these changes

@K900 K900 K900 approved these changes

@emilazy emilazy Awaiting requested review from emilazy

@ttuegel ttuegel Awaiting requested review from ttuegel

@SuperSandro2000 SuperSandro2000 Awaiting requested review from SuperSandro2000

@NickCao NickCao Awaiting requested review from NickCao

+1 more reviewer

@mguentner mguentner mguentner left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

1.severity: security Issues which raise a security issue, or PRs that fix one 6.topic: python Python is a high-level, general-purpose programming language. 6.topic: qt/kde Object-oriented framework for GUI creation 8.has: port to stable This PR already has a backport to the stable release. 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin. 10.rebuild-linux: 11-100 This PR causes between 11 and 100 packages to rebuild on Linux. 12.approvals: 2 This PR was reviewed and approved by two persons.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

10 participants

@LordGrimmauld @OPNA2608 @BeatLink @azahi @fabianhjr @chrisheib @r-k-b @nixos-discourse @K900 @mguentner