Package: libqt5webkit5
Version: 5.212.0~alpha4-30
Hi,
this was originally a bug report against Ubuntu 24.04 as 2061191,
but since the package is community maintained and not by Ubuntu,
they asked me to report it "upstreams".
Ubuntu 24.04 beta / Debian bookworm still use libqt5webkit5.
It is not obvious where it comes from, but the version is still
an alpha4, and the link in the README seems to suggest that it
still comes from https:/
There, the latest README tells:
Code in this repository is obsolete. If you are looking for
up-to-date QtWebKit use this fork: https:/
https:/
Have a look at
https:/
which calls qtwebkit insecure, poorly maintained, and cites CVEs about remote code execution (some of them would have to be fixed in the fork, but probably not in the version here in ubuntu).
The problem is that tools like wkhtmltopdf do use this library and are typically used to pull contents from a given URL, i.e. from foreign websites.
Processing foreign HTML and JavaScript code in conjunction with vulnerabilities to remote code execution is highly dangerous.
regards
Hadmut