NixOS · philiptaron · Jul 25, 2025 · Jul 24, 2025 · Jul 23, 2025 · Jul 23, 2025
diff --git a/pkgs/by-name/gv/gvfs/package.nix b/pkgs/by-name/gv/gvfs/package.nix
@@ -43,8 +43,10 @@
   libmsgraph,
   python3,
   gsettings-desktop-schemas,
+  googleSupport ? false, # dependency on vulnerable libsoup versions
 }:
 
+assert googleSupport -> gnomeSupport;
 stdenv.mkDerivation (finalAttrs: {
   pname = "gvfs";
   version = "1.57.2";
@@ -106,8 +108,10 @@ stdenv.mkDerivation (finalAttrs: {
     glib-networking # TLS support
     gnome-online-accounts
     libsecret
-    libgdata
     libmsgraph
+  ]
+  ++ lib.optionals googleSupport [
+    libgdata
   ];
 
   mesonFlags = [
@@ -130,9 +134,11 @@ stdenv.mkDerivation (finalAttrs: {
     "-Dgcr=false"
     "-Dgoa=false"
     "-Dkeyring=false"
-    "-Dgoogle=false"
     "-Donedrive=false"
   ]
+  ++ lib.optionals (!googleSupport) [
+    "-Dgoogle=false"
+  ]
   ++ lib.optionals (avahi == null) [
     "-Ddnssd=false"
   ]

diff --git a/pkgs/development/libraries/libsoup/default.nix b/pkgs/development/libraries/libsoup/default.nix
@@ -139,5 +139,31 @@ stdenv.mkDerivation rec {
       "libsoup-2.4"
       "libsoup-gnome-2.4"
     ];
+    knownVulnerabilities = [
+      ''
+        libsoup 2 is EOL, with many known unfixed CVEs.
+        The last release happened 2023-10-11,
+        with few security backports since and no stable release.
+
+        Vulnerabilities likely include (incomplete list):
+        - CVE-2025-4948: https://gitlab.gnome.org/GNOME/libsoup/-/issues/449
+        - CVE-2025-46421: https://gitlab.gnome.org/GNOME/libsoup/-/issues/439
+        - CVE-2025-32914: https://gitlab.gnome.org/GNOME/libsoup/-/issues/436
+        - CVE-2025-32913: https://gitlab.gnome.org/GNOME/libsoup/-/issues/435
+        - CVE-2025-32912: https://gitlab.gnome.org/GNOME/libsoup/-/issues/434
+        - CVE-2025-32911: https://gitlab.gnome.org/GNOME/libsoup/-/issues/433
+        - CVE-2025-32910: https://gitlab.gnome.org/GNOME/libsoup/-/issues/432
+        - CVE-2025-32909: https://gitlab.gnome.org/GNOME/libsoup/-/issues/431
+        - CVE-2025-32907: https://gitlab.gnome.org/GNOME/libsoup/-/issues/428
+        - CVE-2025-32053: https://gitlab.gnome.org/GNOME/libsoup/-/issues/426
+        - CVE-2025-32052: https://gitlab.gnome.org/GNOME/libsoup/-/issues/425
+        - CVE-2025-32050: https://gitlab.gnome.org/GNOME/libsoup/-/issues/424
+        - CVE-2024-52531: https://gitlab.gnome.org/GNOME/libsoup/-/issues/423
+        - CVE-2025-2784: https://gitlab.gnome.org/GNOME/libsoup/-/issues/422
+
+        These vulnerabilities were fixed in libsoup 3,
+        with the vulnerable code present in libsoup 2 versions.
+      ''
+    ];
   };
 }
diff --git a/pkgs/top-level/release-small.nix b/pkgs/top-level/release-small.nix
@@ -168,7 +168,6 @@ in
   util-linux = linux;
   util-linuxMinimal = linux;
   w3m = all;
-  webkitgtk_4_0 = linux;
   wget = all;
   which = all;
   wirelesstools = linux;