From 5ebd24de1aabe9f8fd530186227cf612a39771d9 Mon Sep 17 00:00:00 2001
From: Grimmauld
Date: Tue, 19 Aug 2025 20:33:48 +0200
Subject: [PATCH 1/4] subsurface: fix build, remove vulnerable qtwebengine
---
 pkgs/applications/misc/subsurface/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pkgs/applications/misc/subsurface/default.nix b/pkgs/applications/misc/subsurface/default.nix
index 6387913ac3732..af04df0d2ecef 100644
--- a/pkgs/applications/misc/subsurface/default.nix
+++ b/pkgs/applications/misc/subsurface/default.nix
@@ -23,7 +23,7 @@
 qtlocation,
 qtsvg,
 qttools,
- qtwebengine,
+ qtpositioning,
 libXcomposite,
 bluez,
 writeScript,
@@ -142,7 +142,7 @@ stdenv.mkDerivation {
 qtconnectivity
 qtsvg
 qttools
- qtwebengine
+ qtpositioning
 ];
 
 nativeBuildInputs = [
From 45ed32fbc612f7c70305bc0872fcdfa5eb84745f Mon Sep 17 00:00:00 2001
From: Grimmauld
Date: Tue, 19 Aug 2025 20:34:24 +0200
Subject: [PATCH 2/4] supercollider: disable vulnerable qtwebengine by default
---
 pkgs/development/interpreters/supercollider/default.nix | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/pkgs/development/interpreters/supercollider/default.nix b/pkgs/development/interpreters/supercollider/default.nix
index 45e00a910d6d0..7012f621380cf 100644
--- a/pkgs/development/interpreters/supercollider/default.nix
+++ b/pkgs/development/interpreters/supercollider/default.nix
@@ -26,6 +26,7 @@
 supercolliderPlugins,
 writeText,
 runCommand,
+ withWebengine ? false, # vulnerable, so disabled by default
 }:
 
 mkDerivation rec {
@@ -64,10 +65,10 @@ mkDerivation rec {
 curl
 libXt
 qtbase
- qtwebengine
 qtwebsockets
 readline
 ]
+ ++ lib.optional withWebengine qtwebengine
 ++ lib.optional (!stdenv.hostPlatform.isDarwin) alsa-lib;
 
 hardeningDisable = [ "stackprotector" ];
@@ -75,6 +76,7 @@ mkDerivation rec {
 cmakeFlags = [
 "-DSC_WII=OFF"
 "-DSC_EL=${if useSCEL then "ON" else "OFF"}"
+ (lib.cmakeBool "SC_USE_QTWEBENGINE" withWebengine)
 ];
 
 passthru = {
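Review bot: The swap of `qtwebengine` for `qtpositioning` in the argument list at line 23 is not explained anywhere in the file, and the same unexplained swap appears in the buildInputs hunk at line 142. Presumably qtpositioning was previously reaching the build transitively through qtwebengine and now has to be listed explicitly, but a reader of the file cannot tell that from the diff, and the next maintainer chasing a missing-module error may simply re-add the webengine dependency. A one-line comment such as `qtpositioning, # was pulled in transitively via qtwebengine before it was dropped` next to the new argument would record the reason. If subsurface's build system has an explicit switch for its webengine-backed feature, it is worth confirming it is turned off at configure time rather than relying on the module merely being absent.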
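Review bot: The comment `# vulnerable, so disabled by default` on the new `withWebengine` argument at line 26 does not tell a caller what happens when they set it to true: once qt5.qtwebengine carries `meta.knownVulnerabilities` (as the last patch in this series does), enabling the option makes evaluation refuse the package until the user allows it via `permittedInsecurePackages` or `NIXPKGS_ALLOW_INSECURE`. Spelling that out saves a confused bug report: `withWebengine ? false, # qt5.qtwebengine is marked insecure (meta.knownVulnerabilities); enabling this requires permittedInsecurePackages`. The pyside2 patch in this series adds the same argument with the same comment at its line 8 and would benefit from the same wording. The explicit `lib.cmakeBool "SC_USE_QTWEBENGINE" withWebengine` in the cmakeFlags hunk is the right shape, since it keeps the build from silently auto-detecting the module if it ever reappears in the closure.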
From fdaf9ac0214d7dea1b3e573434cd96c0d10c9d76 Mon Sep 17 00:00:00 2001
From: Grimmauld
Date: Tue, 19 Aug 2025 20:34:54 +0200
Subject: [PATCH 3/4] python312Packages.pyside2: disable vulnerable qtwebengine by default
---
 pkgs/development/python-modules/pyside2/default.nix | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/pkgs/development/python-modules/pyside2/default.nix b/pkgs/development/python-modules/pyside2/default.nix
index 29c1eae0a9cdf..bae24f891b33f 100644
--- a/pkgs/development/python-modules/pyside2/default.nix
+++ b/pkgs/development/python-modules/pyside2/default.nix
@@ -8,6 +8,7 @@
 ninja,
 qt5,
 shiboken2,
+ withWebengine ? false, # vulnerable, so omit by default
 }:
 stdenv.mkDerivation rec {
 pname = "pyside2";
@@ -67,13 +68,15 @@ stdenv.mkDerivation rec {
 qtlocation
 qtscript
 qtwebsockets
- qtwebengine
 qtwebchannel
 qtcharts
 qtsensors
 qtsvg
 qt3d
 ])
+ ++ lib.optionals withWebengine [
+ qt5.qtwebengine
+ ]
 ++ (with python.pkgs; [ setuptools ])
 ++ (lib.optionals (python.pythonOlder "3.9") [
 # see similar issue: 202262
From d89ab7ff0799e518a351ece97a4c784677dc2979 Mon Sep 17 00:00:00 2001
From: Grimmauld
Date: Tue, 19 Aug 2025 20:55:27 +0200
Subject: [PATCH 4/4] qt5.qtwebengine: mark vulnerable
---
 .../libraries/qt-5/modules/qtwebengine.nix | 37 +++++++++++++++++++
 1 file changed, 37 insertions(+)
diff --git a/pkgs/development/libraries/qt-5/modules/qtwebengine.nix b/pkgs/development/libraries/qt-5/modules/qtwebengine.nix
index 75c8eb7d19b98..a4a2ece44ce78 100644
--- a/pkgs/development/libraries/qt-5/modules/qtwebengine.nix
+++ b/pkgs/development/libraries/qt-5/modules/qtwebengine.nix
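Review bot: `++ lib.optionals withWebengine [ qt5.qtwebengine ]` in the buildInputs hunk at line 68 wraps a single element in a list, whereas the supercollider patch in the same series writes the equivalent as `lib.optional withWebengine qtwebengine`; the one-element form `++ lib.optional withWebengine qt5.qtwebengine` reads the same and keeps the two patches consistent. Nothing in this hunk passes a flag telling the pyside2 build to skip the WebEngine bindings, so the change presumably relies on its CMake configuration silently skipping modules it cannot find; that is worth confirming once with `withWebengine = false`, because a hard `find_package` requirement would fail at configure time rather than at eval. The buildInputs expression begins before this hunk and its head is not visible here.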
@@ -464,6 +464,43 @@ qtModule (
 # This build takes a long time; particularly on slow architectures
 timeout = 24 * 3600;
+
+ knownVulnerabilities = [
+ ''
+ qt5 qtwebengine is unmaintained upstream since april 2025.
+ It is based on chromium 87.0.4280.144, and supposedly patched up to 135.0.7049.95 which is outdated.
+
+ Security issues are frequently discovered in chromium.
+ The following list of CVEs was fixed in the life cycle of chromium 138 and likely also affects qtwebengine:
+ - CVE-2025-8879
+ - CVE-2025-8880
+ - CVE-2025-8901
+ - CVE-2025-8881
+ - CVE-2025-8882
+ - CVE-2025-8576
+ - CVE-2025-8577
+ - CVE-2025-8578
+ - CVE-2025-8579
+ - CVE-2025-8580
+ - CVE-2025-8581
+ - CVE-2025-8582
+ - CVE-2025-8583
+ - CVE-2025-8292
+ - CVE-2025-8010
+ - CVE-2025-8011
+ - CVE-2025-7656
+ - CVE-2025-6558 (known to be exploited in the wild)
+ - CVE-2025-7657
+ - CVE-2025-6554
+ - CVE-2025-6555
+ - CVE-2025-6556
+ - CVE-2025-6557
+
+ The actual list of CVEs affecting qtwebengine is likely much longer,
+ as this list is missing issues fixed in chromium 136/137 and even more
+ issues are continuously discovered and lack upstream fixes in qtwebengine.
+ ''
+ ];
 };
 }
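Review bot: The new `knownVulnerabilities` attribute only does anything if the attribute set it is added to is `meta`, because nixpkgs' insecure-package check reads `meta.knownVulnerabilities` and a stray top-level derivation attribute of the same name would evaluate silently and mark nothing. The opening line of the enclosing set is outside this hunk and the neighbouring `timeout = 24 * 3600;` could be either a derivation attribute or `meta.timeout`, so please confirm the new attribute lands inside `meta` (checking that `nix-instantiate` now refuses qt5.qtwebengine without an insecure allowance would settle it). The message would also be more actionable if it named the supported path forward, assuming qt6.qtwebengine is the intended replacement, e.g. a closing line `Consider migrating to qt6.qtwebengine, which tracks a maintained Chromium.`; users hit this text at evaluation time and currently get a CVE list with no next step. Minor wording on the first two lines: `april 2025` should be `April 2025`, and `supposedly patched up to 135.0.7049.95 which is outdated` reads better as `claims fixes up to 135.0.7049.95, which is itself outdated`.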