[Announce] Security advisory: Freetype in Qt

List for announcements regarding Qt releases and development announce at qt-project.org
Wed Jul 27 14:00:50 CEST 2022


There have been three vulnerabilities found in FreeType recently and they have been assigned the CVE ids CVE-2022-27404, CVE-2022-27405, CVE-2022-27406. This has been fixed in the latest version of FreeType – v2.12.1

These effects configurations of Qt that have been built against the bundled version of FreeType. If you are using a pre-built version of Qt then this will be using the bundled version of FreeType by default, otherwise you will be using the system version by default, in which case you should check if the system needs to be updated or not. If the system needs to be updated, then updating it is enough to solve the issue. There is no need to rebuild Qt in that case.

Solution: To work-around it, then update your system version of FreeType to at least v2.12.1 and reconfigure and build Qt to use the system version of FreeType. Or apply the following patch or update to Qt 6.3.2 when it is released.


dev: https://codereview.qt-project.org/c/qt/qtbase/+/422316
6.4: https://codereview.qt-project.org/c/qt/qtbase/+/423390
6.3: https://codereview.qt-project.org/c/qt/qtbase/+/423391 or https://download.qt.io/official_releases/qt/6.3/CVE-2022-27404-27405-27406-qtbase-6.3.diff
6.2: https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/423393 or https://download.qt.io/official_releases/qt/6.2/CVE-2022-27404-27405-27406-qtbase-6.2.diff
5.15: https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/423394 or https://download.qt.io/official_releases/qt/5.15/CVE-2022-27404-27405-27406-qtbase-5.15.diff

Kind regards,
Andy Shaw
The Qt Company

More information about the Announce mailing list