[Development] How do I fix a vulnerability in Qt. I forward the question to someone, or should I write the code myself?
Bruno Crocamo
bruno.crocamo at gmail.com
Thu Jul 9 20:11:06 CEST 2020
Thank u, Eddy.
Lars, in my first message I mentioned a link:
https://github.com/wkhtmltopdf/qt/pull/47.
Here you can see the changes I made:
https://github.com/wkhtmltopdf/qt/pull/47/commits/5d639d9c04dbc644875e913cf0a6f5f54abcbf75
The changes made by me perform a reordering. This lessens the risk. But the
risk will always exist as long as there is a source of risk: the CMap
object.
However, the change made was made in a version of Qt used in a third party
project.
I don't know, for sure, how to make this modification official in Qt. I
believe that the best option is an analysis by a developer with more
experience about Qt. I understand that I have a minor contribution, very
punctual contribution, that does not break the code. But an analysis by
someone more experienced is required.
In fact, the Qt contribution guidelines talks about:
- "Add relevant reviewers to your change(s)";
- "If your contribution is deemed to not align with the project's vision or
goals, you should abandon the change at this point".
Thus, to make a change someone else's participation is required.
I appreciate the answer given by everyone,
Att,
Bruno
Em qui., 9 de jul. de 2020 às 12:48, Thiago Macieira <
thiago.macieira at intel.com> escreveu:
> On Thursday, 9 July 2020 03:48:18 PDT Lars Knoll wrote:
> > The easiest fix for this would probably be to simply change the
> "QList<int>
> > glyph_indices;" in QFontSubset to a QSet.
>
> That would make the output non-deterministic. If determinism is wanted, a
> sorted container is preferable.
>
> --
> Thiago Macieira - thiago.macieira (AT) intel.com
> Software Architect - Intel System Software Products
>
>
>
> _______________________________________________
> Development mailing list
> Development at qt-project.org
> https://lists.qt-project.org/listinfo/development
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.qt-project.org/pipermail/development/attachments/20200709/3fecef0b/attachment.html>
More information about the Development
mailing list