[Development] [Announce] Security advisory: Freetype in Qt

Volker Hilsheimer volker.hilsheimer at qt.io
Fri Aug 19 18:13:15 CEST 2022

> On 19 Aug 2022, at 16:28, Albert Astals Cid <aacid at kde.org> wrote:
> In case you don't understand what I am speaking about, I mean the Qt 5.15 patch corresponding to
> https://code.qt.io/cgit/qt/qtbase.git/commit/src/3rdparty/freetype?id=cfa631e0fb5d78aac80cb580eb092fafa1cd9a8f
> which you didn't mark as Pick-to: 5.15 but from reading the CVE-2022-27404-27405-27406-qtbase-5.15.diff patch it's clear you did.

There is no patch that upgrades the freetype version 2.10.1 that is bundled with Qt 5.15.5 to freetype 2.12.1.

Someone has to sit down and cherry-pick https://codereview.qt-project.org/c/qt/qtbase/+/422316 down to the publicly available Qt 5.15 branch. This can perhaps skip over the intermediate upgrade to freetype 2.10.4. I’ve attached Liang's patch that upgraded freetype from 2.10.1 to 2.10.4 in the Qt 5.15 branch, so whoever wants to pick this up can see if that helps with creating a consolidated patch.

I assume that the Qt5 patch collection infrastructure that the KDE community maintains is exactly designed for making such a consolidated patch available and rebasing it e.g. 5.15.6 when that becomes available.

Chances are that I simply didn’t understand that you have basically been asking and waiting for the 5.15 version of cfa631e0fb5d78aac80cb580eb092fafa1cd9a8f. Apologies if that signal got lost in the duststorm of this email thread.
