[Development] [Announce] Security advisory: Freetype in Qt

Ahmad Samir a.samirh78 at gmail.com
Fri Aug 19 19:30:08 CEST 2022

On 27/7/22 19:15, Thiago Macieira wrote:
> On Wednesday, 27 July 2022 09:43:32 PDT Albert Astals Cid wrote:
>>> 5.15:
>>> https://download.qt.io/official_releases/qt/5.15/CVE-2022-27404-27405-27406-qtbase-5.15.diff
>> This patch doesn't seem to apply over the v5.15.5-lts-lgpl tag for me, can
>> someone please double check in case I'm doing something wrong?
> Looks like Freetype in the current 5.15 branch does not match what's in the
> patch.
> $ git show origin/5.15:src/3rdparty/freetype/docs/CHANGES | head -2
> CHANGES BETWEEN 2.10.0 and 2.10.1
> $ curl -sL https://download.qt.io/official_releases/qt/5.15/
> CVE-2022-27404-27405-27406-qtbase-5.15.diff | \
>      grep -A3 b/src/3rdparty/freetype/docs/CHANGES
> diff --git a/src/3rdparty/freetype/docs/CHANGES b/src/3rdparty/freetype/docs/
> index 3bd5291ae1..3ad7ec4333 100644
> --- a/src/3rdparty/freetype/docs/CHANGES
> +++ b/src/3rdparty/freetype/docs/CHANGES
> @@ -1,4 +1,235 @@
> -CHANGES BETWEEN 2.10.3 and 2.10.4
> +CHANGES BETWEEN 2.12.0 and 2.12.1
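Review bot: the hunk's pre-image line `-CHANGES BETWEEN 2.10.3 and 2.10.4` cannot match the branch, whose CHANGES file starts with `CHANGES BETWEEN 2.10.0 and 2.10.1` (see the `git show origin/5.15` output above), so `git apply` will reject this hunk and every other hunk generated against the 2.10.3 tree is equally suspect; the patch needs to be regenerated against the FreeType version actually bundled in 5.15, or the bundled copy replaced wholesale with 2.12.1 as the post-image line suggests.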
> The patch was created on top of FreeType 2.10.3, while the branch has 2.10.1.
> I repeat: stop using the bundled third party content unless you're willing to
> update it yourself. In which case, you should simply update to 2.12.1 on your
> own. Ignore the patches in the CVE.

Going forward, don't ship/bundle 3rd party libs, instead add scripts (shell or CMake (the latter has 
support to fetch remote stuff https://cmake.org/cmake/help/latest/module/FetchContent.html)) that 
download that source code from git (at a specific commit hash) or as tarballs and unpack them 
...etc. This approach means you would only need to change one line in a script and users will get 
the latest stable source code of a 3rd party lib the next time they build. "Does the next version of 
lib A build?" that's a question Linux distributions will usually have an answer for; and you will 
have an answer for it too if you use those same scripts to fetch those sources in your e.g. Windows CI.

If you keep bundling them, then the burden of patching CVEs in those bundled libs falls on you 
(any which way you want to look at it, license-wise, morally, legally...).

My 2p's.

Ahmad Samir
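As an added illustration of the approach suggested above (this is example code, not part of the original message or of Qt's build system), a CMake fragment that fetches FreeType from its upstream git repository at one pinned commit instead of carrying a bundled copy. The commit hash is a placeholder to be replaced with the audited one; the FreeType repository URL and the `freetype` library target it builds are assumed from upstream's own CMake project.

```cmake
# Added example: pin a third-party dependency to an exact commit rather than
# bundling its sources. Bumping the library is then a one-line change here.
cmake_minimum_required(VERSION 3.14)
project(uses_freetype LANGUAGES C)

include(FetchContent)

# Placeholder hash: replace with the exact upstream commit you reviewed.
# A full 40-hex hash (not a branch or a movable tag) is itself the integrity
# check: git verifies the checked-out object matches it.
set(FREETYPE_PINNED_COMMIT "0000000000000000000000000000000000000000"
    CACHE STRING "Exact FreeType commit to build against")

# Refuse anything that is not a full commit hash, so nobody can silently
# switch the pin to a branch name that moves under their feet.
if(NOT FREETYPE_PINNED_COMMIT MATCHES "^[0-9a-f]{40}$")
  message(FATAL_ERROR
    "FREETYPE_PINNED_COMMIT must be a 40-character commit hash, "
    "got '${FREETYPE_PINNED_COMMIT}'")
endif()

FetchContent_Declare(
  freetype
  GIT_REPOSITORY https://gitlab.freedesktop.org/freetype/freetype.git
  GIT_TAG        ${FREETYPE_PINNED_COMMIT}
  # Shallow clones only contain branch tips, so an arbitrary commit
  # could not be checked out; keep a full clone for a hash pin.
  GIT_SHALLOW    FALSE
  # Tarball alternative: URL plus the hash of the archive you verified.
  # URL      https://download.savannah.gnu.org/releases/freetype/freetype-2.12.1.tar.xz
  # URL_HASH SHA256=<sha256-of-the-verified-tarball>
)
# Downloads (once) and adds upstream's CMake project to this build.
FetchContent_MakeAvailable(freetype)

# Link against the target defined by upstream's CMakeLists.txt.
add_executable(app main.c)
target_link_libraries(app PRIVATE freetype)
```

A CI job on every platform that configures with this file answers "does the next version build?" by changing only the pinned hash; `-DFETCHCONTENT_FULLY_DISCONNECTED=ON` then reuses the already-fetched tree for offline rebuilds.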
