[Development] [Announce] Security advisory: Freetype in Qt

Albert Astals Cid aacid at kde.org
Fri Aug 19 23:47:03 CEST 2022

On Friday, 19 August 2022, at 18:13:15 (CEST), Volker Hilsheimer wrote:
> > On 19 Aug 2022, at 16:28, Albert Astals Cid <aacid at kde.org> wrote:
> > In case you don't understand what I am speaking about, I mean the Qt 5.15
> > patch corresponding to
> > https://code.qt.io/cgit/qt/qtbase.git/commit/src/3rdparty/freetype?id=cfa631e0fb5d78aac80cb580eb092fafa1cd9a8f
> > which you didn't mark as Pick-to: 5.15 but from reading the
> > CVE-2022-27404-27405-27406-qtbase-5.15.diff patch it's clear you did.
> There is no patch that upgrades the freetype version 2.10.1 that is bundled
> with Qt 5.15.5 to freetype 2.12.1.
> Someone has to sit down and cherry-pick
> https://codereview.qt-project.org/c/qt/qtbase/+/422316 down to the publicly
> available Qt 5.15 branch. This can perhaps skip over the intermediate
> upgrade to freetype 2.10.4. I’ve attached Liang's patch that upgraded
> freetype from 2.10.1 to 2.10.4 in the Qt 5.15 branch, so whoever wants to
> pick this up can see if that helps with creating a consolidated patch.
> I assume that the Qt5 patch collection infrastructure that the KDE community
> maintains is exactly designed for making such a consolidated patch
> available and rebasing it e.g. 5.15.6 when that becomes available.
> Chances are that I simply didn’t understand that you have basically been
> asking and waiting for the 5.15 version of
> cfa631e0fb5d78aac80cb580eb092fafa1cd9a8f. Apologies if that signal got lost
> in the duststorm of this email thread.

Yes, I wanted the cfa631e0fb5d78aac80cb580eb092fafa1cd9a8f version for 5.15. I now realize no special "version" of that patch is needed, since that patch already applies and builds fine in 5.15.

So, as a summary: anyone who finds that they can't apply https://download.qt.io/official_releases/qt/5.15/CVE-2022-27404-27405-27406-qtbase-5.15.diff to their Qt 5.15 just needs to apply https://code.qt.io/cgit/qt/qtbase.git/commit/src/3rdparty/freetype?id=cfa631e0fb5d78aac80cb580eb092fafa1cd9a8f first, and all will be good.


> Volker
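As an added example (not part of the original thread and not Qt project tooling), a small POSIX shell helper that applies the two patches in the order the summary above describes, dry-running each one with "git apply --check" first so that a tree where the freetype bump is missing is left untouched and the failing patch is named. The cgit "patch/?id=" URL form, the local file names and the helper names are assumptions; the CVE diff is taken to be a plain unified diff that git apply accepts.

```shell
#!/bin/sh
# Added example, not from the original thread or from the Qt project.
# Assumptions: cgit serves a commit as a mail-formatted patch under
# patch/?id=<sha>, and both patches are relative to the qtbase checkout root.

QTBASE_FREETYPE_COMMIT="cfa631e0fb5d78aac80cb580eb092fafa1cd9a8f"
FREETYPE_PATCH_URL="https://code.qt.io/cgit/qt/qtbase.git/patch/?id=${QTBASE_FREETYPE_COMMIT}"
CVE_DIFF_URL="https://download.qt.io/official_releases/qt/5.15/CVE-2022-27404-27405-27406-qtbase-5.15.diff"

# Download both patches into the directory $1, numbered in application order.
# Needs network access; nothing else in this file calls it.
fetch_qt_patches() {
    dir="$1"
    mkdir -p "$dir"
    curl -fsSL "$FREETYPE_PATCH_URL" -o "$dir/01-freetype-2.12.1.patch"
    curl -fsSL "$CVE_DIFF_URL" -o "$dir/02-cve-2022-27404-27405-27406.diff"
}

# Dry-run patch $2 against the git work tree at $1. Exit status 0 means the
# patch would apply cleanly; nothing is modified.
patch_applies() {
    git -C "$1" apply --check "$2" >/dev/null 2>&1
}

# Apply the patches given after the tree path $1, in that order. Each patch is
# dry-run before it is applied, so a tree that lacks the freetype bump fails
# on the CVE diff with a message naming it instead of ending up half-patched.
apply_in_order() {
    tree="$1"
    shift
    for p in "$@"; do
        if ! patch_applies "$tree" "$p"; then
            echo "does not apply cleanly: $p (apply the preceding patch first?)" >&2
            return 1
        fi
        git -C "$tree" apply "$p" || return 1
    done
}

# Typical use against a qtbase 5.15.5 checkout (assumed paths):
#   fetch_qt_patches /tmp/qt-patches
#   apply_in_order ~/src/qtbase /tmp/qt-patches/01-freetype-2.12.1.patch \
#                  /tmp/qt-patches/02-cve-2022-27404-27405-27406.diff
```

Running apply_in_order with only the CVE diff on an unbumped 5.15 tree reproduces the failure mode the summary warns about; prepending the freetype commit patch makes both steps go through.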
