[Development] [Announce] Security advisory: Freetype in Qt

Giuseppe D'Angelo giuseppe.dangelo at kdab.com
Thu Jul 28 17:31:32 CEST 2022


Hi,

On 27/07/2022 22:23, Thiago Macieira wrote:
> On Wednesday, 27 July 2022 11:47:20 PDT Giuseppe D'Angelo via Development
> wrote:
>> Right now, if one selects "LTS" and "Latest releases" (and *not*
>> "Archive"), one gets
>>
>> * 6.3.1
>> * 6.2.4
>> * 5.15.2
>>
>> all of which are bugged AFAICT?
> 
> Non-commercial customers shouldn't even see the option for LTS, since it's not
> LTS for them. There should only be "Latest releases".
> 
> Yes, it means that to find Qt 5, you'll need to go look in the Archive.
> 

Trying to summarize:

1) The current opensource binary downloads, marked "LTS" / "Latest 
releases", are all bugged. Given they will never get a binary update for 
5.15 or 6.2, I don't think it makes any sense to keep them available 
under those labels -- they should be in "Archive" or so.

6.3.2 should be released in a few weeks and I'm assuming will contain 
the fix in question? (As well as being provided as binary downloads.)


2) The current *source* downloads for 5.15 (esp. the latest, 5.15.5) 
don't have a clean patch against them.

Yes, one could always build Qt against a vanilla fixed Freetype, or 
replace (if that's easy/possible) the freetype in src/3rdparty/, that's 
not the point though.


3) Most importantly: will the _future_ source downloads for 5.15 / 6.2 
(e.g. 5.15.6, due in September) also be affected? I'd assume yes, if 
they're faithful to the "tagging" in the repositories, done a year ago.

Are further patches (that apply against them) going to be published? Or 
will it be the case that 5.15.6 isn't really going to be a "release", 
but mostly something like "5.15.6's source is now publicly accessible"?

(To me it makes zero sense to "release" something with known 
vulnerabilities.)


Thanks,

-- 
Giuseppe D'Angelo | giuseppe.dangelo at kdab.com | Senior Software Engineer
KDAB (France) S.A.S., a KDAB Group company
Tel. France +33 (0)4 90 84 08 53, http://www.kdab.com
KDAB - The Qt, C++ and OpenGL Experts