[Development] Security-relevant 3rd party components bundled with Qt
Robert Löhning
robert.loehning at qt.io
Fri Oct 7 22:08:51 CEST 2022
Am 20.09.22 um 14:47 schrieb Volker Hilsheimer:
> Hi,
>
>
> Some of the 3rd party components we bundle in Qt are directly involved in code paths that are designed to process untrusted data. Following up on the situation with freetype [1] and the discussion we had during summer [2], it would help know which of the 3rd party components we bundle today have a security relevant surface. All components process data, but many only process data that the application developer has full control over (for example, we explicitly state that you should not load any untrusted QML code or content [3]). Those that are designed to process data from anywhere are the ones that are most interesting here.
>
> Those components should then be watched closer, and always get updated to the latest version, perhaps even for patch releases. To that end, I’ve started to collect a list of such components on
>
> https://wiki.qt.io/Third_Party_Code_in_Qt
>
> and would appreciate if you could have a look and add missing components to that page, esp if you are in charge of some of them. I’ve included a column that describes what kind of patches we apply when we update the 3rd party code (and this is perhaps a good opportunity to see if all of those are still necessary).
>
> In the line of the previous discussion [1], we can then start investigating our options for those 3rd party components; for instance, can we build them some of them as shared libraries so that they can be easily updated? On which platforms are some of them available as system libraries or SDKs, and do we test that those work in CI?
>
>
> Thanks,
> Volker
>
> PS: Given the nature of Qt WebEngine, we can probably skip that particular repository in this exercise.
>
> [1] https://lists.qt-project.org/pipermail/development/2022-July/042795.html
> [2] https://lists.qt-project.org/pipermail/development/2022-July/042729.html
> [3] https://doc.qt.io/qt-6/qtqml-documents-networktransparency.html
>
> _______________________________________________
> Development mailing list
> Development at qt-project.org
> https://lists.qt-project.org/listinfo/development
Hi,
thank you for this initiative Volker.
Would it make sense to add a column to that table containing the contact
info of the respective 3rd party component's maintainer(s) and/or bug
tracker? It's awkward to have found an issue and not know whom to tell
about it.
By the way: If anybody knows how to reach a maintainer of libtiff,
please let me know.
Cheers,
Robert
More information about the Development
mailing list