[Development] Security-relevant 3rd party components bundled with Qt

[Volker Hilsheimer]

Hi,


Some of the 3rd party components we bundle in Qt are directly involved in code paths that are designed to process untrusted data. Following up on the situation with freetype [1] and the discussion we had during summer [2], it would help know which of the 3rd party components we bundle today have a security relevant surface. All components process data, but many only process data that the application developer has full control over (for example, we explicitly state that you should not load any untrusted QML code or content [3]). Those that are designed to process data from anywhere are the ones that are most interesting here.

Those components should then be watched closer, and always get updated to the latest version, perhaps even for patch releases. To that end, I’ve started to collect a list of such components on

https://wiki.qt.io/Third_Party_Code_in_Qt

and would appreciate if you could have a look and add missing components to that page, esp if you are in charge of some of them. I’ve included a column that describes what kind of patches we apply when we update the 3rd party code (and this is perhaps a good opportunity to see if all of those are still necessary).

In the line of the previous discussion [1], we can then start investigating our options for those 3rd party components; for instance, can we build them some of them as shared libraries so that they can be easily updated? On which platforms are some of them available as system libraries or SDKs, and do we test that those work in CI?


Thanks,
Volker

PS: Given the nature of Qt WebEngine, we can probably skip that particular repository in this exercise.

[1] https://lists.qt-project.org/pipermail/development/2022-July/042795.html
[2] https://lists.qt-project.org/pipermail/development/2022-July/042729.html
[3] https://doc.qt.io/qt-6/qtqml-documents-networktransparency.html