[Development] Security-relevant 3rd party components bundled with Qt

Volker Hilsheimer volker.hilsheimer at qt.io
Fri Jan 20 09:57:55 CET 2023

On 1 Nov 2022, at 09:55, Volker Hilsheimer via Development <development at qt-project.org> wrote:

On 20 Sep 2022, at 14:47, Volker Hilsheimer <volker.hilsheimer at qt.io> wrote:
Those components should then be watched closer, and always get updated to the latest version, perhaps even for patch releases. To that end, I’ve started to collect a list of such components on


and would appreciate if you could have a look and add missing components to that page, esp if you are in charge of some of them. I’ve included a column that describes what kind of patches we apply when we update the 3rd party code (and this is perhaps a good opportunity to see if all of those are still necessary).

Hi again,

Thanks for populating that page with information about 3rd party components processing untrusted content.

As a next step, could those of you who are upgrading such components as part of the release process, please provide links to the respective upstream, and instructions on what is involved in the upgrading of the bundled sources?


That page still misses information for a lot of 3rd party modules about where to find the upstream and the update instructions. That makes it very difficult for our release team to follow up on the 3rd party update.

Third Party Code in Qt - Qt Wiki<https://wiki.qt.io/Third_Party_Code_in_Qt>

We need information about

- public suffix list

- harfbuzz-ng
- libpng, libjpeg
- sqlite

Qt Imageformats:
- libwebp

Qt Multimedia
- ffmpeg
- eigen
- pffft
- resonance audio

Qt Quick3D
- assimp
- tinyexr


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.qt-project.org/pipermail/development/attachments/20230120/24b046a9/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: favicon.ico
Type: image/vnd.microsoft.icon
Size: 5430 bytes
Desc: favicon.ico
URL: <http://lists.qt-project.org/pipermail/development/attachments/20230120/24b046a9/attachment.ico>

More information about the Development mailing list