[Development] Qt 6.8.2 security vulnerability when cloning Qt from github.com
Benjamin TERRIER
b.terrier at gmail.com
Mon Feb 3 09:51:33 CET 2025
Hi,
Shortly after Qt 6.8.2 was released I reported
https://bugreports.qt.io/browse/QTBUG-133397
The issue is that the submodule qttools/src/assistant/qlitehtml
<https://code.qt.io/cgit/qt/qttools.git/tree/.gitmodules?h=6.8.2> is using
a relative path: ../../playground/qlitehtml.git
Because the qlitehtml repo is under playground/ and not under the qt/
directory, this relative path is meaningless almost everywhere except on
code.qt.io.
In particular on github.com, it points to
https://github.com/playground/qlitehtml.git
The issue is that anyone controlling the https://github.com/playground
account is able to have Qt users checkout their own qlitehtml repo, with
potentially malicious changes.
Luckily for now the repo https://github.com/playground/qlitehtml.git does
not exist and the cloning process fails (which is already bad on its own).
Right now I would advocate for moving the qlitehtml repo from playground to qt
and taking proper action so that developers cloning Qt from github.com, or
other online git services, do not end up cloning repos from random 3rd
parties.
In the long term, there should be rules and checks put in place to ensure
submodules in qt repos do not use relative urls to point to repos outside
of the qt/ directory.
Regards,
Benjamin Terrier
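The resolution rule Benjamin describes, and the kind of check he asks for at the end, as an added example (my code, not Qt's and not part of the original post). It mirrors how git resolves a relative submodule url against the superproject's own remote: each leading ../ drops one path component from the remote URL (for scp-style remotes the last hop falls back to the ':'), ./ is a no-op, and the rest is appended. The same .gitmodules line therefore lands under playground/ on code.qt.io, where that namespace exists, and under https://github.com/playground/ on github.com, where it does not belong to the project. The .gitmodules text below is a constructed sample modelled on the qttools entry mentioned above; the second entry in it is hypothetical and only there to show an in-namespace relative url passing the check.

```python
"""Resolve relative submodule URLs the way git does and flag the ones that
escape the superproject's namespace.  Added example for this thread, not Qt
project code; the resolution rule follows git's relative_url() as I read it."""
import re


def resolve_submodule_url(remote_url: str, url: str) -> str:
    """Resolve a .gitmodules url against the superproject's remote URL.

    '../' chops the last path component off the remote (falling back to the
    ':' of an scp-style remote), './' is skipped, the remainder is appended.
    Absolute URLs are returned unchanged."""
    if not url.startswith(("../", "./")):
        return url
    remote = remote_url.rstrip("/")
    colonsep = False
    while True:
        if url.startswith("../"):
            url = url[3:]
            slash = remote.rfind("/")
            if slash >= 0:
                remote = remote[:slash]
            else:
                colon = remote.rfind(":")
                if colon >= 0:
                    remote, colonsep = remote[:colon], True
                else:
                    remote = "."
        elif url.startswith("./"):
            url = url[2:]
        else:
            break
    return f"{remote}{':' if colonsep else '/'}{url}"


def namespace_of(remote_url: str) -> str:
    """Directory the superproject lives in, e.g. https://github.com/qt/ ."""
    return resolve_submodule_url(remote_url, "../")


def escapes_namespace(remote_url: str, url: str) -> bool:
    """True when a *relative* url resolves outside the superproject's own
    directory.  Absolute urls are out of scope for this rule."""
    if not url.startswith(("../", "./")):
        return False
    return not resolve_submodule_url(remote_url, url).startswith(namespace_of(remote_url))


def parse_gitmodules(text: str) -> dict:
    """Minimal parser for the [submodule "name"] / key = value format."""
    modules, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.match(r'\[submodule\s+"([^"]+)"\]$', line)
        if m:
            current = modules.setdefault(m.group(1), {})
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip().lower()] = value.strip()
    return modules


def check_submodules(gitmodules_text: str, remote_url: str) -> list:
    """Return (name, url, resolved_url, escapes) for every submodule entry."""
    findings = []
    for name, cfg in parse_gitmodules(gitmodules_text).items():
        url = cfg.get("url", "")
        findings.append((name, url, resolve_submodule_url(remote_url, url),
                         escapes_namespace(remote_url, url)))
    return findings


# Constructed sample: the first entry mirrors the qttools 6.8.2 submodule
# discussed in the thread, the second is hypothetical (in-namespace control).
SAMPLE_GITMODULES = """\
[submodule "src/assistant/qlitehtml"]
\tpath = src/assistant/qlitehtml
\turl = ../../playground/qlitehtml.git
[submodule "src/example/sibling"]
\tpath = src/example/sibling
\turl = ../sibling.git
"""

if __name__ == "__main__":
    for remote in ("https://code.qt.io/qt/qttools.git",
                   "https://github.com/qt/qttools.git",
                   "git@github.com:qt/qttools.git"):
        print(f"superproject cloned from {remote}  (namespace {namespace_of(remote)})")
        for name, url, resolved, escapes in check_submodules(SAMPLE_GITMODULES, remote):
            flag = "ESCAPES NAMESPACE" if escapes else "ok"
            print(f"  {name}: {url} -> {resolved}  [{flag}]")
```

Run it against a real checkout with something like check_submodules(open(".gitmodules").read(), git_remote_url) in CI; a non-empty set of escaping entries is the condition Benjamin's proposed rule would reject. Note that on code.qt.io the playground/ entry also trips the check, which is the point: the rule is about staying inside qt/, not about whether the target happens to exist on one particular host.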