[Development] Qt 6.8.2 security vulnerability when cloning Qt from github.com
Axel Spoerl
axel.spoerl at qt.io
Mon Feb 3 16:36:48 CET 2025
Hi Benjamin,
thanks for flagging this. It's a valid issue, which we shall address swiftly.
Your assessment is correct: while just annoying at this stage, there is a potential security risk.
We shall track progress in https://bugreports.qt.io/browse/QTBUG-133397.
Once a solution is in place, we'll revert back to you.
Brgds
Axel
________________________________
From: Development <development-bounces at qt-project.org> on behalf of Benjamin TERRIER <b.terrier at gmail.com>
Sent: Monday, 3 February 2025 09:51
To: Qt Development ML <development at qt-project.org>
Subject: [Development] Qt 6.8.2 security vulnerability when cloning Qt from github.com
Hi,
Shortly after Qt 6.8.2 was released, I reported https://bugreports.qt.io/browse/QTBUG-133397
The issue is that the submodule qttools/src/assistant/qlitehtml (https://code.qt.io/cgit/qt/qttools.git/tree/.gitmodules?h=6.8.2) is using a relative path: ../../playground/qlitehtml.git
Because the qlitehtml repo is under playground/ and not under the qt/ directory, this relative path is meaningless almost everywhere except on code.qt.io.
In particular, on github.com it points to https://github.com/playground/qlitehtml.git
The issue is that anyone controlling the https://github.com/playground account is able to have Qt users check out their own qlitehtml repo, with potentially malicious changes.
Luckily, for now the repo https://github.com/playground/qlitehtml.git does not exist and the cloning process fails (which is already bad on its own).
Right now I would advocate moving the qlitehtml repo from playground to qt and taking proper action so that developers cloning Qt from github.com, or other online git services, do not end up cloning repos from random 3rd parties.
In the long term, there should be rules and checks put in place to ensure submodules in qt repos do not use relative URLs to point to repos outside of the qt/ directory.
Regards,
Benjamin Terrier
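One way to implement the check Benjamin proposes at the end of his mail, as an added example that is not part of this thread or of Qt's own tooling: it parses a .gitmodules fragment, resolves each relative submodule URL the way git does (against the superproject's remote URL, one path component dropped per leading `../`) and flags any submodule whose resolved URL leaves the superproject's namespace. The sample .gitmodules text, the function names and the GitHub superproject URL are constructed for the example.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed .gitmodules fragment: the qlitehtml entry mirrors the one the
# mail describes; the qtbase entry is made up as a safe, in-namespace case.
SAMPLE_GITMODULES = """\
[submodule "qlitehtml"]
\tpath = src/assistant/qlitehtml
\turl = ../../playground/qlitehtml.git
[submodule "qtbase"]
\tpath = vendor/qtbase
\turl = ../qtbase.git
"""

def parse_gitmodules(text):
    """Return {name: {key: value}} for every [submodule "name"] section."""
    mods, cur = {}, None
    for line in text.splitlines():
        header = re.match(r'\s*\[submodule\s+"([^"]+)"\]', line)
        if header:
            cur = mods.setdefault(header.group(1), {})
            continue
        kv = re.match(r'\s*(\w+)\s*=\s*(.*?)\s*$', line)
        if kv and cur is not None:
            cur[kv.group(1)] = kv.group(2)
    return mods

def resolve_relative(superproject_url, rel):
    """Resolve a relative submodule URL as git does: each leading '../' chops
    one component off the superproject's remote URL, './' is a no-op."""
    parts = urlsplit(superproject_url)
    segs = parts.path.strip("/").split("/")
    while rel.startswith(("../", "./")):
        if rel.startswith("../"):
            if not segs:
                raise ValueError("relative URL climbs above the host root")
            segs.pop()
            rel = rel[3:]
        else:
            rel = rel[2:]
    return urlunsplit((parts.scheme, parts.netloc, "/" + "/".join(segs + [rel]), "", ""))

def find_escaping_submodules(gitmodules_text, superproject_url):
    """Return [(name, resolved_url)] for relative submodule URLs that resolve
    outside the superproject's namespace (e.g. outside qt/ on the host)."""
    head, _, _ = urlsplit(superproject_url).path.strip("/").rpartition("/")
    namespace = head + "/" if head else ""
    findings = []
    for name, cfg in parse_gitmodules(gitmodules_text).items():
        url = cfg.get("url", "")
        if not url.startswith(("../", "./")):
            continue  # absolute URLs are a different review question
        resolved = resolve_relative(superproject_url, url)
        if not urlsplit(resolved).path.lstrip("/").startswith(namespace):
            findings.append((name, resolved))
    return findings

if __name__ == "__main__":
    for name, url in find_escaping_submodules(SAMPLE_GITMODULES, "https://github.com/qt/qttools.git"):
        print(f"submodule {name!r} resolves outside the namespace: {url}")
```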