On 27/7/22 19:15, Thiago Macieira wrote:
On Wednesday, 27 July 2022 09:43:32 PDT Albert Astals Cid wrote:
5.15:
https://download.qt.io/official_releases/qt/5.15/CVE-2022-27404-27405-27406-qtbase-5.15.diff

This patch doesn't seem to apply over the v5.15.5-lts-lgpl tag for me; can
someone please double check in case I'm doing something wrong?

Looks like FreeType in the current 5.15 branch does not match what's in the
patch.

$ git show origin/5.15:src/3rdparty/freetype/docs/CHANGES | head -2

CHANGES BETWEEN 2.10.0 and 2.10.1
$ curl -sL https://download.qt.io/official_releases/qt/5.15/CVE-2022-27404-27405-27406-qtbase-5.15.diff | \
     grep -A3 b/src/3rdparty/freetype/docs/CHANGES
diff --git a/src/3rdparty/freetype/docs/CHANGES b/src/3rdparty/freetype/docs/
CHANGES
index 3bd5291ae1..3ad7ec4333 100644
--- a/src/3rdparty/freetype/docs/CHANGES
+++ b/src/3rdparty/freetype/docs/CHANGES
@@ -1,4 +1,235 @@
-CHANGES BETWEEN 2.10.3 and 2.10.4
+CHANGES BETWEEN 2.12.0 and 2.12.1
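
Review bot: the `-CHANGES BETWEEN 2.10.3 and 2.10.4` context line of this hunk cannot match a tree whose CHANGES file opens with `CHANGES BETWEEN 2.10.0 and 2.10.1` (the `git show origin/5.15` output above), so `git apply` rejects the file at its first hunk; running `git apply --check` against v5.15.5-lts-lgpl reports that before anything is written. The header `@@ -1,4 +1,235 @@` together with the `+CHANGES BETWEEN 2.12.0 and 2.12.1` line also shows the diff is a wholesale FreeType 2.10.3 to 2.12.1 import of the bundled copy rather than a minimal backport of the three CVE fixes named in the file name, which is why it only applies to a branch that already carries 2.10.3.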

The patch was created on top of FreeType 2.10.3, while the branch has 2.10.1.

I repeat: stop using the bundled third party content unless you're willing to
update it yourself. In which case, you should simply update to 2.12.1 on your
own. Ignore the patches in the CVE.


Going forward, don't ship/bundle 3rd party libs; instead add scripts (shell or CMake (the latter has support to fetch remote stuff: https://cmake.org/cmake/help/latest/module/FetchContent.html)) that download the source code from git (at a specific commit hash) or as tarballs and unpack them, etc. This approach means you would only need to change one line in a script and users will get the latest stable source code of a 3rd party lib the next time they build. "Does the next version of lib A build?" is a question Linux distributions will usually have an answer for; and you will have an answer for it too if you use those same scripts to fetch those sources in your e.g. Windows CI.

If you keep bundling them, then the burden of patching CVEs in those bundled libs falls on you (any which way you want to look at it: license-wise, morally, legally...).

My 2p's.

Regards,
Ahmad Samir
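
An added example of the kind of fetch script described above, written for this page and not taken from Qt or from Ahmad's post: a POSIX shell script that pins a tarball by its SHA-256 and a git checkout by a full commit hash, and refuses to unpack or build anything that does not match the pin. The URLs, paths and hashes in the usage comment at the bottom are placeholders, not real release artifacts.

```shell
#!/bin/sh
# Added example, not Qt's or the poster's script: fetch third-party sources at
# a pinned version and fail the build if what arrives is not what was pinned.
# Tarballs are pinned by SHA-256, git checkouts by full commit hash. Every
# URL, path and hash in the usage comment at the bottom is a placeholder.
set -e

# Print the SHA-256 of FILE as lowercase hex; uses coreutils sha256sum when
# present and falls back to the BSD/macOS shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_archive FILE EXPECTED_SHA256: succeed only if the hashes match.
# The expected value is lowercased so a hash copied with capitals still works.
verify_archive() {
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$(sha256_of "$1")" = "$expected" ]
}

# is_full_commit_hash PIN: succeed only for a 40-character lowercase hex hash.
# Tag and branch names are rejected on purpose: a tag can be moved after the
# fact, while a commit hash cannot change without changing the tree it names.
is_full_commit_hash() {
    [ ${#1} -eq 40 ] || return 1
    case "$1" in
        *[!0-9a-f]*) return 1 ;;
    esac
    return 0
}

# fetch_pinned NAME URL EXPECTED_SHA256 DESTDIR: download URL to
# DESTDIR/NAME.tar.xz, verify it, and unpack it into DESTDIR/NAME only after
# the check passes. A mismatch removes the download and fails loudly, so a
# re-rolled or tampered tarball cannot enter the build. Bumping the library is
# then a one-line change in the caller: new URL, new hash.
fetch_pinned() {
    name=$1; url=$2; expected=$3; destdir=$4
    archive="$destdir/$name.tar.xz"
    mkdir -p "$destdir"
    curl -fsSL --retry 3 -o "$archive" "$url"
    if ! verify_archive "$archive" "$expected"; then
        echo "ERROR: $name: SHA-256 mismatch for $url" >&2
        echo "  expected $expected" >&2
        echo "  got      $(sha256_of "$archive")" >&2
        rm -f "$archive"
        return 1
    fi
    rm -rf "$destdir/$name"
    mkdir -p "$destdir/$name"
    tar -xJf "$archive" -C "$destdir/$name" --strip-components=1
}

# git_pinned NAME REPO COMMIT DESTDIR: clone REPO into DESTDIR/NAME, check out
# COMMIT detached, then confirm HEAD really is that commit.
git_pinned() {
    name=$1; repo=$2; commit=$3; destdir=$4
    if ! is_full_commit_hash "$commit"; then
        echo "ERROR: $name: pin '$commit' is not a full commit hash" >&2
        return 1
    fi
    dir="$destdir/$name"
    mkdir -p "$destdir"
    [ -d "$dir/.git" ] || git clone --quiet "$repo" "$dir"
    git -C "$dir" fetch --quiet origin
    git -C "$dir" checkout --quiet --detach "$commit"
    actual_head=$(git -C "$dir" rev-parse HEAD)
    if [ "$actual_head" != "$commit" ]; then
        echo "ERROR: $name: HEAD $actual_head is not the pinned $commit" >&2
        return 1
    fi
}

# Usage (placeholder URL and hashes, not real pins):
#   fetch_pinned freetype https://example.invalid/freetype-2.12.1.tar.xz \
#       <sha256 published with the upstream release> 3rdparty
#   git_pinned freetype https://example.invalid/freetype.git \
#       <40-hex commit hash of the release tag> 3rdparty
```

The same two checks map directly onto the CMake route mentioned above: FetchContent_Declare with URL plus URL_HASH SHA256=... fails the download on a mismatch, and GIT_TAG should carry the full commit hash rather than a tag name for the same reason is_full_commit_hash rejects one here.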


_______________________________________________
Development mailing list
Development@qt-project.org
https://lists.qt-project.org/listinfo/development
