Third Party Code in Qt: Difference between revisions

From Qt Wiki
Jump to navigation Jump to search
m (zlib has been updated and we no longer carry extra security fixes for it)
No edit summary
 
(3 intermediate revisions by one other user not shown)
Line 27: Line 27:
|sha3
|sha3
|arbitrary stream of bytes
|arbitrary stream of bytes
| -
|A patch that addresses CVE-2022-37454
|https://keccak.team/archives.html
|https://keccak.team/archives.html
|None, the upstream implementation is obsolete. Look for CVEs
|None, the upstream implementation is obsolete. Look for CVEs
Line 46: Line 46:
|-
|-
|qtbase||Qt GUI||md4c||markdown text||Fix compiler warnings with MSVC|| ||
|qtbase||Qt GUI||md4c||markdown text||Fix compiler warnings with MSVC|| ||
|-
|qtbase
|Qt GUI
|emoji segmenter
|any visual text
|
|https://github.com/google/emoji-segmenter/
|Fetch latest version tag from repository and copy in the files
|-
|-
|qtbase||Qt Network||Public Suffix List||only indirectly||-||https://publicsuffix.org/list/
|qtbase||Qt Network||Public Suffix List||only indirectly||-||https://publicsuffix.org/list/


https://github.com/publicsuffix/list
https://github.com/publicsuffix/list
|Download the recent version of the list. Then follow the instructions in src/3rdparty/libpsl/README.txt to regenerate our sources.
|Download the recent version of the list (https://publicsuffix.org/list/public_suffix_list.dat)
Then, for >=6.5
 
- follow the instructions in src/3rdparty/libpsl/README.txt
 
For 6.2 (while it's supported) (easiest on Linux/Unix):
 
- Build the tool in ./util/publicSuffix
 
- Run once to see instructions
 
- Follow the instructions
 
- You have to manually replace the appropriate section of qurltlds_p.h
 
For 5.15 (while it's supported) (easiest on Linux/Unix)
 
- Same as for 6.2, except the tool is located in util/corelib/qurl-generateTLDs, and the qurltlds file is in another location
 
- note: the instructions in 5.15 require stripping comments from the .dat file, which is different to the 6.2 branch
 
 
Finally, for all versions:
 
Bump qt_attribution.json SHA to the SHA the .dat file was generated from in their repo.


Then bump qt_attribution.json  SHA to the latest from their repo.
Basically just go through commits from the top until you see the changes from that commit in the .dat file.
|-
|-
|qtbase||Qt SQL||sqlite||SQL database files and queries||-||https://sqlite.org
|qtbase||Qt SQL||sqlite||SQL database files and queries||-||https://sqlite.org

Latest revision as of 10:48, 19 November 2024

This page provides security- and maintenance-relevant information for the 3rd party code in Qt. For a complete list of 3rd party modules, including the currently included version, see the documentation page with the list of licenses used in Qt.

repository Qt module 3rdparty module processed untrusted content patches upstream upgrade process
qtbase Qt Core pcre2 regular expressions - http://www.pcre.org/ Routine pre-release checks of their release page on GitHub. Their front-page is lagging a little behind at time of writing.
qtbase Qt Core sha1 arbitrary stream of bytes - https://www.dominik-reichl.de/projects/csha1/ Replace the .cpp file with the new version from upstream
qtbase Qt Core sha{224,256,384,512} arbitrary stream of bytes - https://www.rfc-editor.org/rfc/rfc6234#section-8 None, maybe look at errata or CVEs
qtbase Qt Core sha3 arbitrary stream of bytes A patch that addresses CVE-2022-37454 https://keccak.team/archives.html None, the upstream implementation is obsolete. Look for CVEs
qtbase Qt Core tinycbor Streaming CBOR object - https://github.com/intel/tinycbor Thiago is its maintainer, so brings us updates when he makes them.
qtbase Qt Core zlib zlib compressed data build fixes for Windows and Apple; exporting symbols http://zlib.net/ Routine pre-release check of their front page, which links the latest release.
qtbase Qt GUI harfbuzz-ng fonts -
qtbase Qt GUI freetype fonts - https://gitlab.freedesktop.org/freetype fetch latest tar-ball, run script. Might involve manual fixing of license and build system files, depending on what changed upstream.
qtbase Qt GUI libpng PNG images - http://www.libpng.org/pub/png/libpng.html
qtbase Qt GUI libjpeg JPEG images - https://sourceforge.net/projects/libjpeg-turbo/
qtbase Qt GUI md4c markdown text Fix compiler warnings with MSVC
qtbase Qt GUI emoji segmenter any visual text https://github.com/google/emoji-segmenter/ Fetch latest version tag from repository and copy in the files
qtbase Qt Network Public Suffix List only indirectly - https://publicsuffix.org/list/

https://github.com/publicsuffix/list

Download the recent version of the list (https://publicsuffix.org/list/public_suffix_list.dat)

Then, for >=6.5

- follow the instructions in src/3rdparty/libpsl/README.txt

For 6.2 (while it's supported) (easiest on Linux/Unix):

- Build the tool in ./util/publicSuffix

- Run once to see instructions

- Follow the instructions

- You have to manually replace the appropriate section of qurltlds_p.h

For 5.15 (while it's supported) (easiest on Linux/Unix)

- Same as for 6.2, except the tool is located in util/corelib/qurl-generateTLDs, and the qurltlds file is in another location

- note: the instructions in 5.15 require stripping comments from the .dat file, which is different to the 6.2 branch


Finally, for all versions:

Bump qt_attribution.json SHA to the SHA the .dat file was generated from in their repo.

Basically just go through commits from the top until you see the changes from that commit in the .dat file.

qtbase Qt SQL sqlite SQL database files and queries - https://sqlite.org Download the latest source code amalgation package and unzip into relevant directory
qtimageformats Qt ImageFormats libtiff TIFF images - https://gitlab.com/libtiff/libtiff
qtimageformats Qt ImageFormats libwebp webp images - https://developers.google.com/speed/webp
qtmultimedia Qt Multimedia FFmpeg Decoding compressed audio & video FFmpeg is provisioned in CI and used by the binary packages
qtmultimedia Qt Spatial Audio Eigen Processing of audio data -
qtmultimedia Qt Spatial Audio pffft Processing of audio data -
qtmultimedia Qt Spatial Audio resonance audio Processing of audio data -
qtquick3d Qt Quick 3D assimp 3D assets -
qtquick3d Qt Quick 3D tinyexr Loading EXR images -
qtquick3dphysics Qt Quick 3D Physics PhysX Read/write meshes Build fixes https://github.com/NVIDIAGameWorks/PhysX See src/3rdparty/PhysX/README.md