Third Party Code in Qt: Difference between revisions
(List of 3rd party components we include in Qt and that consume untrusted data) |
Manordheim (talk | contribs) mNo edit summary |
||
(24 intermediate revisions by 11 users not shown) | |||
Line 3: | Line 3: | ||
{| class="wikitable" | {| class="wikitable" | ||
|- | |- | ||
! repository !! Qt module | !repository!!Qt module!!3rdparty module!!processed untrusted content!!patches!!upstream!!upgrade process | ||
|- | |- | ||
| qtbase | |qtbase||Qt Core||pcre2||regular expressions||-||http://www.pcre.org/<nowiki/>||Routine pre-release checks of their release [https://github.com/PCRE2Project/pcre2/releases page] on GitHub. Their front-page is lagging a little behind at time of writing. | ||
|- | |- | ||
| qtbase | |qtbase | ||
|Qt Core | |||
|sha1 | |||
|arbitrary stream of bytes | |||
| - | |||
|https://www.dominik-reichl.de/projects/csha1/ | |||
|Replace the .cpp file with the new version from upstream | |||
|- | |- | ||
| qtbase | |qtbase | ||
|Qt Core | |||
|sha{224,256,384,512} | |||
|arbitrary stream of bytes | |||
| - | |||
|https://www.rfc-editor.org/rfc/rfc6234#section-8 | |||
|None, maybe look at errata or CVEs | |||
|- | |- | ||
| qtbase | |qtbase | ||
|Qt Core | |||
|sha3 | |||
|arbitrary stream of bytes | |||
|A patch that addresses CVE-2022-37454 | |||
|https://keccak.team/archives.html | |||
|None, the upstream implementation is obsolete. Look for CVEs | |||
|- | |- | ||
| qtbase || Qt | |qtbase||Qt Core||tinycbor||Streaming CBOR object||-||https://github.com/intel/tinycbor<nowiki/>||Thiago is its maintainer, so brings us updates when he makes them. | ||
|- | |- | ||
| qtbase || Qt | |qtbase||Qt Core||zlib||zlib compressed data||build fixes for Windows and Apple; exporting symbols||http://zlib.net/<nowiki/>||Routine pre-release check of their front page, which links the latest release. | ||
|- | |- | ||
| qtbase || Qt GUI || | |qtbase||Qt GUI||harfbuzz-ng||fonts||-|| | ||
|- | |- | ||
| qtbase || Qt GUI || | |qtbase||Qt GUI||freetype||fonts||-||https://gitlab.freedesktop.org/freetype<nowiki/>||fetch latest tar-ball, run [https://code.qt.io/cgit/qt/qtbase.git/tree/src/3rdparty/freetype/import_from_tarball.sh script]. Might involve manual fixing of license and build system files, depending on what changed upstream. | ||
|- | |- | ||
| qtbase || Qt | |qtbase||Qt GUI||libpng||PNG images||-||http://www.libpng.org/pub/png/libpng.html | ||
| | |||
|- | |- | ||
| | |qtbase||Qt GUI||libjpeg||JPEG images||-||https://sourceforge.net/projects/libjpeg-turbo/ | ||
| | |||
|- | |- | ||
| | |qtbase||Qt GUI||md4c||markdown text||Fix compiler warnings with MSVC|| || | ||
|- | |- | ||
| | |qtbase | ||
|Qt GUI | |||
|emoji segmenter | |||
|any visual text | |||
| | |||
|https://github.com/google/emoji-segmenter/ | |||
|Fetch latest version tag from repository and copy in the files | |||
|- | |- | ||
| qtquick3d || Qt Quick 3D || tinyexr || Loading EXR images || - || | |qtbase||Qt Network||Public Suffix List||only indirectly||-||https://publicsuffix.org/list/ | ||
https://github.com/publicsuffix/list | |||
| - If in dev: | |||
- Update the pick-to branches in '''util/update_public_suffix_list.sh''' | |||
- Then run the script | |||
|- | |||
|qtbase||Qt SQL||sqlite||SQL database files and queries||-||https://sqlite.org | |||
|Download the latest source code amalgation package and unzip into relevant directory | |||
|- | |||
|qtimageformats||Qt ImageFormats||libtiff||TIFF images||-||https://gitlab.com/libtiff/libtiff<nowiki/>|| | |||
|- | |||
|qtimageformats||Qt ImageFormats||libwebp||webp images||-||https://developers.google.com/speed/webp | |||
| | |||
|- | |||
|qtmultimedia||Qt Multimedia||FFmpeg||Decoding compressed audio & video||FFmpeg is provisioned in CI and used by the binary packages|| || | |||
|- | |||
|qtmultimedia||Qt Spatial Audio||Eigen||Processing of audio data coming from trusted sources||-|| || | |||
|- | |||
|qtmultimedia||Qt Spatial Audio||pffft||Processing of audio data coming from trusted sources||-|| || | |||
|- | |||
|qtmultimedia||Qt Spatial Audio||resonance audio||Processing of audio data||-|| || | |||
|- | |||
|qtquick3d||Qt Quick 3D||assimp||3D assets||-|| || | |||
|- | |||
|qtquick3d||Qt Quick 3D||tinyexr||Loading EXR images||-|| || | |||
|- | |||
|qtquick3dphysics||Qt Quick 3D Physics||PhysX||Read/write meshes||Build fixes||https://github.com/NVIDIAGameWorks/PhysX<nowiki/>||See src/3rdparty/PhysX/README.md | |||
|} | |} |
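Review bot: The rows for harfbuzz-ng, md4c, FFmpeg, assimp and tinyexr leave both the upstream and upgrade process cells empty, although each lists untrusted input (fonts, markdown text, compressed audio & video, 3D assets, EXR images); fill in at least the upstream URL so a pre-release or CVE check has a starting point. The emoji segmenter row leaves the patches cell blank where the other unpatched rows use "-", and the sqlite row spells "amalgation" where "amalgamation" is meant.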
Latest revision as of 14:02, 18 June 2025
This page provides security- and maintenance-relevant information for the 3rd party code in Qt. For a complete list of 3rd party modules, including the currently included version, see the documentation page with the list of licenses used in Qt.
repository | Qt module | 3rdparty module | processed untrusted content | patches | upstream | upgrade process |
---|---|---|---|---|---|---|
qtbase | Qt Core | pcre2 | regular expressions | - | http://www.pcre.org/ | Routine pre-release checks of their release page on GitHub. Their front-page is lagging a little behind at time of writing. |
qtbase | Qt Core | sha1 | arbitrary stream of bytes | - | https://www.dominik-reichl.de/projects/csha1/ | Replace the .cpp file with the new version from upstream |
qtbase | Qt Core | sha{224,256,384,512} | arbitrary stream of bytes | - | https://www.rfc-editor.org/rfc/rfc6234#section-8 | None, maybe look at errata or CVEs |
qtbase | Qt Core | sha3 | arbitrary stream of bytes | A patch that addresses CVE-2022-37454 | https://keccak.team/archives.html | None, the upstream implementation is obsolete. Look for CVEs |
qtbase | Qt Core | tinycbor | Streaming CBOR object | - | https://github.com/intel/tinycbor | Thiago is its maintainer, so brings us updates when he makes them. |
qtbase | Qt Core | zlib | zlib compressed data | build fixes for Windows and Apple; exporting symbols | http://zlib.net/ | Routine pre-release check of their front page, which links the latest release. |
qtbase | Qt GUI | harfbuzz-ng | fonts | - | | |
qtbase | Qt GUI | freetype | fonts | - | https://gitlab.freedesktop.org/freetype | fetch latest tar-ball, run script. Might involve manual fixing of license and build system files, depending on what changed upstream. |
qtbase | Qt GUI | libpng | PNG images | - | http://www.libpng.org/pub/png/libpng.html | |
qtbase | Qt GUI | libjpeg | JPEG images | - | https://sourceforge.net/projects/libjpeg-turbo/ | |
qtbase | Qt GUI | md4c | markdown text | Fix compiler warnings with MSVC | | |
qtbase | Qt GUI | emoji segmenter | any visual text | | https://github.com/google/emoji-segmenter/ | Fetch latest version tag from repository and copy in the files |
qtbase | Qt Network | Public Suffix List | only indirectly | - | https://publicsuffix.org/list/ | If in dev: update the pick-to branches in util/update_public_suffix_list.sh, then run the script |
qtbase | Qt SQL | sqlite | SQL database files and queries | - | https://sqlite.org | Download the latest source code amalgamation package and unzip into relevant directory |
qtimageformats | Qt ImageFormats | libtiff | TIFF images | - | https://gitlab.com/libtiff/libtiff | |
qtimageformats | Qt ImageFormats | libwebp | webp images | - | https://developers.google.com/speed/webp | |
qtmultimedia | Qt Multimedia | FFmpeg | Decoding compressed audio & video | FFmpeg is provisioned in CI and used by the binary packages | | |
qtmultimedia | Qt Spatial Audio | Eigen | Processing of audio data coming from trusted sources | - | | |
qtmultimedia | Qt Spatial Audio | pffft | Processing of audio data coming from trusted sources | - | | |
qtmultimedia | Qt Spatial Audio | resonance audio | Processing of audio data | - | | |
qtquick3d | Qt Quick 3D | assimp | 3D assets | - | | |
qtquick3d | Qt Quick 3D | tinyexr | Loading EXR images | - | | |
qtquick3dphysics | Qt Quick 3D Physics | PhysX | Read/write meshes | Build fixes | https://github.com/NVIDIAGameWorks/PhysX | See src/3rdparty/PhysX/README.md |