Third Party Code in Qt: Difference between revisions
Manordheim (talk | contribs) m (zlib has been updated and we no longer carry extra security fixes for it) |
Manordheim (talk | contribs) m (Added note on a patch we apply for our sha-3 dependency) |
||
Line 27: | Line 27: | ||
|sha3 | |sha3 | ||
|arbitrary stream of bytes | |arbitrary stream of bytes | ||
| - | |A patch that addresses CVE-2022-37454 | ||
|https://keccak.team/archives.html | |https://keccak.team/archives.html | ||
|None, the upstream implementation is obsolete. Look for CVEs | |None, the upstream implementation is obsolete. Look for CVEs |
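Review bot: The new patches cell in the sha3 row ("A patch that addresses CVE-2022-37454") does not say where the patch is kept or which change applied it. The upgrade-process cell of the same row states that the upstream implementation is obsolete, so the fix cannot be picked up from upstream. The cell should therefore point at the patch in the Qt tree (a file path or change reference) so that anyone auditing this row can confirm it is still applied.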
Revision as of 12:13, 13 March 2023
This page provides security- and maintenance-relevant information for the 3rd party code in Qt. For a complete list of 3rd party modules, including the currently included version, see the documentation page with the list of licenses used in Qt.
repository | Qt module | 3rdparty module | processed untrusted content | patches | upstream | upgrade process |
---|---|---|---|---|---|---|
qtbase | Qt Core | pcre2 | regular expressions | - | http://www.pcre.org/ | Routine pre-release checks of their release page on GitHub. Their front-page is lagging a little behind at time of writing. |
qtbase | Qt Core | sha1 | arbitrary stream of bytes | - | https://www.dominik-reichl.de/projects/csha1/ | Replace the .cpp file with the new version from upstream |
qtbase | Qt Core | sha{224,256,384,512} | arbitrary stream of bytes | - | https://www.rfc-editor.org/rfc/rfc6234#section-8 | None, maybe look at errata or CVEs |
qtbase | Qt Core | sha3 | arbitrary stream of bytes | A patch that addresses CVE-2022-37454 | https://keccak.team/archives.html | None, the upstream implementation is obsolete. Look for CVEs |
qtbase | Qt Core | tinycbor | Streaming CBOR object | - | https://github.com/intel/tinycbor | Thiago is its maintainer, so brings us updates when he makes them. |
qtbase | Qt Core | zlib | zlib compressed data | build fixes for Windows and Apple; exporting symbols | http://zlib.net/ | Routine pre-release check of their front page, which links the latest release. |
qtbase | Qt GUI | harfbuzz-ng | fonts | - | ||
qtbase | Qt GUI | freetype | fonts | - | https://gitlab.freedesktop.org/freetype | Fetch the latest tarball and run the script. Might involve manual fixing of license and build system files, depending on what changed upstream. |
qtbase | Qt GUI | libpng | PNG images | - | http://www.libpng.org/pub/png/libpng.html | |
qtbase | Qt GUI | libjpeg | JPEG images | - | https://sourceforge.net/projects/libjpeg-turbo/ | |
qtbase | Qt GUI | md4c | markdown text | Fix compiler warnings with MSVC | ||
qtbase | Qt Network | Public Suffix List | only indirectly | - | https://publicsuffix.org/list/ | Download the recent version of the list. Then follow the instructions in src/3rdparty/libpsl/README.txt to regenerate our sources. Then bump qt_attribution.json SHA to the latest from their repo. |
qtbase | Qt SQL | sqlite | SQL database files and queries | - | https://sqlite.org | Download the latest source code amalgamation package and unzip it into the relevant directory |
qtimageformats | Qt ImageFormats | libtiff | TIFF images | - | https://gitlab.com/libtiff/libtiff | |
qtimageformats | Qt ImageFormats | libwebp | webp images | - | https://developers.google.com/speed/webp | |
qtmultimedia | Qt Multimedia | FFmpeg | Decoding compressed audio & video | FFmpeg is provisioned in CI and used by the binary packages | ||
qtmultimedia | Qt Spatial Audio | Eigen | Processing of audio data | - | ||
qtmultimedia | Qt Spatial Audio | pffft | Processing of audio data | - | ||
qtmultimedia | Qt Spatial Audio | resonance audio | Processing of audio data | - | ||
qtquick3d | Qt Quick 3D | assimp | 3D assets | - | ||
qtquick3d | Qt Quick 3D | tinyexr | Loading EXR images | - | ||
qtquick3dphysics | Qt Quick 3D Physics | PhysX | Read/write meshes | Build fixes | https://github.com/NVIDIAGameWorks/PhysX | See src/3rdparty/PhysX/README.md |