Third Party Code in Qt: Difference between revisions

From Qt Wiki
Jump to navigation Jump to search
(currently no patches to libpng (v1.6.38))
mNo edit summary
 
(11 intermediate revisions by 5 users not shown)
Line 5: Line 5:
!repository!!Qt module!!3rdparty module!!processed untrusted content!!patches!!upstream!!upgrade process
!repository!!Qt module!!3rdparty module!!processed untrusted content!!patches!!upstream!!upgrade process
|-
|-
|qtbase||Qt Core||pcre2||regular expressions||-||http://www.pcre.org/<nowiki/>||Routine pre-release checks of their release page.
|qtbase||Qt Core||pcre2||regular expressions||-||http://www.pcre.org/<nowiki/>||Routine pre-release checks of their release [https://github.com/PCRE2Project/pcre2/releases page] on GitHub. Their front-page is lagging a little behind at time of writing.
|-
|qtbase
|Qt Core
|sha1
|arbitrary stream of bytes
| -
|https://www.dominik-reichl.de/projects/csha1/
|Replace the .cpp file with the new version from upstream
|-
|qtbase
|Qt Core
|sha{224,256,384,512}
|arbitrary stream of bytes
| -
|https://www.rfc-editor.org/rfc/rfc6234#section-8
|None, maybe look at errata or CVEs
|-
|qtbase
|Qt Core
|sha3
|arbitrary stream of bytes
|A patch that addresses CVE-2022-37454
|https://keccak.team/archives.html
|None, the upstream implementation is obsolete. Look for CVEs
|-
|-
|qtbase||Qt Core||tinycbor||Streaming CBOR object||-||https://github.com/intel/tinycbor<nowiki/>||Thiago is its maintainer, so brings us updates when he makes them.
|qtbase||Qt Core||tinycbor||Streaming CBOR object||-||https://github.com/intel/tinycbor<nowiki/>||Thiago is its maintainer, so brings us updates when he makes them.
|-
|-
|qtbase||Qt Core||zlib||zlib compressed data||build fixes for Windows and Apple; exporting symbols; security fixes not yet released by upstream||http://zlib.net/<nowiki/>||Routine pre-release check of their front page, which links the latest release.
|qtbase||Qt Core||zlib||zlib compressed data||build fixes for Windows and Apple; exporting symbols||http://zlib.net/<nowiki/>||Routine pre-release check of their front page, which links the latest release.
|-
|-
|qtbase||Qt GUI||harfbuzz-ng||fonts||-||
|qtbase||Qt GUI||harfbuzz-ng||fonts||-||
Line 15: Line 39:
|qtbase||Qt GUI||freetype||fonts||-||https://gitlab.freedesktop.org/freetype<nowiki/>||fetch latest tar-ball, run [https://code.qt.io/cgit/qt/qtbase.git/tree/src/3rdparty/freetype/import_from_tarball.sh script]. Might involve manual fixing of license and build system files, depending on what changed upstream.
|qtbase||Qt GUI||freetype||fonts||-||https://gitlab.freedesktop.org/freetype<nowiki/>||fetch latest tar-ball, run [https://code.qt.io/cgit/qt/qtbase.git/tree/src/3rdparty/freetype/import_from_tarball.sh script]. Might involve manual fixing of license and build system files, depending on what changed upstream.
|-
|-
|qtbase||Qt GUI||libpng||PNG images||-||
|qtbase||Qt GUI||libpng||PNG images||-||http://www.libpng.org/pub/png/libpng.html
|
|-
|-
|qtbase||Qt GUI||libjpeg||JPEG images||-||
|qtbase||Qt GUI||libjpeg||JPEG images||-||https://sourceforge.net/projects/libjpeg-turbo/
|
|-
|-
|qtbase||Qt GUI||md4c||markdown text||Fix compiler warnings with MSVC||
|qtbase||Qt GUI||md4c||markdown text||Fix compiler warnings with MSVC|| ||
|-
|-
|qtbase||Qt Network||Public Suffix List||only indirectly||-||
|qtbase||Qt Network||Public Suffix List||only indirectly||-||https://publicsuffix.org/list/
 
https://github.com/publicsuffix/list
|Download the recent version of the list (https://publicsuffix.org/list/public_suffix_list.dat)
Then, for >=6.5
 
- follow the instructions in src/3rdparty/libpsl/README.txt
 
For 6.2 (while it's supported) (easiest on Linux/Unix):
 
- Build the tool in ./util/publicSuffix
 
- Run once to see instructions
 
- Follow the instructions
 
- You have to manually replace the appropriate section of qurltlds_p.h
 
For 5.15 (while it's supported) (easiest on Linux/Unix)
 
- Same as for 6.2, except the tool is located in util/corelib/qurl-generateTLDs, and the qurltlds file is in another location
 
- note: the instructions in 5.15 require stripping comments from the .dat file, which is different to the 6.2 branch
 
 
Finally, for all versions:
 
Bump qt_attribution.json SHA to the SHA the .dat file was generated from in their repo.
 
Basically just go through commits from the top until you see the changes from that commit in the .dat file.
|-
|-
|qtbase||Qt SQL||sqlite||SQL database files and queries||-||
|qtbase||Qt SQL||sqlite||SQL database files and queries||-||https://sqlite.org
|Download the latest source code amalgation package and unzip into relevant directory
|-
|-
|qtimageformats||Qt ImageFormats||libtiff||Loading TIFF images||-||
|qtimageformats||Qt ImageFormats||libtiff||TIFF images||-||https://gitlab.com/libtiff/libtiff<nowiki/>||
|-
|-
|qtimageformats||Qt ImageFormats||libwebp||Loading webp images||-||
|qtimageformats||Qt ImageFormats||libwebp||webp images||-||https://developers.google.com/speed/webp
|
|-
|-
|qtmultimedia
|qtmultimedia||Qt Multimedia||FFmpeg||Decoding compressed audio & video||FFmpeg is provisioned in CI and used by the binary packages|| ||
|Qt Multimedia
|FFmpeg
|Decoding compressed audio & video
|FFmpeg is provisioned in CI and used by the binary packages
|
|-
|-
|qtmultimedia
|qtmultimedia||Qt Spatial Audio||Eigen||Processing of audio data||-|| ||
|Qt Spatial Audio
|Eigen
|Processing of audio data
|
|
|-
|-
|qtmultimedia
|qtmultimedia||Qt Spatial Audio||pffft||Processing of audio data||-|| ||
|Qt Spatial Audio
|pffft
|Processing of audio data
|
|
|-
|-
|qtmultimedia
|qtmultimedia||Qt Spatial Audio||resonance audio||Processing of audio data||-|| ||
|Qt Spatial Audio
|resonance audio
|Processing of audio data
|
|
|-
|-
|qtquick3d||Qt Quick 3D||assimp||3D assets||-||
|qtquick3d||Qt Quick 3D||assimp||3D assets||-|| ||
|-
|-
|qtquick3d||Qt Quick 3D||tinyexr||Loading EXR images||-||
|qtquick3d||Qt Quick 3D||tinyexr||Loading EXR images||-|| ||
|-
|-
|qtquick3dphysics||Qt Quick 3D Physics||PhysX||Read/write meshes||Build fixes||
|qtquick3dphysics||Qt Quick 3D Physics||PhysX||Read/write meshes||Build fixes||https://github.com/NVIDIAGameWorks/PhysX<nowiki/>||See src/3rdparty/PhysX/README.md
|}
|}

Latest revision as of 08:39, 27 September 2023

This page provides security- and maintenance-relevant information for the 3rd party code in Qt. For a complete list of 3rd party modules, including the currently included version, see the documentation page with the list of licenses used in Qt.

repository Qt module 3rdparty module processed untrusted content patches upstream upgrade process
qtbase Qt Core pcre2 regular expressions - http://www.pcre.org/ Routine pre-release checks of their release page on GitHub. Their front-page is lagging a little behind at time of writing.
qtbase Qt Core sha1 arbitrary stream of bytes - https://www.dominik-reichl.de/projects/csha1/ Replace the .cpp file with the new version from upstream
qtbase Qt Core sha{224,256,384,512} arbitrary stream of bytes - https://www.rfc-editor.org/rfc/rfc6234#section-8 None, maybe look at errata or CVEs
qtbase Qt Core sha3 arbitrary stream of bytes A patch that addresses CVE-2022-37454 https://keccak.team/archives.html None, the upstream implementation is obsolete. Look for CVEs
qtbase Qt Core tinycbor Streaming CBOR object - https://github.com/intel/tinycbor Thiago is its maintainer, so brings us updates when he makes them.
qtbase Qt Core zlib zlib compressed data build fixes for Windows and Apple; exporting symbols http://zlib.net/ Routine pre-release check of their front page, which links the latest release.
qtbase Qt GUI harfbuzz-ng fonts -
qtbase Qt GUI freetype fonts - https://gitlab.freedesktop.org/freetype fetch latest tar-ball, run script. Might involve manual fixing of license and build system files, depending on what changed upstream.
qtbase Qt GUI libpng PNG images - http://www.libpng.org/pub/png/libpng.html
qtbase Qt GUI libjpeg JPEG images - https://sourceforge.net/projects/libjpeg-turbo/
qtbase Qt GUI md4c markdown text Fix compiler warnings with MSVC
qtbase Qt Network Public Suffix List only indirectly - https://publicsuffix.org/list/

https://github.com/publicsuffix/list

Download the recent version of the list (https://publicsuffix.org/list/public_suffix_list.dat)

Then, for >=6.5

- follow the instructions in src/3rdparty/libpsl/README.txt

For 6.2 (while it's supported) (easiest on Linux/Unix):

- Build the tool in ./util/publicSuffix

- Run once to see instructions

- Follow the instructions

- You have to manually replace the appropriate section of qurltlds_p.h

For 5.15 (while it's supported) (easiest on Linux/Unix)

- Same as for 6.2, except the tool is located in util/corelib/qurl-generateTLDs, and the qurltlds file is in another location

- note: the instructions in 5.15 require stripping comments from the .dat file, which is different to the 6.2 branch


Finally, for all versions:

Bump qt_attribution.json SHA to the SHA the .dat file was generated from in their repo.

Basically just go through commits from the top until you see the changes from that commit in the .dat file.

qtbase Qt SQL sqlite SQL database files and queries - https://sqlite.org Download the latest source code amalgation package and unzip into relevant directory
qtimageformats Qt ImageFormats libtiff TIFF images - https://gitlab.com/libtiff/libtiff
qtimageformats Qt ImageFormats libwebp webp images - https://developers.google.com/speed/webp
qtmultimedia Qt Multimedia FFmpeg Decoding compressed audio & video FFmpeg is provisioned in CI and used by the binary packages
qtmultimedia Qt Spatial Audio Eigen Processing of audio data -
qtmultimedia Qt Spatial Audio pffft Processing of audio data -
qtmultimedia Qt Spatial Audio resonance audio Processing of audio data -
qtquick3d Qt Quick 3D assimp 3D assets -
qtquick3d Qt Quick 3D tinyexr Loading EXR images -
qtquick3dphysics Qt Quick 3D Physics PhysX Read/write meshes Build fixes https://github.com/NVIDIAGameWorks/PhysX See src/3rdparty/PhysX/README.md
Retrieved from "https://wiki.qt.io/index.php?title=Third_Party_Code_in_Qt&oldid=40731"