author | Kai Köhne <kai.koehne@qt.io> | 2023-03-06 12:32:24 +0100 |
---|---|---|
committer | Kai Köhne <kai.koehne@qt.io> | 2023-03-31 02:10:53 +0100 |
commit | 1ba89e35bd2f10524441c1449d476ba1952c3ace (patch) | |
tree | a02a986bb23a285b0e670cadbb2998dba6aba664 /src/3rdparty | |
parent | 7350088ab7ef55f51325fc6a48320a1cdc87bd28 (diff) |
Highlight third-party modules that are security critical
Mark any modules listed as 'processing untrusted content' in
https://wiki.qt.io/Third_Party_Code_in_Qt also in the
qt_attribution.json files.
For reasoning, see also
https://lists.qt-project.org/pipermail/development/2023-February/043667.html
Pick-to: 6.5
Change-Id: Id547d4f7e77dac8c7e8e382e65169e7bd0330fcf
Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>
Diffstat (limited to 'src/3rdparty')
-rw-r--r-- | src/3rdparty/freetype/qt_attribution.json | 2 | ||||
-rw-r--r-- | src/3rdparty/harfbuzz-ng/qt_attribution.json | 2 | ||||
-rw-r--r-- | src/3rdparty/libjpeg/qt_attribution.json | 3 | ||||
-rw-r--r-- | src/3rdparty/libpng/qt_attribution.json | 3 | ||||
-rw-r--r-- | src/3rdparty/libpsl/qt_attribution.json | 3 | ||||
-rw-r--r-- | src/3rdparty/md4c/qt_attribution.json | 1 | ||||
-rw-r--r-- | src/3rdparty/pcre2/qt_attribution.json | 1 | ||||
-rw-r--r-- | src/3rdparty/sqlite/qt_attribution.json | 1 | ||||
-rw-r--r-- | src/3rdparty/tinycbor/qt_attribution.json | 1 | ||||
-rw-r--r-- | src/3rdparty/zlib/qt_attribution.json | 2 |
10 files changed, 19 insertions, 0 deletions
diff --git a/src/3rdparty/freetype/qt_attribution.json b/src/3rdparty/freetype/qt_attribution.json
index abfc43aaf1..407cdd3bf1 100644
--- a/src/3rdparty/freetype/qt_attribution.json
+++ b/src/3rdparty/freetype/qt_attribution.json
@@ -4,10 +4,12 @@
 "Name": "Freetype 2",
 "QDocModule": "qtgui",
 "QtUsage": "Optionally used in Qt GUI and platform plugins. Configure with -no-freetype, or -system-freetype to avoid.",
+ "SecurityCritical": true,
 "Description": "FreeType is a freely available software library to render fonts.",
 "Homepage": "http://www.freetype.org",
 "Version": "2.13.0",
+ "DownloadLocation": "https://download.savannah.gnu.org/releases/freetype/freetype-2.13.0.tar.gz",
 "License": "Freetype Project License or GNU General Public License v2.0 only",
 "LicenseId": "FTL OR GPL-2.0",
diff --git a/src/3rdparty/harfbuzz-ng/qt_attribution.json b/src/3rdparty/harfbuzz-ng/qt_attribution.json
index 1779409e3b..f7aa46c34f 100644
--- a/src/3rdparty/harfbuzz-ng/qt_attribution.json
+++ b/src/3rdparty/harfbuzz-ng/qt_attribution.json
@@ -3,10 +3,12 @@
 "Name": "HarfBuzz-NG",
 "QDocModule": "qtgui",
 "QtUsage": "Optionally used in Qt GUI. Configure with -system-harfbuzz to force the use of the system library, or -qt-harfbuzz to link statically to the library that is bundled with your Qt version.",
+ "SecurityCritical": true,
 "Description": "HarfBuzz is an OpenType text shaping engine.",
 "Homepage": "http://harfbuzz.org",
 "Version": "7.0.1",
+ "DownloadLocation": "https://github.com/harfbuzz/harfbuzz/releases/tag/7.1.0",
 "License": "MIT License",
 "LicenseId": "MIT",
diff --git a/src/3rdparty/libjpeg/qt_attribution.json b/src/3rdparty/libjpeg/qt_attribution.json
index c22c16ea9a..dc9ebdbdc1 100644
--- a/src/3rdparty/libjpeg/qt_attribution.json
+++ b/src/3rdparty/libjpeg/qt_attribution.json
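Review bot: In the harfbuzz-ng hunk the new `"DownloadLocation"` points at the `releases/tag/7.1.0` page while the `"Version"` line two lines above still reads `"7.0.1"`, so the attribution now names two different upstream releases for one bundled copy. For a module this commit marks `"SecurityCritical": true`, the download location is what anyone auditing or rebuilding the third-party tree will fetch to compare against `src/3rdparty/harfbuzz-ng`, so the two fields must agree; either the URL should reference the 7.0.1 release or `"Version"` should be bumped, whichever matches the sources actually vendored. The other `DownloadLocation` values added in this commit (freetype, libjpeg, libpng, zlib) name a versioned archive rather than a release-tag page, and doing the same here would also make the entry self-consistent with them. The freetype hunk on this line raises nothing.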
@@ -3,10 +3,13 @@
 "Name": "LibJPEG-turbo",
 "QDocModule": "qtgui",
 "QtUsage": "Used in the qjpeg image plugin. Configure with -system-libjpeg or -no-libjpeg to avoid.",
+ "SecurityCritical": true,
 "Description": "The Independent JPEG Group's JPEG software",
 "Homepage": "http://libjpeg-turbo.virtualgl.org/",
 "Version": "2.1.5",
+ "DownloadLocation": "https://sourceforge.net/projects/libjpeg-turbo/files/2.1.5/libjpeg-turbo-2.1.5.tar.gz",
+ "License": "Independent JPEG Group License and BSD 3-Clause \"New\" or \"Revised\" License and zlib License",
 "LicenseId": "IJG AND BSD-3-Clause AND Zlib",
 "LicenseFiles": [ "LICENSE", "ijg-license.txt", "zlib-license.txt"],
diff --git a/src/3rdparty/libpng/qt_attribution.json b/src/3rdparty/libpng/qt_attribution.json
index 2c51a05685..8e81298ebd 100644
--- a/src/3rdparty/libpng/qt_attribution.json
+++ b/src/3rdparty/libpng/qt_attribution.json
@@ -3,10 +3,13 @@
 "Name": "LibPNG",
 "QDocModule": "qtgui",
 "QtUsage": "Used in the qpng image plugin. Configure with -system-libpng or -no-libpng to avoid.",
+ "SecurityCritical": true,
 "Description": "libpng is the official PNG reference library.",
 "Homepage": "http://www.libpng.org/pub/png/libpng.html",
 "Version": "1.6.39",
+ "DownloadLocation": "https://download.sourceforge.net/libpng/libpng-1.6.39.tar.xz",
+ "License": "libpng License and PNG Reference Library version 2",
 "LicenseId": "Libpng AND libpng-2.0",
 "LicenseFile": "LICENSE",
diff --git a/src/3rdparty/libpsl/qt_attribution.json b/src/3rdparty/libpsl/qt_attribution.json
index ebaa4cab04..8561112882 100644
--- a/src/3rdparty/libpsl/qt_attribution.json
+++ b/src/3rdparty/libpsl/qt_attribution.json
@@ -13,6 +13,7 @@ It allows browsers to, for example:
 - Highlight the most important part of a domain name in the user interface
 - Accurately sort history entries by site",
+ "SecurityCritical": true,
 "Files": "psl_data.cpp",
 "QtUsage": "Used in Qt Network to avoid setting \"supercookies\" in the cookie jar
@@ -21,6 +22,8 @@ supported by Qt (by the QNetworkCookieJar class).",
 "Homepage": "Consult https://github.com/publicsuffix/list for the sha1 but download from ...",
 "Homepage": "http://publicsuffix.org/",
 "Version": "f15705582ed13f390c59541300dea7288acf4137, fetched on 2023-02-02",
+ "DownloadLocation": "https://publicsuffix.org/list/public_suffix_list.dat",
+ "License": "Mozilla Public License 2.0",
 "LicenseFile": "PSL-LICENSE.txt",
 "LicenseId": "MPL-2.0",
diff --git a/src/3rdparty/md4c/qt_attribution.json b/src/3rdparty/md4c/qt_attribution.json
index 29c0666f2d..7781971b74 100644
--- a/src/3rdparty/md4c/qt_attribution.json
+++ b/src/3rdparty/md4c/qt_attribution.json
@@ -3,6 +3,7 @@
 "Name": "MD4C",
 "QDocModule": "qtgui",
 "QtUsage": "Optionally used in QTextDocument if configured with textmarkdownreader.",
+ "SecurityCritical": true,
 "Description": "A CommonMark-compliant Markdown parser.",
 "Homepage": "https://github.com/mity/md4c",
diff --git a/src/3rdparty/pcre2/qt_attribution.json b/src/3rdparty/pcre2/qt_attribution.json
index fce44138cb..5599dd389e 100644
--- a/src/3rdparty/pcre2/qt_attribution.json
+++ b/src/3rdparty/pcre2/qt_attribution.json
@@ -4,6 +4,7 @@
 "Name": "PCRE2",
 "QDocModule": "qtcore",
 "QtUsage": "Optionally used in Qt Core (QRegularExpression). Configure with -system-pcre or -no-pcre to avoid.",
+ "SecurityCritical": true,
 "Description": "The PCRE library is a set of functions that implement regular expression pattern matching using the same syntax and semantics as Perl 5.",
 "Homepage": "http://www.pcre.org/",
diff --git a/src/3rdparty/sqlite/qt_attribution.json b/src/3rdparty/sqlite/qt_attribution.json
index 7d6c542eed..5731eaf7e7 100644
--- a/src/3rdparty/sqlite/qt_attribution.json
+++ b/src/3rdparty/sqlite/qt_attribution.json
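Review bot: The `"DownloadLocation"` and `"License"` lines added in the second libpsl hunk land in an object that carries the `"Homepage"` name twice, and the first value (`"Consult https://github.com/publicsuffix/list for the sha1 but download from ..."`) reads as a maintainer note rather than a URL. RFC 8259 only says names SHOULD be unique and parsers differ on which duplicate wins, so depending on the consumer either the note or the real homepage is dropped silently, which is the kind of ambiguity this commit's `"SecurityCritical": true` marker is meant to reduce. Now that the fetch source is recorded explicitly by the new `"DownloadLocation": "https://publicsuffix.org/list/public_suffix_list.dat",`, the first `"Homepage"` entry appears redundant and could be removed, leaving `"Homepage": "http://publicsuffix.org/",` as the single value; if the "consult the git sha1" hint is still wanted, it seems better kept next to the `"Version"` string that already records that sha1 than under a second copy of an existing key. This object starts before the hunk, so I cannot see whether any further keys are duplicated.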
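Review bot: The md4c hunk on this line marks the module `"SecurityCritical": true` but, unlike the freetype, harfbuzz-ng, libjpeg, libpng, libpsl and zlib entries in the same commit, gains no `"DownloadLocation"`; the pcre2 hunk here and the sqlite and tinycbor hunks on the next line have the same gap. For a parser now flagged as processing untrusted content, an auditor comparing the bundled copy against upstream needs the exact artifact it was taken from, so a versioned `"DownloadLocation"` entry per file seems worth adding here as well, or a word in the commit message if those four are intentionally left for a follow-up. I cannot tell from the hunks whether their `"Version"` lines, which sit outside the shown context, already pin a release.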
@@ -3,6 +3,7 @@
 "Name": "SQLite",
 "QDocModule": "qtsql",
 "QtUsage": "Used in Qt SQL Lite plugin. Configure Qt with -system-sqlite or -no-sqlite to avoid.",
+ "SecurityCritical": true,
 "Description": "SQLite is a small C library that implements a self-contained, embeddable, zero-configuration SQL database engine.",
 "Homepage": "https://www.sqlite.org/",
diff --git a/src/3rdparty/tinycbor/qt_attribution.json b/src/3rdparty/tinycbor/qt_attribution.json
index 5fcc82809a..b19c57904b 100644
--- a/src/3rdparty/tinycbor/qt_attribution.json
+++ b/src/3rdparty/tinycbor/qt_attribution.json
@@ -3,6 +3,7 @@
 "Name": "TinyCBOR",
 "QDocModule": "qtcore",
 "QtUsage": "Used for QCborStreamReader and QCborStreamWriter.",
+ "SecurityCritical": true,
 "Description": "Concise Binary Object Representation (CBOR) Library",
 "Homepage": "https://github.com/intel/tinycbor",
diff --git a/src/3rdparty/zlib/qt_attribution.json b/src/3rdparty/zlib/qt_attribution.json
index db176cbe6a..ba1db3249a 100644
--- a/src/3rdparty/zlib/qt_attribution.json
+++ b/src/3rdparty/zlib/qt_attribution.json
@@ -3,10 +3,12 @@
 "Name": "Data Compression Library (zlib)",
 "QDocModule": "qtcore",
 "QtUsage": "Optionally used in Qt Core and development tools. Configure with -system-zlib to avoid.",
+ "SecurityCritical": true,
 "Description": "zlib is a general purpose data compression library.",
 "Homepage": "https://zlib.net/",
 "Version": "1.2.13",
+ "DownloadLocation": "https://zlib.net/zlib-1.2.13.tar.gz",
 "License": "zlib License",
 "LicenseId": "Zlib", |