authorKai Köhne <kai.koehne@qt.io>2023-03-06 12:32:24 +0100
committerKai Köhne <kai.koehne@qt.io>2023-03-31 02:10:53 +0100
commit1ba89e35bd2f10524441c1449d476ba1952c3ace (patch)
treea02a986bb23a285b0e670cadbb2998dba6aba664 /src/3rdparty
parent7350088ab7ef55f51325fc6a48320a1cdc87bd28 (diff)
Highlight third-party modules that are security critical
Mark any modules listed as 'processing untrusted content' in https://wiki.qt.io/Third_Party_Code_in_Qt also in the qt_attribution.json files. For reasoning, see also https://lists.qt-project.org/pipermail/development/2023-February/043667.html Pick-to: 6.5 Change-Id: Id547d4f7e77dac8c7e8e382e65169e7bd0330fcf Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>
Diffstat (limited to 'src/3rdparty')
-rw-r--r--src/3rdparty/freetype/qt_attribution.json2
-rw-r--r--src/3rdparty/harfbuzz-ng/qt_attribution.json2
-rw-r--r--src/3rdparty/libjpeg/qt_attribution.json3
-rw-r--r--src/3rdparty/libpng/qt_attribution.json3
-rw-r--r--src/3rdparty/libpsl/qt_attribution.json3
-rw-r--r--src/3rdparty/md4c/qt_attribution.json1
-rw-r--r--src/3rdparty/pcre2/qt_attribution.json1
-rw-r--r--src/3rdparty/sqlite/qt_attribution.json1
-rw-r--r--src/3rdparty/tinycbor/qt_attribution.json1
-rw-r--r--src/3rdparty/zlib/qt_attribution.json2
10 files changed, 19 insertions, 0 deletions
diff --git a/src/3rdparty/freetype/qt_attribution.json b/src/3rdparty/freetype/qt_attribution.json
index abfc43aaf1..407cdd3bf1 100644
--- a/src/3rdparty/freetype/qt_attribution.json
+++ b/src/3rdparty/freetype/qt_attribution.json
@@ -4,10 +4,12 @@
"Name": "Freetype 2",
"QDocModule": "qtgui",
"QtUsage": "Optionally used in Qt GUI and platform plugins. Configure with -no-freetype, or -system-freetype to avoid.",
+ "SecurityCritical": true,
"Description": "FreeType is a freely available software library to render fonts.",
"Homepage": "http://www.freetype.org",
"Version": "2.13.0",
+ "DownloadLocation": "https://download.savannah.gnu.org/releases/freetype/freetype-2.13.0.tar.gz",
"License": "Freetype Project License or GNU General Public License v2.0 only",
"LicenseId": "FTL OR GPL-2.0",
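Review bot: The new `DownloadLocation` key on the line above, and the same addition in the harfbuzz-ng, libjpeg, libpng, libpsl and zlib entries, is not mentioned in the commit message, and the other four touched files (md4c, pcre2, sqlite, tinycbor) receive `SecurityCritical` without one, so the fields recorded for the modules this change marks as security critical are now uneven. Either split the download locations into their own change or add a sentence to the message such as `Also record DownloadLocation where it was missing, so the bundled copies can be checked against upstream releases.` If qtattributionsscanner validates key names, `SecurityCritical` presumably has to be registered there as well; the diffstat is limited to src/3rdparty, so that cannot be seen here.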
diff --git a/src/3rdparty/harfbuzz-ng/qt_attribution.json b/src/3rdparty/harfbuzz-ng/qt_attribution.json
index 1779409e3b..f7aa46c34f 100644
--- a/src/3rdparty/harfbuzz-ng/qt_attribution.json
+++ b/src/3rdparty/harfbuzz-ng/qt_attribution.json
@@ -3,10 +3,12 @@
"Name": "HarfBuzz-NG",
"QDocModule": "qtgui",
"QtUsage": "Optionally used in Qt GUI. Configure with -system-harfbuzz to force the use of the system library, or -qt-harfbuzz to link statically to the library that is bundled with your Qt version.",
+ "SecurityCritical": true,
"Description": "HarfBuzz is an OpenType text shaping engine.",
"Homepage": "http://harfbuzz.org",
"Version": "7.0.1",
+ "DownloadLocation": "https://github.com/harfbuzz/harfbuzz/releases/tag/7.1.0",
"License": "MIT License",
"LicenseId": "MIT",
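Review bot: `Version` two lines up still says 7.0.1 while the added `DownloadLocation` points at the 7.1.0 release tag, so one of the two is wrong and anyone verifying the bundled copy against upstream would fetch a different release. If the bundled sources are 7.0.1, the URL should name the matching tag, `"DownloadLocation": "https://github.com/harfbuzz/harfbuzz/releases/tag/7.0.1",` (the page's own URL pattern with the version substituted); if the sources were actually updated to 7.1.0, the version line needs bumping instead. This is also the only new entry that points at a release page rather than a source archive, whereas the freetype, libjpeg, libpng and zlib entries name the exact tarball, which is what a verifier needs.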
diff --git a/src/3rdparty/libjpeg/qt_attribution.json b/src/3rdparty/libjpeg/qt_attribution.json
index c22c16ea9a..dc9ebdbdc1 100644
--- a/src/3rdparty/libjpeg/qt_attribution.json
+++ b/src/3rdparty/libjpeg/qt_attribution.json
@@ -3,10 +3,13 @@
"Name": "LibJPEG-turbo",
"QDocModule": "qtgui",
"QtUsage": "Used in the qjpeg image plugin. Configure with -system-libjpeg or -no-libjpeg to avoid.",
+ "SecurityCritical": true,
"Description": "The Independent JPEG Group's JPEG software",
"Homepage": "http://libjpeg-turbo.virtualgl.org/",
"Version": "2.1.5",
+ "DownloadLocation": "https://sourceforge.net/projects/libjpeg-turbo/files/2.1.5/libjpeg-turbo-2.1.5.tar.gz",
+
"License": "Independent JPEG Group License and BSD 3-Clause \"New\" or \"Revised\" License and zlib License",
"LicenseId": "IJG AND BSD-3-Clause AND Zlib",
"LicenseFiles": [ "LICENSE", "ijg-license.txt", "zlib-license.txt"],
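Review bot: The empty line added after `DownloadLocation` here, and likewise in the libpng and libpsl entries, has no counterpart in the freetype and zlib entries and leaves a stray blank line in the middle of the JSON object. Dropping it keeps the key list contiguous and the formatting consistent across the ten files this change touches.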
diff --git a/src/3rdparty/libpng/qt_attribution.json b/src/3rdparty/libpng/qt_attribution.json
index 2c51a05685..8e81298ebd 100644
--- a/src/3rdparty/libpng/qt_attribution.json
+++ b/src/3rdparty/libpng/qt_attribution.json
@@ -3,10 +3,13 @@
"Name": "LibPNG",
"QDocModule": "qtgui",
"QtUsage": "Used in the qpng image plugin. Configure with -system-libpng or -no-libpng to avoid.",
+ "SecurityCritical": true,
"Description": "libpng is the official PNG reference library.",
"Homepage": "http://www.libpng.org/pub/png/libpng.html",
"Version": "1.6.39",
+ "DownloadLocation": "https://download.sourceforge.net/libpng/libpng-1.6.39.tar.xz",
+
"License": "libpng License and PNG Reference Library version 2",
"LicenseId": "Libpng AND libpng-2.0",
"LicenseFile": "LICENSE",
diff --git a/src/3rdparty/libpsl/qt_attribution.json b/src/3rdparty/libpsl/qt_attribution.json
index ebaa4cab04..8561112882 100644
--- a/src/3rdparty/libpsl/qt_attribution.json
+++ b/src/3rdparty/libpsl/qt_attribution.json
@@ -13,6 +13,7 @@ It allows browsers to, for example:
- Highlight the most important part of a domain name in the user interface
- Accurately sort history entries by site",
+ "SecurityCritical": true,
"Files": "psl_data.cpp",
"QtUsage": "Used in Qt Network to avoid setting \"supercookies\" in the cookie jar
@@ -21,6 +22,8 @@ supported by Qt (by the QNetworkCookieJar class).",
"Homepage": "Consult https://github.com/publicsuffix/list for the sha1 but download from ...",
"Homepage": "http://publicsuffix.org/",
"Version": "f15705582ed13f390c59541300dea7288acf4137, fetched on 2023-02-02",
+ "DownloadLocation": "https://publicsuffix.org/list/public_suffix_list.dat",
+
"License": "Mozilla Public License 2.0",
"LicenseFile": "PSL-LICENSE.txt",
"LicenseId": "MPL-2.0",
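Review bot: The object now carries two `Homepage` keys, the `"Consult https://github.com/publicsuffix/list for the sha1 but download from ..."` line and `"http://publicsuffix.org/"`; duplicate names are discouraged by RFC 8259 and forbidden by I-JSON, most parsers keep only the last one, and the new `DownloadLocation` makes the first one redundant anyway, so this change is the natural place to remove the first `Homepage` line. Separately, `Version` records a specific list commit (f15705582ed13f390c59541300dea7288acf4137, fetched on 2023-02-02) but the download URL is the rolling `public_suffix_list.dat`, so unlike the versioned tarball URLs in the other entries it cannot be used to reproduce or verify the bundled copy. For an entry marked `SecurityCritical`, a download location pinned to that commit would make the recorded provenance checkable.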
diff --git a/src/3rdparty/md4c/qt_attribution.json b/src/3rdparty/md4c/qt_attribution.json
index 29c0666f2d..7781971b74 100644
--- a/src/3rdparty/md4c/qt_attribution.json
+++ b/src/3rdparty/md4c/qt_attribution.json
@@ -3,6 +3,7 @@
"Name": "MD4C",
"QDocModule": "qtgui",
"QtUsage": "Optionally used in QTextDocument if configured with textmarkdownreader.",
+ "SecurityCritical": true,
"Description": "A CommonMark-compliant Markdown parser.",
"Homepage": "https://github.com/mity/md4c",
diff --git a/src/3rdparty/pcre2/qt_attribution.json b/src/3rdparty/pcre2/qt_attribution.json
index fce44138cb..5599dd389e 100644
--- a/src/3rdparty/pcre2/qt_attribution.json
+++ b/src/3rdparty/pcre2/qt_attribution.json
@@ -4,6 +4,7 @@
"Name": "PCRE2",
"QDocModule": "qtcore",
"QtUsage": "Optionally used in Qt Core (QRegularExpression). Configure with -system-pcre or -no-pcre to avoid.",
+ "SecurityCritical": true,
"Description": "The PCRE library is a set of functions that implement regular expression pattern matching using the same syntax and semantics as Perl 5.",
"Homepage": "http://www.pcre.org/",
diff --git a/src/3rdparty/sqlite/qt_attribution.json b/src/3rdparty/sqlite/qt_attribution.json
index 7d6c542eed..5731eaf7e7 100644
--- a/src/3rdparty/sqlite/qt_attribution.json
+++ b/src/3rdparty/sqlite/qt_attribution.json
@@ -3,6 +3,7 @@
"Name": "SQLite",
"QDocModule": "qtsql",
"QtUsage": "Used in Qt SQL Lite plugin. Configure Qt with -system-sqlite or -no-sqlite to avoid.",
+ "SecurityCritical": true,
"Description": "SQLite is a small C library that implements a self-contained, embeddable, zero-configuration SQL database engine.",
"Homepage": "https://www.sqlite.org/",
diff --git a/src/3rdparty/tinycbor/qt_attribution.json b/src/3rdparty/tinycbor/qt_attribution.json
index 5fcc82809a..b19c57904b 100644
--- a/src/3rdparty/tinycbor/qt_attribution.json
+++ b/src/3rdparty/tinycbor/qt_attribution.json
@@ -3,6 +3,7 @@
"Name": "TinyCBOR",
"QDocModule": "qtcore",
"QtUsage": "Used for QCborStreamReader and QCborStreamWriter.",
+ "SecurityCritical": true,
"Description": "Concise Binary Object Representation (CBOR) Library",
"Homepage": "https://github.com/intel/tinycbor",
diff --git a/src/3rdparty/zlib/qt_attribution.json b/src/3rdparty/zlib/qt_attribution.json
index db176cbe6a..ba1db3249a 100644
--- a/src/3rdparty/zlib/qt_attribution.json
+++ b/src/3rdparty/zlib/qt_attribution.json
@@ -3,10 +3,12 @@
"Name": "Data Compression Library (zlib)",
"QDocModule": "qtcore",
"QtUsage": "Optionally used in Qt Core and development tools. Configure with -system-zlib to avoid.",
+ "SecurityCritical": true,
"Description": "zlib is a general purpose data compression library.",
"Homepage": "https://zlib.net/",
"Version": "1.2.13",
+ "DownloadLocation": "https://zlib.net/zlib-1.2.13.tar.gz",
"License": "zlib License",
"LicenseId": "Zlib",