Security advisory: FreeType in Qt

Security tip: FreeType in Qt

Wednesday July 27, 2022 by Andy Shaw | Comments

​Wednesday, July 27, 2022, commented by Andy Shaw

There have been three vulnerabilities found in FreeType recently and they have been assigned the CVE ids CVE-2022-27404, CVE-2022-27405, CVE-2022-27406. This has been fixed in the latest version of FreeType – v2.12.1

​Three vulnerabilities were recently discovered in FreeType, and they were assigned CVE IDs CVE-2022-27404, CVE-2022-27405, CVE-2022-27406.This has been fixed in the latest version of FreeType – v2.12.1

These effects configurations of Qt that have been built against the bundled version of FreeType. If you are using a pre-built version of Qt then this will be using the bundled version of FreeType by default, otherwise you will be using the systemversion by default, in which case you should check if the system needs to be updated or not. If the system needs to be updated, then updating it is enough to solve the issue. There is no need to rebuild Qt in that case.

These affect the Qt configuration built against the FreeType bundled version.If you are using a pre-built version of Qt then by default the bundled version of FreeType will be used, otherwise the system version will be used by default, in which case you should check if you need to update your system.If the system needs to be updated, then updating it is enough to fix the problem.In this case there is no need to rebuild Qt.

Solution: To work-around it, then update your system version of FreeType to at least v2.12.1 and reconfigure and build Qt to use the system version of FreeType. Or apply the following patch or update to Qt 6.3.2 whenit is released.

Solution: Fix this, then update the system version of FreeType to at least v2.12.1, and reconfigure and build Qt to use the system version of FreeType.Or apply the following patches or updates to Qt 6.3.2 when it is released.

Patches:

Patch:

dev: https://codereview.qt-project.org/c/qt/qtbase/+/422316
6.4: https://codereview.qt-project.org/c/qt/qtbase/+/423390
6.3: https://codereview.qt-project.org/c/qt/qtbase/+/423391 orhttps://download.qt.io/official_releases/qt/6.3/CVE-2022-27404-27405-27406-qtbase-6.3.diff
6.2: https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/423393 or https://download.qt.io/official_releases/qt/6.2/CVE-2022-27404-27405-27406-qtbase-6.2.diff
5.15: https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/423394 or https://download.qt.io/official_releases/qt/5.15/CVE-2022-27404-27405-27406-qtbase-5.15.diff