Security advisory: FreeType in Qt

安全提示：Qt中的FreeType

Wednesday July 27, 2022 by Andy Shaw | Comments

​2022年7月27日星期三，Andy Shaw评论

There have been three vulnerabilities found in FreeType recently and they have been assigned the CVE ids CVE-2022-27404, CVE-2022-27405, CVE-2022-27406. This has been fixed in the latest version of FreeType – v2.12.1

​最近在FreeType中发现了三个漏洞，它们被指定为CVE ID CVE-2022-27404、CVE-2022-27405、CVE-2022-27406。这已在最新版本的FreeType–v2.12.1中修复

These effects configurations of Qt that have been built against the bundled version of FreeType. If you are using a pre-built version of Qt then this will be using the bundled version of FreeType by default, otherwise you will be using the system version by default, in which case you should check if the system needs to be updated or not. If the system needs to be updated, then updating it is enough to solve the issue. There is no need to rebuild Qt in that case.

这些影响了针对FreeType捆绑版本构建的Qt配置。如果您使用的是Qt的预构建版本，那么默认情况下将使用FreeType的捆绑版本，否则默认情况下将使用系统版本，在这种情况下，您应该检查是否需要更新系统。如果需要更新系统，那么更新它就足以解决问题。在这种情况下，没有必要重建Qt。

Solution: To work-around it, then update your system version of FreeType to at least v2.12.1 and reconfigure and build Qt to use the system version of FreeType. Or apply the following patch or update to Qt 6.3.2 when it is released.

解决方案：解决这个问题，然后将FreeType的系统版本更新到至少v2.12.1，并重新配置和构建Qt以使用FreeType的系统版本。或者在Qt 6.3.2发布时，对其应用以下补丁或更新。

Patches:

修补程序：

dev: https://codereview.qt-project.org/c/qt/qtbase/+/422316
6.4: https://codereview.qt-project.org/c/qt/qtbase/+/423390
6.3: https://codereview.qt-project.org/c/qt/qtbase/+/423391 or https://download.qt.io/official_releases/qt/6.3/CVE-2022-27404-27405-27406-qtbase-6.3.diff
6.2: https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/423393 or https://download.qt.io/official_releases/qt/6.2/CVE-2022-27404-27405-27406-qtbase-6.2.diff
5.15: https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/423394 or https://download.qt.io/official_releases/qt/5.15/CVE-2022-27404-27405-27406-qtbase-5.15.diff