Hi Benjamin,

following up on my previous email: the issue has been fixed with https://codereview.qt-project.org/c/qt/qttools/+/622360. The change was cherry-picked to 6.9 and 6.8. It will be available in the next patch releases. Thanks again for spotting and reporting.
Brgds
Axel

________________________________
From: Axel Spoerl <axel.spo...@qt.io>
Sent: Monday, 3 February 2025 16:36
To: Qt Development ML <development@qt-project.org>
Subject: Re: [Development] Qt 6.8.2 security vulnerability when cloning Qt from github.com

Hi Benjamin,

thanks for flagging this. It's a valid issue, which we shall address swiftly. Your assessment is correct: while just annoying at this stage, there is a potential security risk. We shall track progress in https://bugreports.qt.io/browse/QTBUG-133397. Once a solution is in place, we'll revert back to you.

Brgds
Axel

________________________________
From: Development <development-boun...@qt-project.org> on behalf of Benjamin TERRIER <b.terr...@gmail.com>
Sent: Monday, 3 February 2025 09:51
To: Qt Development ML <development@qt-project.org>
Subject: [Development] Qt 6.8.2 security vulnerability when cloning Qt from github.com

Hi,

Shortly after Qt 6.8.2 was released I reported https://bugreports.qt.io/browse/QTBUG-133397

The issue is that the submodule qttools/src/assistant/qlitehtml (https://code.qt.io/cgit/qt/qttools.git/tree/.gitmodules?h=6.8.2) is using a relative path: ../../playground/qlitehtml.git

Because the qlitehtml repo is under playground/ and not under the qt/ directory, this relative path is meaningless almost everywhere except on code.qt.io. In particular on github.com, it points to https://github.com/playground/qlitehtml.git

The issue is that anyone controlling the https://github.com/playground account is able to have Qt users check out their own qlitehtml repo, with potentially malicious changes. Luckily for now the repo https://github.com/playground/qlitehtml.git does not exist and the cloning process fails (which is already bad on its own).

Right now I would advocate for moving the qlitehtml repo from playground to qt and taking proper action so that developers cloning Qt from github.com, or other online git services, do not end up cloning repos from random 3rd parties. In the long term, there should be rules and checks put in place to ensure submodules in qt repos do not use relative URLs to point to repos outside of the qt/ directory.

Regards,
Benjamin Terrier
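Added example (not part of the thread, and not Qt's own tooling) of the kind of check the last paragraph asks for: resolve each relative submodule URL against the superproject's clone URL the way git does for scheme://host/path remotes, then flag any submodule whose resolved URL lands outside host/qt/. The .gitmodules text is constructed to mirror the entry discussed above, the second submodule is hypothetical, and the github.com clone URL https://github.com/qt/qttools.git is an assumption.

```python
import re
from urllib.parse import urlsplit, urlunsplit
# Constructed .gitmodules: first entry mirrors the list discussion, second is a
# hypothetical well-behaved sibling submodule for contrast.
SAMPLE_GITMODULES = """\
[submodule "src/assistant/qlitehtml"]
\tpath = src/assistant/qlitehtml
\turl = ../../playground/qlitehtml.git
[submodule "src/hypothetical"]
\tpath = src/hypothetical
\turl = ../hypothetical.git
"""

def parse_gitmodules(text):
    """Minimal .gitmodules reader: {name: {"path": ..., "url": ...}}."""
    mods, current = {}, None
    for line in text.splitlines():
        m = re.match(r'\s*\[submodule\s+"([^"]+)"\]', line)
        if m:
            current = mods.setdefault(m.group(1), {})
            continue
        m = re.match(r'\s*(\w+)\s*=\s*(.*?)\s*$', line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return mods
def resolve_submodule_url(superproject_url, submodule_url):
    """Resolve a relative submodule URL as git does for scheme://host/path remotes
    (each leading '..' drops one segment). Assumption: no scp-like git@host:path."""
    if not submodule_url.startswith(("./", "../")):
        return submodule_url  # absolute URL is used verbatim
    parts = urlsplit(superproject_url)
    segments = [s for s in parts.path.split("/") if s]
    for seg in submodule_url.split("/"):
        if seg == ".." and segments:
            segments.pop()
        elif seg not in ("..", "", "."):
            segments.append(seg)
    return urlunsplit((parts.scheme, parts.netloc, "/" + "/".join(segments), "", ""))
def find_escaping_submodules(gitmodules_text, superproject_url, namespace):
    """Flag submodules whose resolved URL is not under host/<namespace>/."""
    host = urlsplit(superproject_url).netloc
    findings = []
    for name, cfg in parse_gitmodules(gitmodules_text).items():
        resolved = resolve_submodule_url(superproject_url, cfg.get("url", ""))
        r = urlsplit(resolved)
        if r.netloc != host or r.path.strip("/").split("/")[0] != namespace:
            findings.append((name, resolved))
    return findings
```

Running find_escaping_submodules(SAMPLE_GITMODULES, "https://github.com/qt/qttools.git", "qt") reports only the qlitehtml entry, resolved to https://github.com/playground/qlitehtml.git; the same entry resolved against the assumed code.qt.io clone URL https://code.qt.io/qt/qttools.git gives https://code.qt.io/playground/qlitehtml.git, which is why it works there and nowhere else.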
-- Development mailing list Development@qt-project.org https://lists.qt-project.org/listinfo/development