depends: Qt 5.15.18

[kwvg]

Motivation

Bitcoin switched to Qt 6.x in bitcoin#30997, upgrading from Qt 5.15.16 to Qt 6.7.3. This transition was enabled by, alongside a series of changes to GUI code, migrating the build system to CMake (see bitcoin#30454). While efforts have been undertaken to bridge the gap between the pre-transition Autotools infrastructure and our infrastructure, migration is complicated by two factors:

• The need for significant OOO backports to bridge the gap
• Our divergence from upstream's GUI implementation that will require manual assessment to follow best Qt 6 practices

This means that the timeline to migration is medium-term at best but in the meanwhile, the latest OSS version of Qt is 5.15.18 (source) and between 5.15.16 and 5.15.19 (the as-of-this-writing, still proprietary release of Qt, source), mitigations for vulnerabilities have been included (source).

While Qt 5.15.19 OSS is not available, critical patches shipped with them are. This pull request updates our Qt depends to the latest available OSS release (v5.15.18) and includes the patches included in the 5.15.19 release.

Additional Information

• Guidance on patch application has been taken from the qt@5 Homebrew formula (source).

• The patches themselves have been sourced from Qt (source) and modified to fit the build's directory structure, it should remain identical otherwise.

*clang_18_libpng.patch has been dropped as it is already included in v5.15.18

Breaking Changes

None expected.

Checklist

• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas (note: N/A)
• I have added or updated relevant unit/integration/functional/e2e tests (note: N/A)
• I have made corresponding changes to the documentation
• I have assigned this pull request to a milestone (for repository code-owners and collaborators only)

[github-actions]

✅ No Merge Conflicts Detected

This PR currently has no conflicts with other open PRs.

[DashCoreAutoGuix]

Guix Automation has began to build this PR tagged as v23.0.0-devpr6949.daa18446. A new comment will be made when the image is pushed.

[kwvg]

Checksums for daa1844

3f7f501aa128e4cd1e5ad6dd65bc69561a558bc45b519f35caa1890a59cfd4d4  dashcore-23.0.0-rc.3-306-gdaa18446c3ca-aarch64-linux-gnu-debug.tar.gz
51df94d1be105841cc0c93898926f6866c58679ca973eff055e54f72f40fc6a5  dashcore-23.0.0-rc.3-306-gdaa18446c3ca-aarch64-linux-gnu.tar.gz
aa4ab4881cbadd0f9751ac413fea3204c19408f8403b61f8a59379f9b8041178  dashcore-23.0.0-rc.3-306-gdaa18446c3ca-arm64-apple-darwin-unsigned.tar.gz
bb91a2fa03481cad121299e41f79e23f26f63afdc5977c419ddb43ef32f85a9c  dashcore-23.0.0-rc.3-306-gdaa18446c3ca-arm64-apple-darwin-unsigned.zip
a73295483543b33a8ed7ca5052b6db89706ee03f3867301f2a67e4c20f89bfcd  dashcore-23.0.0-rc.3-306-gdaa18446c3ca-arm64-apple-darwin.tar.gz
aa5312c81fb692b7c3f70a1e0447d11afbf9ac45d56925ccea27e2688b7dc4b0  dashcore-23.0.0-rc.3-306-gdaa18446c3ca.tar.gz
b8e87181b09fb313ae3826283121ffa82980d30067f2c1e05bfbd53452464ddb  dashcore-23.0.0-rc.3-306-gdaa18446c3ca-riscv64-linux-gnu-debug.tar.gz
299d228e641a9093ae0c4d3a2a77bf9e929a59b67240d0b2eb8d9817be790b19  dashcore-23.0.0-rc.3-306-gdaa18446c3ca-riscv64-linux-gnu.tar.gz
6bfb66fc49798ce8dc82dea868bb25fcf565f857ee172ffdca7bada7b79d6b89  dashcore-23.0.0-rc.3-306-gdaa18446c3ca-x86_64-apple-darwin-unsigned.tar.gz
7d75316338468a54cbe4e9bfe81e91395cada4a9fb97ab55303542a82bc4deed  dashcore-23.0.0-rc.3-306-gdaa18446c3ca-x86_64-apple-darwin-unsigned.zip
d4dd193c92baccc492da8165386aa3120e95f35618db2a8f737dc779efe34ad9  dashcore-23.0.0-rc.3-306-gdaa18446c3ca-x86_64-apple-darwin.tar.gz
ba4f15e40d282ac67635a07b6cf3c271a7657c27b79573ff0eaf97945c9d3ecf  dashcore-23.0.0-rc.3-306-gdaa18446c3ca-x86_64-linux-gnu-debug.tar.gz
a81af68766604f03d413e8b29c8b53c6fad206de5b09947060b01ac2a0fa28f2  dashcore-23.0.0-rc.3-306-gdaa18446c3ca-x86_64-linux-gnu.tar.gz
7b00850ee25cc88fee691f28de9635487b14dfd6c6cca2adb4b918263a76dcfc  dashcore-23.0.0-rc.3-306-gdaa18446c3ca-win64-debug.zip
9b141b010fdb4da498b5804c46c88524f6b0ee1302ca0b498826357aea0b3888  dashcore-23.0.0-rc.3-306-gdaa18446c3ca-win64-setup-unsigned.exe
f746fd5044d5c1e13d022cf961bd8519ef08d95fbc1a1e22045e324186c9ed99  dashcore-23.0.0-rc.3-306-gdaa18446c3ca-win64-unsigned.tar.gz
936de562db808e3240a12d465dd01f83389897447294244e6c92b58aa54e61fe  dashcore-23.0.0-rc.3-306-gdaa18446c3ca-win64.zip

[DashCoreAutoGuix]

Guix Automation has completed; a release should be present here: https://github.com/dashpay/dash-dev-branches/releases/tag/v23.0.0-devpr6949.daa18446. The image should be on dockerhub soon.

[kwvg]

Checksums for 5046964

a1b150babe0849d8670f0bbe62efd7cab32e362aeb39450868e98e02ebb16819  dashcore-23.0.0-rc.3-313-g5046964dbd34-aarch64-linux-gnu-debug.tar.gz
411122ec79ad867f056da34bef2ad85046108c420d2f4e459ee69809a5c20887  dashcore-23.0.0-rc.3-313-g5046964dbd34-aarch64-linux-gnu.tar.gz
9a6315dde412d39214f6652cbc836d697eb78368f20fe0318e5cba34080d6322  dashcore-23.0.0-rc.3-313-g5046964dbd34-arm64-apple-darwin-unsigned.tar.gz
9b04f5895c35cb8f307a64b0aec81b3732cda9d90c221c6b5cb9b22bf0f6472c  dashcore-23.0.0-rc.3-313-g5046964dbd34-arm64-apple-darwin-unsigned.zip
dbb55ed31468348d723e724f5b03880f17b63a1786f4a54fe689aefe1cae0b01  dashcore-23.0.0-rc.3-313-g5046964dbd34-arm64-apple-darwin.tar.gz
26c204ff4ad96bdc949d894c0e561b6f7a74bebea078b1bc290f934281522b64  dashcore-23.0.0-rc.3-313-g5046964dbd34.tar.gz
23a49dc3ca66e8c987e098e7a8695664a187780604d7cbaf73c02665572b9217  dashcore-23.0.0-rc.3-313-g5046964dbd34-riscv64-linux-gnu-debug.tar.gz
7c951305cd819ec286e60e30d0de42e3c183a99068bc9663165037b7f1ecf909  dashcore-23.0.0-rc.3-313-g5046964dbd34-riscv64-linux-gnu.tar.gz
406b7239a18b5f710a60ad2fe1e32d931f2fa1af1e9652578d09ee998d554d48  dashcore-23.0.0-rc.3-313-g5046964dbd34-x86_64-apple-darwin-unsigned.tar.gz
566d92e5f735cfbc1a07e84da4b95046c625d5ad809609ae545671a996ef758a  dashcore-23.0.0-rc.3-313-g5046964dbd34-x86_64-apple-darwin-unsigned.zip
04490ad12bac4577e2286d251d52e3f2de23a637990a5552cfa697cfe721d49f  dashcore-23.0.0-rc.3-313-g5046964dbd34-x86_64-apple-darwin.tar.gz
2940a7dc8269d576c1aa21e1f0b062ec57852078761f7ea8ddbd05a2aef7fa8a  dashcore-23.0.0-rc.3-313-g5046964dbd34-x86_64-linux-gnu-debug.tar.gz
a339db4effe6c1e6c9666220901fa283a7361f6431faef3f2839846e7c37ed48  dashcore-23.0.0-rc.3-313-g5046964dbd34-x86_64-linux-gnu.tar.gz
fc3be63bcd7493e999c8a05dd3072d77802155409faf9ebe877f024bafe7961f  dashcore-23.0.0-rc.3-313-g5046964dbd34-win64-debug.zip
262ddcc0c847f2c7fafbd9e5d27b54e3e0ef93389f721b53fa529ebe9f06a97e  dashcore-23.0.0-rc.3-313-g5046964dbd34-win64-setup-unsigned.exe
38d0b2f022930389bf93fe488997fadf02e908bd60a9c162d09c0988b74c732e  dashcore-23.0.0-rc.3-313-g5046964dbd34-win64-unsigned.tar.gz
18f0e350b2b5d28d0d4c93349d2c3497d8e82c83b6a08137c3c948c5a3c4b3f7  dashcore-23.0.0-rc.3-313-g5046964dbd34-win64.zip

[DashCoreAutoGuix]

Guix Automation has began to build this PR tagged as v23.0.0-devpr6949.5046964d. A new comment will be made when the image is pushed.

[DashCoreAutoGuix]

Guix Automation has completed; a release should be present here: https://github.com/dashpay/dash-dev-branches/releases/tag/v23.0.0-devpr6949.5046964d. The image should be on dockerhub soon.

[DashCoreAutoGuix]

Guix Automation has began to build this PR tagged as v23.0.0-devpr6949.04b647f5. A new comment will be made when the image is pushed.

[coderabbitai]

Walkthrough

This pull request updates the Qt dependency from version 5.15.16 to 5.15.18, replacing SHA256 hashes for the main Qt source, qttranslations, and qttools packages. The patch set is modified by removing the clang_18_libpng.patch and adding three new security patches: CVE-2025-4211-qtbase-5.15.patch, CVE-2025-5455-qtbase-5.15.patch, and CVE-2025-30348-qtbase-5.15.patch. The documentation file is updated to reflect the new Qt version reference.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~40 minutes

• CVE-2025-30348-qtbase-5.15.patch: Contains substantial algorithmic refactoring of XML text encoding with a streaming character-by-character approach replacing in-place string rewrites. Requires careful verification of the logic flow, edge cases (EOL/AVN handling), and codec fallback behavior.
• CVE-2025-4211-qtbase-5.15.patch: Introduces dynamic Windows API resolution using function pointers and GetProcAddress. Requires review of platform-specific behavior, graceful fallback logic, and compatibility implications.
• CVE-2025-5455-qtbase-5.15.patch: Modifies charset detection logic in MIME data URL parsing. Requires verification of string manipulation correctness and edge cases around whitespace and "=" character positioning.
• clang_18_libpng.patch removal: Verify that removal is safe and that no older macOS/PowerPC targets still require the conditional header includes.
• SHA256 hash verification: All four updated hashes (main source, qttranslations, qttools) should be independently verified against the official Qt 5.15.18 release artifacts.

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'depends: Qt 5.15.18' clearly and concisely summarizes the main change in the pull request: updating the Qt dependency package to version 5.15.18.
Description check	✅ Passed	The description is comprehensive and directly related to the changeset, explaining the motivation for the Qt upgrade, the specific version changes, patch updates, and sources for the changes.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d56bff5 and 04b647f.

📒 Files selected for processing (6)

• depends/packages/qt.mk (3 hunks)
• depends/patches/qt/CVE-2025-30348-qtbase-5.15.patch (1 hunks)
• depends/patches/qt/CVE-2025-4211-qtbase-5.15.patch (1 hunks)
• depends/patches/qt/CVE-2025-5455-qtbase-5.15.patch (1 hunks)
• depends/patches/qt/clang_18_libpng.patch (0 hunks)
• doc/dependencies.md (1 hunks)

💤 Files with no reviewable changes (1)

• depends/patches/qt/clang_18_libpng.patch

🧰 Additional context used

📓 Path-based instructions (2)

doc/**

📄 CodeRabbit inference engine (CLAUDE.md)

Unless specifically prompted, avoid making changes to the doc directory (documentation)

Files:

• doc/dependencies.md

depends/**

📄 CodeRabbit inference engine (CLAUDE.md)

Unless specifically prompted, avoid making changes to the depends directory (dependency build system)

Files:

• depends/patches/qt/CVE-2025-4211-qtbase-5.15.patch
• depends/patches/qt/CVE-2025-30348-qtbase-5.15.patch
• depends/packages/qt.mk
• depends/patches/qt/CVE-2025-5455-qtbase-5.15.patch

🧠 Learnings (2)

📓 Common learnings

Learnt from: PastaPastaPasta
Repo: dashpay/dash PR: 6804
File: src/qt/proposalwizard.cpp:40-42
Timestamp: 2025-08-11T17:16:36.654Z
Learning: In the Dash repository, when a PR adds new files that are not from Bitcoin backports, these files must be added to the list in test/util/data/non-backported.txt. This applies to newly created files like qt/proposalwizard.{h,cpp} and forms/proposalwizard.ui. Limited exemptions may exist for subtrees and similar cases.

📚 Learning: 2025-08-11T17:16:36.654Z

Learnt from: PastaPastaPasta
Repo: dashpay/dash PR: 6804
File: src/qt/proposalwizard.cpp:40-42
Timestamp: 2025-08-11T17:16:36.654Z
Learning: In the Dash repository, when a PR adds new files that are not from Bitcoin backports, these files must be added to the list in test/util/data/non-backported.txt. This applies to newly created files like qt/proposalwizard.{h,cpp} and forms/proposalwizard.ui. Limited exemptions may exist for subtrees and similar cases.

Applied to files:

• doc/dependencies.md

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (10)

• GitHub Check: linux64_multiprocess-build / Build source
• GitHub Check: linux64_tsan-build / Build source
• GitHub Check: linux64_nowallet-build / Build source
• GitHub Check: mac-build / Build source
• GitHub Check: arm-linux-build / Build source
• GitHub Check: linux64_sqlite-build / Build source
• GitHub Check: linux64_ubsan-build / Build source
• GitHub Check: linux64-build / Build source
• GitHub Check: linux64_fuzz-build / Build source
• GitHub Check: win64-build / Build source

🔇 Additional comments (5)

depends/patches/qt/CVE-2025-5455-qtbase-5.15.patch (1)

8-18: Upstream fix handles whitespace safely.
Mirrors Qt’s 5.15.19 data URL hardening; trimming via QLatin1String avoids the out-of-bounds read when charset lacks a value while retaining behavior.

doc/dependencies.md (1)

36-36: Docs aligned with Qt 5.15.18 rollout.
Table now points to the updated version and PR so downstream builders see the correct source.

depends/patches/qt/CVE-2025-4211-qtbase-5.15.patch (1)

45-58: Dynamic GetTempPath2 fallback matches upstream guidance.
Preferring GetTempPath2W when available applies the hardened temp-dir semantics without breaking older kernels.

depends/patches/qt/CVE-2025-30348-qtbase-5.15.patch (1)

47-154: Streaming encoder keeps behavior while removing the quadratic writes.
Chunked append preserves AVN/textcodec handling and matches the upstream QTBUG-127549 fix for 5.15.

depends/packages/qt.mk (1)

2-260: Qt package metadata wired correctly for 5.15.18.
Version, tarball hashes, and preprocess patch list move together, with the CVE patches registered in both _patches and _preprocess_cmds.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[DashCoreAutoGuix]

Guix Automation has completed; a release should be present here: https://github.com/dashpay/dash-dev-branches/releases/tag/v23.0.0-devpr6949.04b647f5. The image should be on dockerhub soon.

[PastaPastaPasta]

utACK 04b647f

[PastaPastaPasta]

Marked for release in v23.0.1

[UdjinM6]

light ACK 04b647f