ProtonBridge bundles vulnerable, EOL Qt versions, doesn't work with current versions

asanyan · October 28, 2024, 11:47pm

Sources

Fails to start with Qt 6.8

opened 10:48AM - 15 Oct 24 UTC

ProtonMail Bridge fails to start / run with `Qt 6.8`. Trying to run `protonma…il-bridge` on a system running with `Qt 6.8` (e.g. Arch Linux) results in the following errors: ![image](https://github.com/user-attachments/assets/00079f39-3a6e-40e8-9a9e-b69e286d5dae) ``` Failed to initialize sentry INFO[Oct 15 10:45:44.228] bridge-gui starting INFO[Oct 15 10:45:44.228] Using Qt 6.8.0 INFO[Oct 15 10:45:44.233] lock file created /home/antiz/.cache/protonmail/bridge-v3/bridge-v3-gui.lock INFO[Oct 15 10:45:44.233] bridge-gui executable: protonmail-bridge INFO[Oct 15 10:45:44.233] Command-line invocation: <none> INFO[Oct 15 10:45:44.233] New Sentry reporter - id: ck7EK24d+dnJLWJIq/C7q4Xx9j8/xT1shTZB9Olrl48=. DEBU[Oct 15 10:45:44.235] Bridge executable path: /usr/lib/protonmail/bridge/bridge INFO[Oct 15 10:45:44.235] Launching bridge process with command "/usr/lib/protonmail/bridge/bridge" --grpc --parent-pid 49846 --launcher protonmail-bridge --session-id 20241015_104544228 INFO[Oct 15 10:45:44.235] Retrieving gRPC service configuration from '/home/antiz/.config/protonmail/bridge-v3/grpcServerConfig.json' INFO[Oct 15 10:45:44.548] Connecting to gRPC service INFO[Oct 15 10:45:44.550] Connection to gRPC server at unix:///tmp/bridge2534. attempt #1 INFO[Oct 15 10:45:44.552] Successfully connected to gRPC server. INFO[Oct 15 10:45:44.552] Client config file was saved to '/home/antiz/.config/protonmail/bridge-v3/grpcClientConfig_0.json' DEBU[Oct 15 10:45:44.552] checkTokens() INFO[Oct 15 10:45:44.553] gRPC token was validated INFO[Oct 15 10:45:44.553] Connected to backend via gRPC service. DEBU[Oct 15 10:45:44.553] version() DEBU[Oct 15 10:45:44.553] EventStreamReader started DEBU[Oct 15 10:45:44.553] goos() DEBU[Oct 15 10:45:44.553] logsPath() DEBU[Oct 15 10:45:44.553] licensePath() DEBU[Oct 15 10:45:44.554] mailServerSettings() DEBU[Oct 15 10:45:44.554] getUserList() ERRO[Oct 15 10:45:44.576] qrc:/qml/Bridge.qml:43 Type Notifications unavailable qrc:/qml/Notifications/Notifications.qml:419 Type MainWindow unavailable qrc:/qml/MainWindow.qml:174 Type SetupWizard unavailable qrc:/qml/SetupWizard/SetupWizard.qml:242 Type Login unavailable qrc:/qml/SetupWizard/Login.qml:206 ColorImage is not a type pkg=frontend/bridge-gui reportID: 00000000000000000000000000000000 Captured exception :Could not load QML component Details: qrc:/qml/Bridge.qml:43 Type Notifications unavailable qrc:/qml/Notifications/Notifications.qml:419 Type MainWindow unavailable qrc:/qml/MainWindow.qml:174 Type SetupWizard unavailable qrc:/qml/SetupWizard/SetupWizard.qml:242 Type Login unavailable qrc:/qml/SetupWizard/Login.qml:206 ColorImage is not a type ``` It runs as expected with `Qt 6.7`. ## Expected Behavior ProtonMail Bridge to start and run properly with `Qt 6.8`. ## Current Behavior ProtonMail Bridge fails to start with `Qt 6.8` ## Possible Solution I unfortunately don't have a possible solution to provide, but given that ProtonMail Bridge runs properly with `Qt 6.7`, this is most likely a compatibility issue with `Qt 6.8` (e.g. usage of Qt instruction(s) that got modified or deprecated in `Qt 6.8`). ## Steps to Reproduce 1. Install ProtonMail Bridge on a system running `Qt 6.8` (e.g. from Arch Linux: `pacman -S protonmail-bridge`) 2. Start it (e.g. by running `protonmail-bridge` from the terminal) 3. See the above errors ## Version Information v3.14.0

clockwork · October 29, 2024, 1:01am

Does this affect the applications or just bridge?

zestygrass · October 29, 2024, 2:29am

Uncertain if an EOL 18 months old QT is vulnerable enough to merit stop using proton-bridge until it has up-to-date QT. Regardless, this is just disappointing to see from Proton.

I have often brushed off their half-baked, inconsistent features between platforms as, them being a small team that can’t do everything at once. Keeping up with dependencies is pretty simple with Github and bots, let a bot make PR’s, review and update.

At bare minimum they should use LTS release of QT to get security updates if features are not needed.
This type of security negligence is how software become vulnerable for exploitation.

zestygrass · November 13, 2024, 10:44am

Update: Proton Mail Bridge can now run on QT 6.8 in version 3.15.0

Topic		Replies	Views
Proton VPN is transitioning to offering IPv6 support. Available now on Linux! Privacy software	0	210	October 5, 2024
ProtonVPN removed Secure Core from Linux GUI Privacy	10	1369	November 9, 2023
Proton Mail Android 4.0 has a new repo + still relies on FCM for push notifications Site Development completed	19	691	October 30, 2024
WireGuard configuration for Proton's Stealth protocol? Questions	2	148	October 12, 2024
Proton Pass to use SL alias policy when downgrading subscription Privacy software	2	542	December 10, 2024

ProtonBridge bundles vulnerable, EOL Qt versions, doesn't work with current versions

Related topics