SimpleMobileTools / Simple-File-Manager

Easy app for managing your files without ads, respecting your privacy & security
https://www.simplemobiletools.com
GNU General Public License v3.0
1.51k stars 385 forks

F-Droid: Known Vulnerability #656

Closed imsi32 closed 1 year ago

imsi32 commented 1 year ago

It seems like F-Droid found a vulnerability in v6.14.3. I don't know what it is, but you can look at these links that show Simple File Manager has a known vulnerability: https://gitlab.com/fdroid/fdroiddata/-/blob/master/metadata/com.simplemobiletools.filemanager.pro.yml

https://monitor.f-droid.org/anti-feature/KnownVuln

Ilav1 commented 1 year ago

I also got a message from F-Droid to uninstall Simple File Manager because of a vulnerability

tibbi commented 1 year ago

There's no vulnerability, guess some monitoring apps don't like the root access

wtrh commented 1 year ago

This seems to be due to the fact that vulnerability information is registered in the F-Droid repository.

I haven't looked into it in detail, but from the last commit to the build metadata (https://gitlab.com/fdroid/fdroiddata/-/commit/b90b2c53e5de4d1e30c5a883eb41faa74ed6c0f7#09f81f62688f23c16756b691f24d11685e9f3694), it seems to be related to https://github.com/SimpleMobileTools/Simple-File-Manager/issues/619.

Focshole commented 1 year ago

This seems to be due to the fact that vulnerability information is registered in the F-Droid repository.

I haven't looked into it in detail, but from the last commit to the build metadata (https://gitlab.com/fdroid/fdroiddata/-/commit/b90b2c53e5de4d1e30c5a883eb41faa74ed6c0f7#09f81f62688f23c16756b691f24d11685e9f3694), it seems to be related to #619.

It is definitely due to that library version, which has some known vulnerabilities. As we can see in the Known Vuln apps list, most of the applications reported are PDF-related, as well as in F-Droid's "Flag many apps with KnownVuln" merge.

tibbi commented 1 year ago

duplicate of #619

voidplayer commented 1 year ago

Is this fixed? Is it a false positive?

SSUPII commented 1 year ago

Is this fixed? Is it a false positive?

This is a closed issue because it is a duplicate of issue id 619 (not going to mention it again).

GameOverFlowChart commented 1 year ago

There's no vulnerability, guess some monitoring apps don't like the root access

So there is a known vulnerability since Aug 2, and people are told that there is no vulnerability. Great.

voidplayer commented 1 year ago

Is this fixed? Is it a false positive?

This is a closed issue because it is a duplicate of issue id 619 (not going to mention it again).

Sorry, I see the other issue is open. I skimmed it and thought it was closed