SimpleMobileTools / Simple-Gallery

A premium app for managing and editing your photos, videos, GIFs without ads
https://www.simplemobiletools.com
GNU General Public License v3.0
3.6k stars 758 forks

[QUESTION]: libwebp vulnerability #2990

Closed Wojtaz0w closed 11 months ago

Wojtaz0w commented 11 months ago

Is Gallery Pro affected by CVE-2023-4863? Since it supports opening WebP, it would make sense. Also, if it is fixed in the latest update, let us know in the changelog, as this bug is critical.

tibbi commented 11 months ago

I don't know, will see if F-Droid reports some issues

licaon-kter commented 11 months ago

Update to https://github.com/zjupure/GlideWebpDecoder/releases/tag/2.4 or better yet https://github.com/zjupure/GlideWebpDecoder/releases/tag/2.6 here I guess: https://github.com/SimpleMobileTools/Simple-Gallery/blob/6.28.0/gradle/libs.versions.toml#L25

I'm updating the recipe for the kotlin changes and I'd like to flag older versions with KnownVuln but also have a fixed update for users to update to.

/LE: added links

All versions available in maven here: https://repo1.maven.org/maven2/com/github/zjupure/webpdecoder/

licaon-kter commented 11 months ago

if f-droid reports some issues

Also, it's not a question of F-Droid flagging but of every developer enumerating their own deps and updating as needed :shrug:

Same for CVE-2023-5217: Heap buffer overflow in vp8 encoding in libvpx. Is your img.ly (video) editor immune or patched? Fixed lib: https://github.com/webmproject/libvpx/releases/tag/v1.13.1

licaon-kter commented 11 months ago

Now I can just

      - sed -i -e 's/zjupureWebpdecoder = "2.3.4.15.1"/zjupureWebpdecoder = "2.6.4.16.0"/'
        ../gradle/libs.versions.toml

but I'll need your @tibbi okay for this, before you get a chance to release a version with the fixed lib
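As an added illustration (not code from the thread, the F-Droid recipe, or the Simple-Gallery project), here is the same version-catalog edit done as a check rather than a blind substitution: parse the [versions] table of a Gradle libs.versions.toml, report whether the zjupureWebpdecoder pin is below the fixed version, and rewrite the pin keyed on the name instead of the exact old value. The catalog contents are constructed; the key name and the two version strings are the ones in the sed command above; treating 2.6.4.16.0 as the minimum patched version is an assumption taken from that command.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample of a Gradle version catalog (gradle/libs.versions.toml).
# The key name and the "before" version string are the ones from the sed
# command in the thread; the other entries are made up for the example.
SAMPLE_CATALOG = """\
[versions]
kotlin = "1.9.10"
zjupureWebpdecoder = "2.3.4.15.1"

[libraries]
webpdecoder = { module = "com.github.zjupure:webpdecoder", version.ref = "zjupureWebpdecoder" }
"""

# Assumption: the replacement value in the thread's sed command is the
# minimum version that carries the libwebp fix.
MIN_FIXED = "2.6.4.16.0"

# Matches simple `key = "value"` lines; captures indent, key, separator,
# value and any trailing text (e.g. a comment).
_VERSION_LINE = re.compile(r'^(\s*)([A-Za-z0-9_.-]+)(\s*=\s*)"([^"]*)"(.*)$')


def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted version to an int tuple so comparison is numeric, not lexical
    (e.g. 2.10 > 2.9). Non-numeric parts sort below any number."""
    return tuple(int(p) if p.isdigit() else -1 for p in v.split("."))


def catalog_versions(toml_text: str) -> Dict[str, str]:
    """Minimal reader for the [versions] table of a version catalog.
    Only `key = "value"` lines are handled, which is all that table uses."""
    versions: Dict[str, str] = {}
    in_versions = False
    for line in toml_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("["):
            in_versions = stripped == "[versions]"
            continue
        if not in_versions or not stripped or stripped.startswith("#"):
            continue
        m = _VERSION_LINE.match(line)
        if m:
            versions[m.group(2)] = m.group(4)
    return versions


def is_vulnerable(toml_text: str, key: str = "zjupureWebpdecoder",
                  min_fixed: str = MIN_FIXED) -> Optional[bool]:
    """True if the catalog pins `key` below `min_fixed`, False if at or above,
    None if the key is not pinned at all (a separate finding to investigate)."""
    current = catalog_versions(toml_text).get(key)
    if current is None:
        return None
    return parse_version(current) < parse_version(min_fixed)


def bump_version(toml_text: str, key: str, new_version: str) -> str:
    """Rewrite the pin for `key` inside [versions]. Unlike a sed on the full
    old value, this still works if the old version differs from what was expected."""
    out = []
    in_versions = False
    for line in toml_text.splitlines(keepends=True):
        stripped = line.strip()
        if stripped.startswith("["):
            in_versions = stripped == "[versions]"
        elif in_versions:
            nl = "\n" if line.endswith("\n") else ""
            m = _VERSION_LINE.match(line.rstrip("\n"))
            if m and m.group(2) == key:
                line = f'{m.group(1)}{key}{m.group(3)}"{new_version}"{m.group(5)}{nl}'
        out.append(line)
    return "".join(out)


if __name__ == "__main__":
    print("vulnerable before:", is_vulnerable(SAMPLE_CATALOG))
    patched = bump_version(SAMPLE_CATALOG, "zjupureWebpdecoder", MIN_FIXED)
    print("vulnerable after:", is_vulnerable(patched))
    print(patched)
```

Run against a real checkout by reading gradle/libs.versions.toml into `toml_text`; a `None` result means the library is not pinned through the catalog and its version has to be found elsewhere in the build.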

licaon-kter commented 11 months ago

Also, fyi since you use this lib for animated webp, https://github.com/penfeizhou/APNG4Android/issues/207

tibbi commented 11 months ago

Now I can just

      - sed -i -e 's/zjupureWebpdecoder = "2.3.4.15.1"/zjupureWebpdecoder = "2.6.4.16.0"/'
        ../gradle/libs.versions.toml

but I'll need your @tibbi okay for this, before you get a chance to release a version with the fixed lib

Let's wait 1-2 days so that we can check the issue, whether updating the library is enough for it or not. It shouldn't be as difficult to solve as the previous file manager vulnerability.

licaon-kter commented 11 months ago

Updated without modifying anything: https://gitlab.com/fdroid/fdroiddata/-/commit/1c0819793bc88082f3a1916c637ed5b493da2764

Ping us when next version is ready if it fixes stuff

licaon-kter commented 11 months ago

fyi https://gitlab.com/fdroid/fdroiddata/-/commit/6bb11ec4c6b1d06a91b49ad61594e4581485fda5

tibbi commented 11 months ago

sure, but has been fixed in 6.28.1 already