Closed Wojtaz0w closed 11 months ago
I don't know, will see if F-Droid reports some issues
Update to https://github.com/zjupure/GlideWebpDecoder/releases/tag/2.4 or better yet https://github.com/zjupure/GlideWebpDecoder/releases/tag/2.6 here I guess: https://github.com/SimpleMobileTools/Simple-Gallery/blob/6.28.0/gradle/libs.versions.toml#L25
I'm updating the recipe for the Kotlin changes and I'd like to flag older versions with KnownVuln, but also have a fixed update for users to update to.
/LE: added links
All versions available in maven here: https://repo1.maven.org/maven2/com/github/zjupure/webpdecoder/
Also, it's not a question of F-Droid flagging but of every developer enumerating their own deps and updating as needed :shrug:
Same for CVE-2023-5217 (heap buffer overflow in vp8 encoding in libvpx): is your img.ly (video) editor immune or patched? Fixed lib: https://github.com/webmproject/libvpx/releases/tag/v1.13.1
Now I can just
- sed -i -e 's/zjupureWebpdecoder = "2.3.4.15.1"/zjupureWebpdecoder = "2.6.4.16.0"/' ../gradle/libs.versions.toml
but I'll need your @tibbi okay for this, before you get a chance to release a version with the fixed lib
Also, fyi since you use this lib for animated webp, https://github.com/penfeizhou/APNG4Android/issues/207
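An added example, not code from this thread or from the Simple-Gallery project: a POSIX shell script that does by hand what the one-line sed above does, but with a check first. It reads the zjupureWebpdecoder version out of a Gradle version catalog (libs.versions.toml), compares it component by component with the release proposed above as carrying the patched libwebp, and only then rewrites the entry. The key name and the version strings are the ones quoted in the thread; treating 2.6.4.16.0 as the minimum fixed version is an assumption taken from the proposed update, not from an upstream advisory. The two catalog files are constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the thread or the project): check a Gradle version
# catalog for the webpdecoder version and bump it if it predates the fix.

# Assumption: first release of com.github.zjupure:webpdecoder with patched libwebp.
FIXED_WEBPDECODER="2.6.4.16.0"

# Print the value of `key = "value"` from a libs.versions.toml (empty if absent).
catalog_version() {
    key="$1"; file="$2"
    sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$file" | head -n 1
}

# Return 0 when $1 >= $2, comparing dot-separated numeric components
# (2.3.4.15.1 vs 2.6.4.16.0 style); missing components count as 0.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".");
        n = (na > nb) ? na : nb;
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0; yi = (i <= nb) ? y[i] + 0 : 0;
            if (xi < yi) exit 1;
            if (xi > yi) exit 0;
        }
        exit 0
    }'
}

# Report whether a catalog pins a patched webpdecoder; 0 = patched, 1 = not.
check_catalog() {
    v=$(catalog_version zjupureWebpdecoder "$1")
    if [ -z "$v" ]; then
        echo "$1: zjupureWebpdecoder not declared in catalog"
        return 1
    fi
    if version_ge "$v" "$FIXED_WEBPDECODER"; then
        echo "$1: webpdecoder $v (>= $FIXED_WEBPDECODER) - patched libwebp"
        return 0
    fi
    echo "$1: webpdecoder $v (< $FIXED_WEBPDECODER) - still bundles vulnerable libwebp"
    return 1
}

# Rewrite the entry to the fixed version. Same idea as the sed in the thread,
# but keyed on the name rather than on an exact old version string, and written
# via a temp file so it works with both GNU and BSD sed.
bump_catalog() {
    sed -e "s/^\([[:space:]]*zjupureWebpdecoder[[:space:]]*=[[:space:]]*\)\"[^\"]*\"/\1\"${FIXED_WEBPDECODER}\"/" "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# Constructed sample catalogs (not the real Simple-Gallery file).
tmpdir=$(mktemp -d)
cat > "$tmpdir/old.toml" <<'EOF'
[versions]
glide = "4.15.1"
zjupureWebpdecoder = "2.3.4.15.1"
EOF
cat > "$tmpdir/new.toml" <<'EOF'
[versions]
glide = "4.16.0"
zjupureWebpdecoder = "2.6.4.16.0"
EOF

check_catalog "$tmpdir/old.toml" || true
check_catalog "$tmpdir/new.toml" || true
```

Point it at a real catalog with `check_catalog path/to/gradle/libs.versions.toml` and run `bump_catalog` on the same path only after the check reports the old version; a plain numeric comparison like this is enough for this library's four-part scheme but does not understand pre-release suffixes.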
Let's wait 1-2 days so that we can check the issue, whether updating the library is enough for it or not. It shouldn't be as difficult to solve as the previous file manager vulnerability.
Updated without modifying anything: https://gitlab.com/fdroid/fdroiddata/-/commit/1c0819793bc88082f3a1916c637ed5b493da2764
Ping us when next version is ready if it fixes stuff
Sure, but it has been fixed in 6.28.1 already.
Is Gallery Pro affected by CVE-2023-4863? Since it supports opening WebP, it would make sense. Also, if it is fixed in the latest update, let us know in the changelog, as this bug is critical.