pacjo opened 1 year ago
Also in Droid-ify, Anti-features - Has security vulnerabilities.
For me the F-Droid app recommended to immediately remove the application from my phone.
For me too, does someone know the vulnerability?
Same problem here: no information about the vulnerability in Neo Store.
Ok, the official fdroid website has some more information:
main: https://f-droid.org/en/packages/com.foobnix.pro.pdf.reader/
affected apps: https://monitor.f-droid.org/anti-feature/KnownVuln
detailed info: https://gitlab.com/fdroid/fdroiddata/-/blob/master/metadata/com.foobnix.pro.pdf.reader.yml
related commit: https://gitlab.com/fdroid/fdroiddata/-/merge_requests/11496
It looks like the issue is with the MuPDF 1.11 component.
from here:
* KnownVuln: MuPDF 1.11 noted at below link
* https://github.com/foobnix/LibreraReader/blob/8.8.5/app/src/main/java/com/foobnix/pdf/info/AppsConfig.java#L30
* app includes both MuPDF 1.11 as the default for legacy Android 4.0 compatibility
* https://gitlab.com/fdroid/fdroiddata/-/merge_requests/11496
But that issue was known since December. There were several releases of Librera on Fdroid in the meantime.
It's weird that Fdroid started blaring all the sirens only today, especially since #1030 was closed with what looked like an agreement on how to resolve the security issue that Fdroid were concerned about.
That made me think it's something different, but I can't find any trace of what it could be, aside from the old MuPDF 1.11 threads (FWIW, the library is still there in the current Fdroid release).
So which is the vulnerability?
For those who are on Android 4+ (I guess everyone is), there is a temporary solution copied from #1030:
Click the hamburger menu in the top left hand corner, scroll down to Engine
and select MuPDF_1.21.1.
MuPDF_1.11 is the vulnerable version, which could allow denial of service & arbitrary code execution according to Arch Linux security tracker. You can find the detailed information about CVEs here.
It was already selected for me, so I suppose I'm good. Thank you.
1.21 was also pre-selected for me on a fresh re-install.
Is there a particular reason the older vulnerable library is still included? I would think removing it as an option would prevent the app from getting flagged by F-Droid.
Or you could, y'know... reach out to F-Droid contributors and ask? :)
There's an issue in fdroidserver for apps that had knownvuln applied per version, and this affects Librera now by flagging it erroneously.
To be honest, I dislike the way F-Droid et al are crying wolf by marking Librera Reader as having security vulnerabilities, while it's just 1 security vulnerability that requires minimal effort from the user to mitigate.
It's also strange that the notification lacks link(s) to proof about that 1 security vulnerability. Why do we have to search on the Internet to figure out what's going on?
I won't be surprised when foobnix DMCAs F-Droid et al for this smear campaign 😏
Vulnerabilities are hard to prove one way or the other.
Read the corresponding MR that added that; you can see that no one was in a hurry to smear anyone (it took 6 months to be merged and many apps were not flagged in the end as they got fixed) and why all these apps were flagged: https://gitlab.com/fdroid/fdroiddata/-/merge_requests/11496
As usual you are free to prove that those versions of mupdf are not affected and F-Droid would remove that info, as expected.
/LE: note that it is not the fault of the app, but of the libs used, the devs are free to drop the problematic mupdf.
/LE: latest Client 1.16.x misses the "Ignore" action in the Update screen like 1.15.x had, it's a known issue not an intentional thing :shrug:
Yeah at first I uninstalled the app, but reinstalled after reading the thread here. But now F-Droid keeps sending urgent notifications every few hours.
FWIW I've been using NeoStore which still includes this option. But I guess the notifications would still come from the F-Droid app regardless.
If there was a working "ignore" toggle, it'd be easy enough to select the option to ignore reports of security vulnerabilities per app, but, well, that sounds like something that would be easy to forget about AND leave the door open for actual issues to sneak in without user knowledge.
For anyone with Neo Store, it is possible to mute the warnings for this app specifically:
These warnings exist for good reasons. I think what we're seeing are some overzealous store apps that can maybe be tuned for how they notify us and handle snoozing or ignores. Definitely could also do with some additional information, like a hyperlink to a bug report. I'd also suggest we search out or even create issues for these specific points at the appropriate repositories.
In the meantime, we'll just have to wait for a PR here to drop the older mupdf lib (any details on why it's still there in the first place?)
@montchr how often have you set up repo refresh?
@licaon-kter
Putting a link to a CVE in a notification is NOT rocket science.
We've got the hate above for a small text in Updates tab, you wanna cram this list where exactly? https://www.cvedetails.com/vulnerability-list/vendor_id-10846/product_id-20840/Artifex-Mupdf.html :)
Regardless of what is or will be changed in the fdroid yml, this app is technically still exploitable by toggling to the older mupdf renderer, so I agree that the old mupdf lib should still be removed.
Hi guys, I'd suggest checking #1030 and reading all the comments first before raising questions.
In case you missed it, the old (vulnerable) lib is kept for backward-compatibility. A possible solution (two variants like Librera Reader & Librera Reader Legacy) is brought up in https://github.com/foobnix/LibreraReader/issues/1030#issuecomment-1341039519 as well.
Specifically for this issue per se, it is caused (directly) by a bug in fdroidserver. And with this commit Licaon_Kter mentioned, it should no longer trigger a warning about the security issue in next F-Droid repo build.
Thanks for the info @Vinfall
I don't want to duplicate discussion and apologize if this is the wrong place, but between that issue and the mupdf changelog, I can't see what's so important to maintain compatibility with? It looks like only a few old decoders are dropped, but they didn't seem that important.
Can someone please explain how the vulnerability can affect the user's device if the application doesn't have internet access, Librera F-Droid version is an offline application.
I am making mupdf 1.21.1 default engine so 1.11 will be removed soon in all apps.
Lack of direct Internet access does not mean an app can't exfiltrate data if it wants to; it can, e.g., open a link in your browser or write some data for some other app to pick up, etc.
The issue in general is that a remote attacker can/could trigger some actions on your device while you just "view" a weaponized .PDF
In both the F-Droid and Play Store versions, there is nothing showing next to "Engine." It's blank, and I can neither select the engine nor even see which version is enabled. I assume it's a later version (1.21+), but I'd rather not make assumptions regarding potential security issues, and if it's actually running a vulnerable version, I'd like to know. Does anyone know why it's blank and how to tell which version is active?
It has been already patched, the vulnerable library has gotten removed, that's why it's blank. Because you can only use the engine that's not vulnerable.
It's possible to change the rendering engine only in the PRO version from google play or here https://github.com/foobnix/LibreraReader/releases/
But then the question is, if you can't change it on non-pro and can on pro, is it set to the lower version on both and you can only change to the higher version on pro or, more likely and what I would expect, the opposite?
Today I got a notification from fdroid saying librera has security vulnerabilities.
Device / app info
App version: 8.8.40-fdroid
OS: SparkOS 13.5 (A13), security patch: 5 February 2023
Fdroid: Neo Store (com.machiav3lli.fdroid) 0.9.15
Screenshots
Neo Store: Notification (from notification history):