See https://github.com/godotengine/godot/issues/30952 and https://github.com/libgdx/libgdx/issues/5737 for context.
Google Android used to maintain a libgdx fork, and committed some security fixes in libgdx's bundled jpgd.cpp, which were seemingly not contributed back upstream either here or to libgdx. Godot also uses jpgd.cpp so is affected likewise.
I reviewed the Google Android libgdx codebase and cherry-picked the two commits related to jpgd.cpp: https://android.googlesource.com/platform/external/libgdx/+log/refs/heads/nougat-mr2.3-release
The second commit was apparently the fix (or one of the fixes?) for CVE-2017-0700. PoC: https://github.com/ele7enxxh/poc-exp/tree/master/CVE-2017-0700
Note that I cherry-picked these commits without modification, nor reviewing whether they do things the right way. I tested that second commit properly fixes the above linked PoC:
CC @richgel999 as I've noticed you don't "watch" your old repos imported from Google Code.