CVE-2023-4863: track down apps with the WebP vuln and respond
https://stackdiary.com/critical-vulnerability-in-webp-codec-cve-2023-4863/
A quick scan based on .so files in the APK with webp in the same gives:
-
https://f-droid.org/packages/cc.narumi.chaldea.fdroid - dart? -
https://f-droid.org/packages/chat.fluffy.fluffychat - dart? -
https://f-droid.org/packages/com.abhinavmarwaha.wrotto - dart? -
https://f-droid.org/packages/com.adilhanney.saber - dart? -
https://f-droid.org/packages/com.alovoa.expo - Use fresco via expo-image-loader in 1.4.1 and older versions. -
https://f-droid.org/packages/com.amaze.fileutilities - Use libwebp via opencv, https://github.com/TeamAmaze/AmazeFileUtilities/issues/130 -
https://f-droid.org/packages/com.calcitem.sanmill - dart? -
https://f-droid.org/packages/com.carriez.flutter_hbb - dart? -
https://f-droid.org/packages/com.czy0729.bangumi - Use libwebp via fresco, not affected -
https://f-droid.org/packages/com.ensoft.imgurviewer - Use fresco which only use libwepb on Android 4.2 and lower versions -
https://f-droid.org/packages/com.foobnix.pro.pdf.reader - fixed in 8.9.46, added af -
https://f-droid.org/packages/com.formfun - Only take photos. Won't be affected. -
https://f-droid.org/packages/com.fr.laboussole.track - Use libwebp via fresco, so not affected -
https://f-droid.org/packages/com.github.andremiras.qrscan - Only take photos. Won't be affected. -
https://f-droid.org/packages/com.github.andremiras.zbarcamdemo - Only take photos. Won't be affected. -
https://f-droid.org/packages/com.github.andreyasadchy.xtra - 4ac0780a -
https://f-droid.org/packages/com.github.linwoodcloud.dev_doctor - dart? -
https://f-droid.org/packages/com.gitlab.uak.mobile_paper_wallet - No permission. Not affected. -
https://f-droid.org/packages/com.glitterware.passy - dart? -
https://f-droid.org/packages/com.hanntech.free2pass - dart? -
https://f-droid.org/packages/com.infomaniak.meet - Use libwebp via fresco via jitsi-meet-sdk, so not affected -
https://f-droid.org/packages/com.lun.chin.aicamera - Use libwebp via opencv, no upstream reaction -
https://f-droid.org/packages/com.pavelsof.wormhole - Doesn't read pictures. Not affected. -
https://f-droid.org/packages/com.perflyst.twire - upstream issue, fixed update is live -
https://f-droid.org/packages/com.samarthdesai.repeatme Dart? -
https://f-droid.org/packages/com.simondalvai.ball2box - fixed in 4.0.0 already, added af for older, will rebuild, removed afs -
https://f-droid.org/packages/com.simondalvai.pocketbroomball - fixed in 5.0.4 already, added af for older, will rebuild, removed afs -
https://f-droid.org/packages/com.simplemobiletools.gallery.pro - dep GlideWebpDecoder (lib was patched), upstream issue, also dep APNG4Android for animated webp upstream issue , updated, added af -
https://f-droid.org/packages/com.stonegate.tsacdop - dart? -
https://f-droid.org/packages/com.zfdang.zsmth_android - Use fresco which only use libwepb on Android 4.2 and lower versions -
https://f-droid.org/packages/csd.qtproject.minesweeper - Doesn't read external images. Not affected. -
https://f-droid.org/packages/de.akaflieg_freiburg.enroute - Already disabled. -
https://f-droid.org/packages/deckers.thibault.aves.libre - dart? -
https://f-droid.org/packages/de.jbservices.nc_passwords_app - dart? -
https://f-droid.org/packages/de.spiritcroc.riotx - Fixed in sc_v1.6.5.sc72, upstream issue, added af -
https://f-droid.org/packages/dev.linwood.butterfly - dart? -
https://f-droid.org/packages/dev.linwood.butterfly.nightly - dart? -
https://f-droid.org/packages/de.wger.flutter - dart? -
https://f-droid.org/packages/es.ideotec.wdnotes - dart? -
https://f-droid.org/packages/eu.bauerj.paperless_app - dart? -
https://f-droid.org/packages/eu.hydrologis.smash - dart? -
https://f-droid.org/packages/eu.kanade.tachiyomi - Libwebp updated, no release yet. -
https://f-droid.org/packages/ie.equalit.ceno - pinged upstream censorship-no/ceno-browser#105, fixed in 6c59f607 -
https://f-droid.org/packages/in.p1x.tanks_of_freedom - Godot 2, no longer actively developed, no permission, not affected -
https://f-droid.org/packages/io.davidar.tensor - dart? -
https://f-droid.org/packages/io.ente.photos.fdroid - dart? -
https://f-droid.org/packages/io.github.alketii.mightyknight - Godot 2, no permission, not affected -
https://f-droid.org/packages/io.githubfede0d.planetrider - Godot 2, no permission, not affected -
https://f-droid.org/packages/io.github.freewatermark.mobileapp - dart? -
https://f-droid.org/packages/io.github.kobuge.games.minilens - Godot 2, no permission, not affected -
https://f-droid.org/packages/io.librehealth.toolkit.cost_of_care - dart? -
https://f-droid.org/packages/ir.hsn6.defendo - Godot 2, no permission, not affected -
https://f-droid.org/packages/ir.hsn6.k2 - Godot 2, no permission, not affected -
https://f-droid.org/packages/ir.hsn6.tpb - Godot 3.2.3, no permission, not affected -
https://f-droid.org/packages/ir.hsn6.trans - Godot 2, no permission, not affected -
https://f-droid.org/packages/ir.hsn6.turo - Godot 2, no permission, not affected -
https://f-droid.org/packages/me.austinhuang.instagrabber - Use libwebp via fresco, so not affected -
https://f-droid.org/packages/me.kavishhukmani.watwitchstickers - Use libwebp via fresco, so not affected -
https://f-droid.org/packages/nekox.messenger - Fixed in 3c060843 -
https://f-droid.org/packages/net.gcompris.full Only read trusted images -
https://f-droid.org/packages/nl.moeilijkedingen.jellyfinaudioplayer - Use libwebp via react-native-skia, reported -
https://f-droid.org/packages/org.cimbar.camerafilecopy - Only takes photos, not affected -
https://f-droid.org/packages/org.dash.electrum.electrum_dash - Use libwebp via pillow but only read images from camera so not affected. -
https://f-droid.org/packages/org.develz.crawl - No permission, not affected -
https://f-droid.org/packages/org.documentfoundation.libreoffice - !13777 (merged) -
https://f-droid.org/packages/org.forkgram.messenger - Fixed in 9.9.2.0. -
https://f-droid.org/packages/org.godotengine.editor.v3 - 3.5.3 was released with updated webp, added version, added AF for older -
https://f-droid.org/packages/org.godotengine.editor.v4 - updated and added af -
https://f-droid.org/packages/org.jschwab.openrecipes - upstream issue, no upstream reaction -
https://f-droid.org/packages/org.koreader.launcher.fdroid - Libwebp updated in 2023.10 -
https://f-droid.org/packages/org.krita - Libwebp updated, can't build the new version yet. -
https://f-droid.org/packages/org.lufebe16.lbalance - Use libwebp via kivy, no permission, not affected -
https://f-droid.org/packages/org.lufebe16.pysolfc - Use libwebp via kivy, doesn't read images, not affected -
https://f-droid.org/packages/org.mozilla.fennec_fdroid - fixed in 117.1.0, added af -
https://f-droid.org/packages/org.pipoypipagames.cowsrevenge - Godot 2, no permission, not affected -
https://f-droid.org/packages/org.pipoypipagames.towerjumper - Godot 2, no permission, not affected -
https://f-droid.org/packages/org.retroshare.android.qml_app - Use libwebp via qt. Not maintained so archive directly. !13841 (merged) -
https://f-droid.org/packages/org.revengate.revengate - Godot v4 engine pinged upstream, no permission, not affected -
https://f-droid.org/packages/org.sajeg.fallingblocks - Godot v3, updated, added af -
https://f-droid.org/packages/org.telegram.messenger - Fixed in 3c060843, upstream issue -
https://f-droid.org/packages/org.tuxpaint - No permission, not affected -
https://f-droid.org/packages/priv.wh201906.serialtest Doesn't read images, not affected -
https://f-droid.org/packages/pro.oblivioncoding.fluffy_board - dart? -
https://f-droid.org/packages/rocks.mucke - dart? -
https://f-droid.org/packages/software.mdev.bookstracker - dart? -
https://f-droid.org/packages/us.spotco.fennec_dos - fixed in 117.1.0, added af
Here's my quick check script:
for f in *.apk; do
(unzip -l $f | grep -Eoi '\S+/\S*webp\S*\.so') && echo "^^ has webp: $f"
donePossible actions:
- Ping upstream to update
- Add patch to metadata to patch libwebp
- Archive affected APKs
- Tag with
KnownVuln
Edited by Licaon_Kter