Documenting known vulnerabilities:

fdroiddata
website

#1

Many applications are labelled “This app contains a known security vulnerability”. But could not find what exactly the vulnerability is.
It will be useful to decide whether to use the app if a link / short description of the vulnerability are added.


#2

Which ones, are these in the main repo?


#3

not sure whether this is meant: If you clone https://gitlab.com/fdroid/fdroiddata and then do

grep -r KnownVuln .

you get

./metadata/com.artifex.mupdf.mini.txt:AntiFeatures:KnownVuln
./metadata/com.artifex.mupdfdemo.txt:AntiFeatures:KnownVuln
./stats/antifeatures.txt:KnownVuln 2


#4

https://f-droid.org/wiki/page/com.artifex.mupdf.mini plenty of info

https://f-droid.org/wiki/page/com.artifex.mupdfdemo same

./stats/antifeatures.txt:KnownVuln NOT an app


#5

MuPDF has CVE associated with it. But what about others?
Most of the apps with knownvuln also have disabledAlgorithm. There is know way to know whether DisabledAlgorithm is only only KnownVuln.


#6

Which others? These are all: https://f-droid.org/wiki/page/AntiFeatures (it’s updated on every index update)


#7

Most of these apps have been moved to the archive tbh, so they won’t show up on the website.


#8

Ideally, we’d have better docs for this. I think it wouldn’t be too hard to implement an improved system. For CVEs, it would be great to be able to tag APKs with KnownVuln and a link to the CVE, for example.


#9

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.