[Replicant] Proprietary blob found in all Replicant 6.0 builds
belgin
belginstirbu at hotmail.com
Tue Dec 1 06:12:40 UTC 2020
Hello!
> The issue with packages/apps/Messaging is that we have 3 CVE if we
> revert to 0dabdec1f6f6f90b6a0cd45646bdbf5fa79cde74:
> > $ git log \
> > 0dabdec1f6f6f90b6a0cd45646bdbf5fa79cde74..replicant-6.0-0004-rc3
> > | \ grep -i CVE
> > CVE-2017-0780
> > CVE-2017-0494
> > CVE-2017-0476
These CVEs can be patched as follows:
First, cd into packages/apps/Messaging
For CVE-2017-0780
git format-patch -1 20f6e4dc2fdadcf88cb8b48276169da47a913f9f
git apply 0001-37742976-Catch-bad-gifs.patch
For CVE-2017-0494
git format-patch -1 78cb8b00ee024cfdf383912695e30d9c2cb64f7d
git apply \
0001-32764144-Security-Vulnerability-heap-buffer-overflow.patch
For CVE-2017-0476
git format-patch -1 62371f2e4bfe3d54f2b79fe55bbb423642a235d2
git apply \
0001-33388925-Mismatched-new-vs-delete-in-framesequence-l.patch
They all seem to be related to gif processing.
Since this gif library seems to be so buggy, we could even consider
removing gifs in the messaging app in the future, just to be safe.
Thanks,
Belgin
More information about the Replicant
mailing list