[Replicant] Proprietary blob found in all Replicant 6.0 builds

belgin belginstirbu at hotmail.com
Tue Dec 1 06:12:40 UTC 2020


Hello!

> The issue with packages/apps/Messaging is that we have 3 CVEs if we
> revert to 0dabdec1f6f6f90b6a0cd45646bdbf5fa79cde74:
> > $ git log \
> >   0dabdec1f6f6f90b6a0cd45646bdbf5fa79cde74..replicant-6.0-0004-rc3 \
> >   | grep -i CVE
> >     CVE-2017-0780
> >     CVE-2017-0494
> >     CVE-2017-0476

These CVEs can be patched as follows:

First, cd into packages/apps/Messaging

For CVE-2017-0780
	git format-patch -1 20f6e4dc2fdadcf88cb8b48276169da47a913f9f
	git apply 0001-37742976-Catch-bad-gifs.patch

For CVE-2017-0494
	git format-patch -1 78cb8b00ee024cfdf383912695e30d9c2cb64f7d
	git apply \
	0001-32764144-Security-Vulnerability-heap-buffer-overflow.patch

For CVE-2017-0476
	git format-patch -1 62371f2e4bfe3d54f2b79fe55bbb423642a235d2
	git apply \
	0001-33388925-Mismatched-new-vs-delete-in-framesequence-l.patch

They all seem to be related to gif processing.
Since this gif library seems to be so buggy, we could even consider
removing gifs in the messaging app in the future, just to be safe.

Thanks,
Belgin
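
The backport steps in the message above, as an added example that is not part of the original post or of Replicant's tooling: each fix commit is exported with `git format-patch`, tested with `git apply --check`, and skipped if the tree already contains it. The function names `backport_one` and `backport_all` and the `--apply` switch are hypothetical; the commit ids are the three given in the message.

```sh
#!/bin/sh
# Added example (not from the original message). Run from packages/apps/Messaging.

# The three fix commits named in the message (CVE-2017-0780, -0494, -0476).
CVE_COMMITS="20f6e4dc2fdadcf88cb8b48276169da47a913f9f
78cb8b00ee024cfdf383912695e30d9c2cb64f7d
62371f2e4bfe3d54f2b79fe55bbb423642a235d2"

# backport_one COMMIT
# Prints "COMMIT applied", "COMMIT already-applied" or "COMMIT conflict".
# Returns non-zero only on conflict, so a failed fix is never silently skipped.
backport_one() {
    commit=$1
    patch=$(mktemp) || return 1
    # --stdout writes the patch to a stream instead of a 0001-*.patch file.
    git format-patch -1 --stdout "$commit" > "$patch" || { rm -f "$patch"; return 1; }
    status=conflict
    if git apply --reverse --check "$patch" 2>/dev/null; then
        # The patch can be cleanly reversed, so the tree already has the fix.
        status=already-applied
    elif git apply --check "$patch" 2>/dev/null && git apply "$patch"; then
        status=applied
    fi
    rm -f "$patch"
    echo "$commit $status"
    [ "$status" != conflict ]
}

# backport_all COMMIT...: stop at the first commit that does not apply.
backport_all() {
    for c in "$@"; do
        backport_one "$c" || return 1
    done
}

# Usage: sh backport.sh --apply
if [ "${1:-}" = "--apply" ]; then
    # Word splitting on the newline-separated list is intended here.
    backport_all $CVE_COMMITS
fi
```

A "conflict" result means the patch has to be ported by hand against the reverted tree; the working tree is left unchanged in that case because `git apply` applies a patch completely or not at all.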

