this post was submitted on 25 Oct 2024
211 points (99.5% liked)

F-Droid

8080 readers
1 users here now

F-Droid is an installable catalogue of FOSS (Free and Open Source Software) applications for the Android platform. The client makes it easy to browse, install, and keep track of updates on your device.

Website | GitLab | Mastodon

Matrix space | forum | IRC

founded 3 years ago
MODERATORS
fossdd@lemmy.ml
testman@lemmy.ml
211
"We found a vulnerability..." (lemmy.sdf.org)
submitted 6 days ago by 52fighters@lemmy.sdf.org to c/fdroid@lemmy.ml
58 comments fedilink hide all child comments
 

Can I get more info on why these are showing up? I've never seen such a thing on F-Droid before.

top 50 comments
sorted by: hot top controversial new old
[–] Kajika@lemmy.ml 32 points 5 days ago* (last edited 5 days ago)

The current version has a critical security vulnerability (https://www.mozilla.org/en-US/security/advisories/mfsa2024-51/) but to fix it the new version compiled against libclang version 27 but Google decided to remove it from Android so the building pipeline needs to be adjusted.

There's a long discussion: https://gitlab.com/relan/fennecbuild/-/merge_requests/63 , about building the newer version

In the meanwhile the app is a security hazard.

[–] FutileRecipe@lemmy.world 66 points 6 days ago* (last edited 6 days ago) (1 children)

Fennec and Mull 129.0.2 in F-Droid.org repository have 42 known security issues

Ref: https://forum.f-droid.org/t/fennec-vulnerability-recommended-to-uninstall/

[–] SatyrSack@feddit.org 11 points 6 days ago (1 children)

The issue preventing updates should be resolved soon thanks to @linsui fixing it!

What is wrong with updating?

[–] WhyJiffie@sh.itjust.works 21 points 6 days ago (1 children)

it was mentioned in a This Week In F-droid blog post around September. basically google fucked up an important development library, and any firefox forks (possibly some other apps too) could not be built anymore normally. of course google was unwilling to fix the issue, so linsui (and F-droid member) fixed the build process somehow, possibly temporarily.

you may ask how is this not a problem for the official release of the firefox app, and my answer is that they probably build this component for themselves, and fixed the problem in house (if they had it at all)

[–] SatyrSack@feddit.org 4 points 6 days ago (1 children)

Right, but that comment that I quoted from the F-Droid forum makes it sound like there is some sort of issue updating to a build with the vulnerability patched. My Mull is on 131.0.3, and I do not remember having an issue updating it.

[–] N4CHEM@lemmy.ml 12 points 6 days ago

You're probably getting your Mull updates via the DivestOS repository, not the official F-Droid repository.

[–] N4CHEM@lemmy.ml 44 points 6 days ago* (last edited 6 days ago)

There was a critical vulnerability found on Firefox some days ago: CVE-2024-9680. Fennec and Mull are forks of Firefox. They both fixed this issue already in their source code, BUT there is a problem preventing F-Droid from building these updated, fixed versions.

In the case of Mull, you can download the updated version from the DivestOS F-Droid repository: https://divestos.org/fdroid/official/, but if you are currently using the F-Droid version you will need to uninstall it first, since they have different signatures.

[–] mac@lemm.ee 23 points 5 days ago* (last edited 5 days ago)

There should really be push notifications around installed apps with known vulns... Its tracked here: https://forum.f-droid.org/t/vulnerability-warnings-in-f-droid-app/20505

Could someone with a gitlab account open a feature request on the f droid repo?

I tried to open an account but it required email + cell phone (it picked up my VoIP number) and a credit card....

EDIT: I generated an RSS feed based off of Mozilla's known vuln list. If anyone knows of a better way to do this, please let me know!

[–] Quintus@lemmy.ml 19 points 6 days ago (2 children)

Are these two from the same maintainer? If not, considering that they both use Firefox Android as their base, does this mean there is a vulnerability in Firefox Android?

[–] Piwix@lemm.ee 32 points 6 days ago (1 children)

There was and it was fixed by the looks of it. Guessing these apps have not urgently pulled the fixes in and released an update, so F-droid is urging people not to use the apps until so

[–] WhyJiffie@sh.itjust.works 10 points 6 days ago

they pulled the fixes, but couldn't build because google fucked up the NDK. my other comment has more details

[–] kitnaht@lemmy.world 21 points 6 days ago* (last edited 6 days ago) (1 children)

Yes, there was a remote code execution vulnerability in the CSS engine of firefox a little while ago. If you're on desktop version 131 or lower, update to 131.0.3 when possible. I don't know how the versioning works for the Android versions here...

[–] Redjard@lemmy.dbzer0.com 11 points 6 days ago (1 children)

173? What happened to firefox versions? We just started the 130s

[–] kitnaht@lemmy.world 13 points 6 days ago* (last edited 6 days ago) (1 children)

shit, woops. I've got memory issues, my bad. Let me fix that rq. Thanks for catching it.

https://nvd.nist.gov/vuln/detail/CVE-2024-9680

[–] Redjard@lemmy.dbzer0.com 9 points 6 days ago

Yeah that seems about right.

I don't know how the versioning works for the Android versions here...

Android has the same versions as desktop here, which is why there is no differentiation. The main chunk of firefox is platform independent (and even used in thunderbird too).

So any firefox android app and fork thereof needs that version 131.0.3+ too (unless it is esr which is 128 currently).

[–] DishonestBirb@lemmy.world 9 points 5 days ago* (last edited 5 days ago) (5 children)

Uninstalling my primary browser isn't really a practical solution, what am I supposed to use, Chrome? How about fixing the version they're shipping? Or should I be looking somewhere other than F-Droid for Android Firefox?

[–] cyberwolfie@lemmy.ml 11 points 5 days ago* (last edited 5 days ago) (1 children)

I changed to the Divest-repo for Mull, and they have an updated version that has fixed these security issues.

ETA: Different signing keys though, so you can't just update it, but have to reinstall.

[–] Moah@lemmy.blahaj.zone 2 points 5 days ago (1 children)

How do you do that?

[–] cyberwolfie@lemmy.ml 4 points 5 days ago (1 children)

You add https://divestos.org/apks/official/fdroid/repo/ as a repo in F-Droid settings. After that you can choose which repo to prefer for Mull.

[–] Moah@lemmy.blahaj.zone 2 points 5 days ago

Thank you

[–] kazaika@lemmy.world 10 points 5 days ago (1 children)

Theyre the distributor, the dont fix apps and its not their job to do so. Getting the same app from a different source wont change anything

[–] Swedneck@discuss.tchncs.de 4 points 5 days ago (3 children)

huh? no one's asking them to fix firefox, we're asking that they just ship the latest version.

the warning states that several vulnerabilities have been fixed since firefox version 130, f-droid's latest version of the package is 129: that very much makes it sound like the problem is wholly caused by f-droid not making version 130 available.

[–] AlpacaChariot@lemmy.world 6 points 5 days ago

To ship it they have to work out how to build that version themselves from source though - that's their whole thing. It's not like a normal app store where they take pre-built binaries from the developer.

[–] kazaika@lemmy.world 2 points 5 days ago

Well ok if thats the case you are completely right, as long as there isnt some kind of issue and others have already updated the package pushing security fixes asap is indeod important

load more comments (1 replies)
[–] abbenm@lemmy.ml 1 points 4 days ago

Or should I be looking somewhere other than F-Droid for Android Firefox?

FFUpdater, on F-Droid, manages updates for Firefox and other browsers. I counted nine variations of Firefox or forks of Firefox. As well as eight variations of Chromium based browsers that aren't Chrome. So that's 17 options.

[–] ace_garp@lemmy.world 2 points 5 days ago

Iceraven is a Mozilla based standin.

Can install FFUpdater here:

https://f-droid.org/packages/de.marmaro.krt.ffupdater/

and then select it from there.

[–] victorz@lemmy.world 2 points 5 days ago (1 children)

I just install Firefox from the Play Store. 🤷‍♂️ Is that bad?

[–] ma1w4re@lemm.ee 13 points 6 days ago

For more frequent mull updates you can use DivestOS Official repo

[–] orcrist@lemm.ee 8 points 6 days ago (2 children)

What would people recommend in the short run as an alternative?

[–] N4CHEM@lemmy.ml 18 points 6 days ago* (last edited 6 days ago)

You can download an updated version of Mull with the security vulnerability fixed, from the DivestOS F-Droid repository: https://divestos.org/fdroid/official/. If you currently have the F-Droid version of Mull installed you will need to uninstall it first.

[–] 3dogsinatrenchcoat@slrpnk.net 9 points 6 days ago

You can get the updated mull from the divestos repo, the issue is fixed there

[–] GolfNovemberUniform@lemmy.ml 6 points 6 days ago (2 children)

It doesn't say anything like that in Droid-ify. I don't remember any recent reports of vulnerabilities either.

[–] everett@lemmy.ml 24 points 6 days ago (1 children)

Sounds like Droidify is missing F-Droid features. More info on the web.

load more comments (1 replies)
[–] merde@sh.itjust.works 4 points 6 days ago

if you activated divestOS repos on droid-ify than you probably have the fixed update

[–] granolabar@kbin.melroy.org 2 points 6 days ago (1 children)

We at least it got pulled

[–] possiblylinux127@lemmy.zip 1 points 5 days ago

It us still there

load more comments
view more: next ›