From 135720bd2f35a0bf40af1f6b6c51158a0f3dad9a Mon Sep 17 00:00:00 2001
From: Naveen
Date: Tue, 3 Oct 2023 20:52:40 +0530
Subject: [PATCH 1/3] Update webp library
Fixes known vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2023-4863 https://github.com/SimpleMobileTools/Simple-Gallery/issues/2990
---
 gradle/libs.versions.toml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
index 579490b55..1de8299fc 100644
--- a/gradle/libs.versions.toml
+++ b/gradle/libs.versions.toml
@@ -21,8 +21,8 @@ androidGifDrawable = "1.2.25"
 androidImageCropper = "4.5.0"
 apng = "2.25.0"
 awebp = "2.25.0"
-glideCompiler = "4.15.1"
-zjupureWebpdecoder = "2.3.4.15.1"
+glideCompiler = "4.16.0"
+zjupureWebpdecoder = "2.6.4.16.0"
 gestureviews = "a8e8fa8d27"
 androidsvgAar = "1.4"
 imagefilters = "1.0.7"
From fc742a223eb4dedbefbdcf50d69903ff2d8b6af2 Mon Sep 17 00:00:00 2001
From: Naveen
Date: Tue, 3 Oct 2023 21:21:50 +0530
Subject: [PATCH 2/3] Disable system decoder
---
 .../com/simplemobiletools/gallery/pro/extensions/Context.kt | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/app/src/main/kotlin/com/simplemobiletools/gallery/pro/extensions/Context.kt b/app/src/main/kotlin/com/simplemobiletools/gallery/pro/extensions/Context.kt
index d8232a83e..2ef92ecfc 100644
--- a/app/src/main/kotlin/com/simplemobiletools/gallery/pro/extensions/Context.kt
+++ b/app/src/main/kotlin/com/simplemobiletools/gallery/pro/extensions/Context.kt
@@ -15,6 +15,8 @@ import android.provider.MediaStore.Images
 import android.widget.ImageView
 import com.bumptech.glide.Glide
 import com.bumptech.glide.Priority
+import com.bumptech.glide.integration.webp.WebpBitmapFactory
+import com.bumptech.glide.integration.webp.decoder.WebpDownsampler
 import com.bumptech.glide.integration.webp.decoder.WebpDrawable
 import com.bumptech.glide.integration.webp.decoder.WebpDrawableTransformation
 import com.bumptech.glide.load.DataSource
@@ -539,9 +541,11 @@ fun Context.loadImageBase(
 options.optionalTransform(WebpDrawable::class.java, MultiTransformation(WebpDrawableTransformation(CenterCrop()), WebpDrawableTransformation(roundedCornersTransform)))
 }
+ WebpBitmapFactory.sUseSystemDecoder = false // CVE-2023-4863
 var builder = Glide.with(applicationContext)
 .load(path)
 .apply(options)
+ .set(WebpDownsampler.USE_SYSTEM_DECODER, false) // CVE-2023-4863
 .transition(DrawableTransitionOptions.withCrossFade(crossFadeDuration))
 if (tryLoadingWithPicasso) {
From 1db346bc0b43437ac1cf850139d35b859391f718 Mon Sep 17 00:00:00 2001
From: Naveen
Date: Tue, 3 Oct 2023 21:25:30 +0530
Subject: [PATCH 3/3] Update apng, awebp library
---
 gradle/libs.versions.toml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
index 1de8299fc..e9fc03656 100644
--- a/gradle/libs.versions.toml
+++ b/gradle/libs.versions.toml
@@ -19,8 +19,8 @@ gradlePlugins-agp = "7.4.0"
 #Other
 androidGifDrawable = "1.2.25"
 androidImageCropper = "4.5.0"
-apng = "2.25.0"
-awebp = "2.25.0"
+apng = "2.28.0"
+awebp = "2.28.0"
 glideCompiler = "4.16.0"
 zjupureWebpdecoder = "2.6.4.16.0"
 gestureviews = "a8e8fa8d27"
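Review bot: In the `loadImageBase` hunk of Context.kt (PATCH 2/3), the mitigation is scoped to this one Glide request. `WebpBitmapFactory.sUseSystemDecoder = false` is a process-wide static that is reassigned on every call, and `.set(WebpDownsampler.USE_SYSTEM_DECODER, false)` applies only to this builder. Any WebP decoded before the first `loadImageBase` call, or through another load path, would presumably still reach the platform decoder on unpatched devices. The `if (tryLoadingWithPicasso)` branch that follows looks like one such path, though its body is outside the hunk, as are the start and end of `loadImageBase`. Consider assigning the static once at application start-up and applying the option through shared default request options, and widen the comment to say why, e.g. `// CVE-2023-4863: keep WebP off the platform decoder; the bundled decoder is the patched one`.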