last updated: 2022/08/03

Preface:
- This is a list of dependencies and apps that may have known vulnerabilities
- These apps may not actually expose the vulnerable functionality
- These apps may have mechanisms in places to mitigate the vulnerable functionality
- The primary focus is F-Droid variants of the apps, upstream versions may not be impacted
- This is not meant to be treated as "perfectly correct" or any form of audit, just a cursory check

See something wrong? Open an issue or merge request:
- https://gitlab.com/Divested-Mobile/DivestOS-Website/-/blob/master/misc/appsec.txt
- https://github.com/Divested-Mobile/DivestOS-Website/blob/master/misc/appsec.txt

Libraries:
- iText
	- Changelog: https://github.com/itext/itextpdf/releases
	- com.itextpdf:itextg:5.5.10 from 2016-10-07
		- Status: Has ~5 known security issues
		- Dependent Apps:
			- Attestation de déplacement 3.7.0:
				- https://github.com/AdrienPoupa/AttestationDeplacement/blob/3.7.0/app/build.gradle#L42
				- https://github.com/AdrienPoupa/AttestationDeplacement/issues/131
			- PDF Converter 8.8.1:
				- https://github.com/Swati4star/Images-to-PDF/blob/8.8.1/app/build.gradle#L98
				- https://github.com/Swati4star/Images-to-PDF/issues/1083
			- PDF Creator 3.8:
				- https://github.com/scoute-dich/PDFCreator/blob/v3.8/app/build.gradle#L34
				- Repository archived, not reported
	- com.itextpdf:itextg:5.5.6 from 2015-05-08
		- Status: Has ~5 known security issues
		- Dependent Apps:
			- ePUBator 0.12:
				- https://sourceforge.net/p/epubator/code/ci/master/tree/ePUBator/lib/
				- App hasn't been updated since 2015, not reported
- MuPDF
	- Changelog: https://mupdf.com/releases/history.html
	- CVEs: https://www.cvedetails.com/vulnerability-list/vendor_id-10846/product_id-20840/Artifex-Mupdf.html
	- MuPDF 1.16.1 from 2019-08-02
		- Status: Has ~5 known security issues
		- Dependent Apps:
			- Orion Viewer 0.81.2:
				- https://github.com/max-kammerer/orion-viewer/commits/0.81.2_fdroid/nativeLibs/mupdfModule
				- https://github.com/max-kammerer/orion-viewer/issues/40
	- MuPDF 1.11 from 2017-04-11
		- Status: Has ~31 known security issues
		- Dependent Apps:
			- Document Viewer 2.8.2
				- https://github.com/SufficientlySecure/document-viewer/commits/v2.8.2/document-viewer/jni/mupdf
				- Note has 4 issues patched: https://github.com/SufficientlySecure/document-viewer/commit/0bfb13b1b65cc27145b4526a3c2564ecdb468674
				- https://github.com/SufficientlySecure/document-viewer/issues/277
	- Ancient versions (unmaintained and not reported):
		- APV PDF Viewer 0.4.0, https://github.com/mpietrzak/apv/tree/a6510d26791fdd94baecaaf346dfc821e76bd8da/pdfview/deps
		- PDF Reader 0.4.0, https://github.com/droidapps/pdfreader4Android/tree/0.4.0-patched/jni/mupdf/pdf
		- VuDroid 1.4
- PDF.js:
	- Changelog: https://github.com/mozilla/pdf.js/releases
	- PDF.js 1.5.188 from 2016-04-21
		- Status: Has ~1 known security issues
		- Dependent Apps:
			- CuprumPDF v1.3.0
				- https://github.com/paride/CopperPDF/blob/v1.3.0/app/src/main/assets/pdf.js#L31
				- Repository archived, not reported
- PDFBox
	- CVEs: https://www.cvedetails.com/vulnerability-list/vendor_id-45/product_id-33936/Apache-Pdfbox.html
	- com.tom-roush:pdfbox-android:2.0.1.0 using PDFBox 2.0.1 from 2016-04-22
		- Implementer Library: https://github.com/TomRoush/PdfBox-Android/releases
		- Status: Has ~5 known security issues
		- Dependent Apps:
			- Green Pass PDF Wallet 2.3.1
				- https://github.com/michaeltroger/greenpass-android/blob/40/app/build.gradle#L99
				- https://github.com/michaeltroger/greenpass-android/issues/68
- PDFium
	- CVEs: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=PDFium
	- com.github.barteksc:android-pdf-viewer:3.2.0 using PDFium@32b639d from 2016-01-14
		- Implementer Libraries:
			- https://github.com/barteksc/AndroidPdfViewer/blob/d243b39377f19c3eae41e227067da254ebbf731b/android-pdf-viewer/build.gradle#L41
			- https://github.com/barteksc/PdfiumAndroid/tree/pdfium-android-1.9.0
		- Status: Has ~55 known security issues
		- Dependency Changelog: https://pdfium.googlesource.com/pdfium/+log/32b639de35f905a5e5559f305d9032cde5ae5c77
		- Dependent Apps:
			- Pdf Viewer Plus 3.7
				- https://github.com/JavaCafe01/PdfViewer/blob/v3.7/app/build.gradle#L79
				- https://github.com/JavaCafe01/PdfViewer/issues/175
			- /e/OS PDF Viewer
				- https://gitlab.e.foundation/e/os/pdfviewer/-/blob/821386ac069f16393a8ccff0cc8fc3a4b22e85f7/app/build.gradle#L100
				- no account, not reported
			- Sav PDF Viewer Pro 1.9
				- https://github.com/Sav22999/sav-pdf-viewer-pro/blob/1.9/app/build.gradle#L54
				- https://github.com/Sav22999/sav-pdf-viewer-pro/issues/28
	- com.github.tibbi:AndroidPdfViewer:da57ff410e using PDFium@32b639d from 2016-01-14
		- Implementer Libraries:
			- https://github.com/tibbi/AndroidPdfViewer/blob/da57ff410e3fb7bba831f5c7816834f2ed2d638d/android-pdf-viewer/build.gradle#L13
			- https://github.com/DineroRegnskab/PdfiumAndroid/commits/pdfium-android-1.9.2
				- Report: Issues are disabled, not reported
		- Report: Issues are disabled, not reported
		- Note: prebuilts are unclear, may actually be based off of M90 from 2021-03 instead
		- Status: Has ~5 or ~55 known security issues depending on note above
		- Dependent Apps:
			- Simple File Manager Pro 6.13.0
				- https://github.com/SimpleMobileTools/Simple-File-Manager/blob/6.13.0/app/build.gradle#L68
				- pinged: https://gitlab.com/fdroid/fdroiddata/-/merge_requests/11496/#note_1047350429
- WebRTC
	- Changelog:
		- https://groups.google.com/g/discuss-webrtc/search?q=psa%20release%20notes
		- https://webrtc.github.io/webrtc-org/release-notes/
	- CVEs: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=chrom%20webrtc
	- org.webrtc:google-webrtc:1.0.32006 (M86) from 2020-08-27
		- Status: Has ~17 known security issues
		- Dependent Apps:
			- Conversations 2.10.2.1+fcr, https://gitlab.com/fdroid/fdroiddata/-/blob/master/metadata/eu.siacs.conversations.yml#L2087
			- Quicksy 2.10.2.1+fcr, https://gitlab.com/fdroid/fdroiddata/-/blob/master/metadata/im.quicksy.client.yml#L585
			- Snikket 2.10.2+fcr, https://gitlab.com/fdroid/fdroiddata/-/blob/master/metadata/org.snikket.android.yml#L65
			- CWeb 0.1.6+free, https://gitlab.com/fdroid/fdroiddata/-/blob/master/metadata/com.cweb.messenger.yml#L39
			- Monocles Chat 1.5.1, https://codeberg.org/Arne/monocles_chat/src/tag/v1.5.1/build.gradle#L51
			- Cheogram 2.10.6-1+free, https://git.singpolyma.net/cheogram-android/tree/2.10.6-1-fdroid/item/build.gradle#L106
	- org.webrtc:google-webrtc:1.0.30039 (M79) from 2019-12-09
		- Status: Has ~25 known security issues
		- Dependent Apps:
			- Blabber.im 3.0.8, https://gitlab.com/fdroid/fdroiddata/-/blob/master/metadata/de.pixart.messenger.yml#L250
	- WebRTC@M56 from 2016-12-12
		- Status: Has a ton of known security issues
		- Dependent Apps:
			- CSipSimple 1.02.03-2459, https://gitlab.com/fdroid/fdroiddata/-/blob/master/metadata/com.csipsimple.yml#L58

Apps:
- LibreOffice Viewer 6.1.0 is from 2018-01-26
	- Status: Has ~15 known security issues
	- Dependency Changelog: https://cgit.freedesktop.org/libreoffice/core/commit/?id=484d0ea842da
	- CVEs: https://www.cvedetails.com/vulnerability-list/vendor_id-11439/product_id-21008/Libreoffice-Libreoffice.html
- Tinc 0.33 uses lzo-2.10 from 2017-03-01
	- Status: Has 1 security issue?
	- Version Declared: https://github.com/pacien/tincapp/blob/234b97c14fa8df899291b760602b9bfc7abdad36/app/CMakeLists.txt
	- Dependency Changelog: https://www.oberhumer.com/opensource/lzo/
	- Dependency Security Issue(s): https://github.com/ckolivas/lrzip/issues/163