last updated: 2023/01/15

Preface:
- This is a list of dependencies and apps that may have known vulnerabilities
- These apps may not actually expose the vulnerable functionality
- These apps may have mechanisms in place to mitigate the vulnerable functionality
- The primary focus is F-Droid variants of the apps; upstream versions may not be impacted
- This is not meant to be treated as "perfectly correct" or any form of audit, just a cursory check
- This document has been refreshed a handful of times, but it is quite time consuming to keep updated

See something wrong? Open an issue or merge request:
- https://gitlab.com/Divested-Mobile/DivestOS-Website/-/blob/master/static/misc/appsec.txt
- https://github.com/Divested-Mobile/DivestOS-Website/blob/master/static/misc/appsec.txt
- https://codeberg.org/divested-mobile/divestos-website/src/branch/master/static/misc/appsec.txt

Libraries:
- iText
  - Changelog: https://github.com/itext/itextpdf/releases
  - com.itextpdf:itextg:5.5.10 from 2016-10-07
    - Status: Has ~5 known security issues
    - Dependent Apps:
      - Attestation de déplacement 3.7.0:
        - Reference: https://github.com/AdrienPoupa/AttestationDeplacement/blob/3.7.0/app/build.gradle#L42
        - Report: https://github.com/AdrienPoupa/AttestationDeplacement/issues/131
        - Repository was archived after reporting
      - PDF Creator 3.8:
        - Reference: https://github.com/scoute-dich/PDFCreator/blob/v3.8/app/build.gradle#L34
        - Repository archived, not reported
    - Projects to keep an eye on:
      - https://github.com/Swati4star/Images-to-PDF/
  - com.itextpdf:itextg:5.5.6 from 2015-05-08
    - Status: Has ~5 known security issues
    - Dependent Apps:
      - ePUBator 0.12:
        - Reference: https://sourceforge.net/p/epubator/code/ci/master/tree/ePUBator/lib/
        - App hasn't been updated since 2015, not reported
- MuPDF
  - Changelog: https://mupdf.com/releases/history.html
  - CVEs: https://www.cvedetails.com/vulnerability-list/vendor_id-10846/product_id-20840/Artifex-Mupdf.html
  - MuPDF 1.16.1 from 2019-08-02
    - Status: Has ~5 known security issues
    - Dependent Apps:
      - Orion Viewer 0.81.2:
        - Reference: https://github.com/max-kammerer/orion-viewer/commits/0.81.2_fdroid/nativeLibs/mupdfModule
        - Report: https://github.com/max-kammerer/orion-viewer/issues/40
  - MuPDF 1.11 from 2017-04-11
    - Status: Has ~31 known security issues
    - Dependent Apps:
      - Librera Reader 8.8.5
        - Reference: https://github.com/foobnix/LibreraReader/blob/8.8.5/app/src/main/java/com/foobnix/pdf/info/AppsConfig.java#L30
        - Reference: https://gitlab.com/fdroid/fdroiddata/-/blob/master/metadata/com.foobnix.pro.pdf.reader.yml#L318
        - Report: https://github.com/foobnix/LibreraReader/issues/1030
        - App bundles MuPDF 1.11 both as the default and for legacy Android 4.0 compatibility
        - App optionally includes MuPDF 1.20.4, which a user can choose to use instead
      - Document Viewer 2.8.2
        - Reference: https://github.com/SufficientlySecure/document-viewer/commits/v2.8.2/document-viewer/jni/mupdf
        - Note: has 4 issues patched: https://github.com/SufficientlySecure/document-viewer/commit/0bfb13b1b65cc27145b4526a3c2564ecdb468674
        - Report: https://github.com/SufficientlySecure/document-viewer/issues/277
        - Unmaintained
    - Ancient versions (unmaintained and not reported):
      - APV PDF Viewer 0.4.0, Reference: https://github.com/mpietrzak/apv/tree/a6510d26791fdd94baecaaf346dfc821e76bd8da/pdfview/deps
      - PDF Reader 0.4.0, Reference: https://github.com/droidapps/pdfreader4Android/tree/0.4.0-patched/jni/mupdf/pdf
      - VuDroid 1.4, Reference: was on the now defunct Google Code
- PDF.js
  - Changelog: https://github.com/mozilla/pdf.js/releases
  - PDF.js 1.5.188 from 2016-04-21
    - Status: Has ~1 known security issue
    - Dependent Apps:
      - CuprumPDF v1.3.0
        - Reference: https://github.com/paride/CopperPDF/blob/v1.3.0/app/src/main/assets/pdf.js#L31
        - Repository archived, not reported
- PDFium
  - CVEs: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=PDFium
  - com.github.barteksc:android-pdf-viewer:3.2.0 using PDFium@32b639d from 2016-01-14
    - Implementer Libraries:
      - https://github.com/barteksc/AndroidPdfViewer/blob/d243b39377f19c3eae41e227067da254ebbf731b/android-pdf-viewer/build.gradle#L41
      - https://github.com/barteksc/PdfiumAndroid/tree/pdfium-android-1.9.0
    - Status: Has ~60 known security issues
    - Dependency Changelog: https://pdfium.googlesource.com/pdfium/+log/32b639de35f905a5e5559f305d9032cde5ae5c77
    - Dependent Apps:
      - Pdf Viewer Plus 3.7
        - Reference: https://github.com/JavaCafe01/PdfViewer/blob/v3.7/app/build.gradle#L79
        - Report: https://github.com/JavaCafe01/PdfViewer/issues/175
        - Repository was archived after reporting
      - /e/OS PDF Viewer
        - Reference: https://gitlab.e.foundation/e/os/pdfviewer/-/blob/0d7ac995a928f37d10988222a31a14a8458582a5/app/build.gradle#L95
        - No account, not reported
      - Sav PDF Viewer Pro 1.9
        - Reference: https://github.com/Sav22999/sav-pdf-viewer-pro/blob/1.9/app/build.gradle#L54
        - Report: https://github.com/Sav22999/sav-pdf-viewer-pro/issues/28
    - Projects to keep an eye on:
      - https://gitlab.com/fdroid/fdroiddata/-/blob/master/metadata/com.github.axet.bookreader.yml
      - https://gitlab.com/iode/os/apps/PdfViewerPlus
- WebRTC
  - Changelog:
    - https://groups.google.com/g/discuss-webrtc/search?q=psa%20release%20notes
    - https://webrtc.github.io/webrtc-org/release-notes/
  - CVEs: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=chrom%20webrtc
  - TODO: check ch.threema:webrtc-android:100.0.0
    - M100 notably has no release notes
    - and is before CVE-2022-2294 was fixed
  - WebRTC@M56 from 2016-12-12
    - Status: Has a ton of known security issues
    - Dependent Apps:
      - CSipSimple 1.02.03-2459, Reference: https://gitlab.com/fdroid/fdroiddata/-/blob/master/metadata/com.csipsimple.yml#L58
    - Projects to keep an eye on:
      - https://gitlab.com/fdroid/fdroiddata/-/blob/master/metadata/com.cweb.messenger.yml
      - https://gitlab.com/fdroid/fdroiddata/-/blob/master/metadata/de.monocles.chat.yml
      - https://gitlab.com/fdroid/fdroiddata/-/blob/master/metadata/de.pixart.messenger.yml
      - https://gitlab.com/fdroid/fdroiddata/-/blob/master/metadata/eu.siacs.conversations.yml
      - https://gitlab.com/fdroid/fdroiddata/-/blob/master/metadata/eu.sum7.conversations.yml
      - https://gitlab.com/fdroid/fdroiddata/-/blob/master/metadata/im.quicksy.client.yml
      - https://gitlab.com/fdroid/fdroiddata/-/blob/master/metadata/org.snikket.android.yml
      - https://gitlab.com/fdroid/fdroiddata/-/blob/master/metadata/com.cheogram.android.yml

Apps:
- Tinc 0.33 uses lzo-2.10 from 2017-03-01
  - Status: Has 1 security issue?
  - Version Declared: https://github.com/pacien/tincapp/blob/234b97c14fa8df899291b760602b9bfc7abdad36/app/CMakeLists.txt
  - Dependency Changelog: https://www.oberhumer.com/opensource/lzo/
  - Dependency Security Issue(s): https://github.com/ckolivas/lrzip/issues/163