Forgot to attach the patch; here it is.
diff --git a/debian/changelog b/debian/changelog
index a990dc45..05aabd67 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+fdroidserver (2.2.1-1+deb12u1) bookworm; urgency=medium
+
+ * Team upload.
+ * Add patch to fix security issue in certificate checks
+
+ -- Jochen Sprickerhof <jspricke@debian.org> Thu, 11 Apr 2024 11:20:33 +0200
+
fdroidserver (2.2.1-1) unstable; urgency=medium
* New upstream version 2.2.1
diff --git a/debian/patches/0004-Fix-signer-certificate-checks.patch b/debian/patches/0004-Fix-signer-certificate-checks.patch
new file mode 100644
index 00000000..8830d788
--- /dev/null
+++ b/debian/patches/0004-Fix-signer-certificate-checks.patch
@@ -0,0 +1,72 @@
+From: "FC (Fay) Stegerman" <flx@obfusk.net>
+Date: Thu, 11 Apr 2024 11:11:46 +0200
+Subject: Fix signer certificate checks
+
+This fixes the order the signatures are checked to be the same as
+Android does them and monkey patches androguard to handle duplicate
+signing blocks.
+
+This was reported as:
+
+https://www.openwall.com/lists/oss-security/2024/04/08/8
+
+Patch taken from:
+
+https://github.com/obfusk/fdroid-fakesigner-poc/blob/master/fdroidserver.patch
+---
+ fdroidserver/common.py | 33 ++++++++++++++++++++-------------
+ 1 file changed, 20 insertions(+), 13 deletions(-)
+
+diff --git a/fdroidserver/common.py b/fdroidserver/common.py
+index bc4265e..bd1a4c8 100644
+--- a/fdroidserver/common.py
++++ b/fdroidserver/common.py
+@@ -3001,28 +3001,35 @@ def signer_fingerprint(cert_encoded):
+
+ def get_first_signer_certificate(apkpath):
+ """Get the first signing certificate from the APK, DER-encoded."""
++ class FDict(dict):
++ def __setitem__(self, k, v):
++ if k not in self:
++ super().__setitem__(k, v)
++
+ certs = None
+ cert_encoded = None
+- with zipfile.ZipFile(apkpath, 'r') as apk:
+- cert_files = [n for n in apk.namelist() if SIGNATURE_BLOCK_FILE_REGEX.match(n)]
+- if len(cert_files) > 1:
+- logging.error(_("Found multiple JAR Signature Block Files in {path}").format(path=apkpath))
+- return None
+- elif len(cert_files) == 1:
+- cert_encoded = get_certificate(apk.read(cert_files[0]))
+-
+- if not cert_encoded and use_androguard():
++ if use_androguard():
+ apkobject = _get_androguard_APK(apkpath)
+- certs = apkobject.get_certificates_der_v2()
++ apkobject._v2_blocks = FDict()
++ certs = apkobject.get_certificates_der_v3()
+ if len(certs) > 0:
+- logging.debug(_('Using APK Signature v2'))
++ logging.debug(_('Using APK Signature v3'))
+ cert_encoded = certs[0]
+ if not cert_encoded:
+- certs = apkobject.get_certificates_der_v3()
++ certs = apkobject.get_certificates_der_v2()
+ if len(certs) > 0:
+- logging.debug(_('Using APK Signature v3'))
++ logging.debug(_('Using APK Signature v2'))
+ cert_encoded = certs[0]
+
++ if not cert_encoded:
++ with zipfile.ZipFile(apkpath, 'r') as apk:
++ cert_files = [n for n in apk.namelist() if SIGNATURE_BLOCK_FILE_REGEX.match(n)]
++ if len(cert_files) > 1:
++ logging.error(_("Found multiple JAR Signature Block Files in {path}").format(path=apkpath))
++ return None
++ elif len(cert_files) == 1:
++ cert_encoded = get_certificate(apk.read(cert_files[0]))
++
+ if not cert_encoded:
+ logging.error(_("No signing certificates found in {path}").format(path=apkpath))
+ return None
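Review bot: When `use_androguard()` is false the whole v3/v2 path is skipped and the function still hands back the JAR (v1) signer certificate from the `if not cert_encoded: with zipfile.ZipFile(apkpath, 'r') as apk:` fallback, which is exactly the Android-order mismatch the referenced advisory is about, so the fix only holds where androguard is installed. If the Debian package does not make androguard a hard dependency, that fallback should at least say so, e.g. `logging.warning(_('androguard not available, APK Signature v2/v3 not checked in {path}').format(path=apkpath))` before the v1 lookup, or refuse the APK outright. The `FDict.__setitem__` override only intercepts item assignment, not `dict.update()`, and `apkobject._v2_blocks = FDict()` replaces a private androguard attribute, so the duplicate-block handling works only if androguard fills `_v2_blocks` with `self._v2_blocks[k] = v` and does not reassign it when parsing; worth confirming against the androguard version Debian ships. The line deserves a comment stating the intent from the patch description, such as `# androguard keeps the last of duplicated signing-block IDs; keep the first instead, as Android does`. get_first_signer_certificate continues past the end of the hunk.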
diff --git a/debian/patches/series b/debian/patches/series
index ab17e6df..8e2df116 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
debian-java-detection.patch
ignore-irrelevant-test.patch
scanner-tests-need-dexdump.patch
+0004-Fix-signer-certificate-checks.patch