Forgot the patch..
diff --git a/debian/changelog b/debian/changelog
index a990dc45..05aabd67 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+fdroidserver (2.2.1-1+deb12u1) bookworm; urgency=medium
+
+ * Team upload.
+ * Add patch to fix security issue in certificate checks
+
+ -- Jochen Sprickerhof <jspri...@debian.org> Thu, 11 Apr 2024 11:20:33 +0200
+
 fdroidserver (2.2.1-1) unstable; urgency=medium
 * New upstream version 2.2.1
diff --git a/debian/patches/0004-Fix-signer-certificate-checks.patch b/debian/patches/0004-Fix-signer-certificate-checks.patch
new file mode 100644
index 00000000..8830d788
--- /dev/null
+++ b/debian/patches/0004-Fix-signer-certificate-checks.patch
@@ -0,0 +1,72 @@
+From: "FC (Fay) Stegerman" <f...@obfusk.net>
+Date: Thu, 11 Apr 2024 11:11:46 +0200
+Subject: Fix signer certificate checks
+
+This fixes the order the signatures are checked to be the same as
+Android does them and monkey patches androguard to handle duplicate
+signing blocks.
+
+This was reported as:
+
+https://www.openwall.com/lists/oss-security/2024/04/08/8
+
+Patch taken from:
+
+https://github.com/obfusk/fdroid-fakesigner-poc/blob/master/fdroidserver.patch
+---
+ fdroidserver/common.py | 33 ++++++++++++++++++++-------------
+ 1 file changed, 20 insertions(+), 13 deletions(-)
+
+diff --git a/fdroidserver/common.py b/fdroidserver/common.py
+index bc4265e..bd1a4c8 100644
+--- a/fdroidserver/common.py
++++ b/fdroidserver/common.py
+@@ -3001,28 +3001,35 @@ def signer_fingerprint(cert_encoded):
+
+ def get_first_signer_certificate(apkpath):
+ """Get the first signing certificate from the APK, DER-encoded."""
++ class FDict(dict):
++ def __setitem__(self, k, v):
++ if k not in self:
++ super().__setitem__(k, v)
++
+ certs = None
+ cert_encoded = None
+- with zipfile.ZipFile(apkpath, 'r') as apk:
+- cert_files = [n for n in apk.namelist() if SIGNATURE_BLOCK_FILE_REGEX.match(n)]
+- if len(cert_files) > 1:
+- logging.error(_("Found multiple JAR Signature Block Files in {path}").format(path=apkpath))
+- return None
+- elif len(cert_files) == 1:
+- cert_encoded = get_certificate(apk.read(cert_files[0]))
+-
+- if not cert_encoded and use_androguard():
++ if use_androguard():
+ apkobject = _get_androguard_APK(apkpath)
+- certs = apkobject.get_certificates_der_v2()
++ apkobject._v2_blocks = FDict()
++ certs = apkobject.get_certificates_der_v3()
+ if len(certs) > 0:
+- logging.debug(_('Using APK Signature v2'))
++ logging.debug(_('Using APK Signature v3'))
+ cert_encoded = certs[0]
+ if not cert_encoded:
+- certs = apkobject.get_certificates_der_v3()
++ certs = apkobject.get_certificates_der_v2()
+ if len(certs) > 0:
+- logging.debug(_('Using APK Signature v3'))
++ logging.debug(_('Using APK Signature v2'))
+ cert_encoded = certs[0]
+
++ if not cert_encoded:
++ with zipfile.ZipFile(apkpath, 'r') as apk:
++ cert_files = [n for n in apk.namelist() if SIGNATURE_BLOCK_FILE_REGEX.match(n)]
++ if len(cert_files) > 1:
++ logging.error(_("Found multiple JAR Signature Block Files in {path}").format(path=apkpath))
++ return None
++ elif len(cert_files) == 1:
++ cert_encoded = get_certificate(apk.read(cert_files[0]))
++
+ if not cert_encoded:
+ logging.error(_("No signing certificates found in {path}").format(path=apkpath))
+ return None
diff --git a/debian/patches/series b/debian/patches/series
index ab17e6df..8e2df116 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
 debian-java-detection.patch
 ignore-irrelevant-test.patch
 scanner-tests-need-dexdump.patch
+0004-Fix-signer-certificate-checks.patch
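Review bot: The monkey patch `apkobject._v2_blocks = FDict()` in the added lines of get_first_signer_certificate relies on an undocumented androguard internal without any comment saying why it is there or what it depends on, so a later androguard release that fills that attribute by another route (e.g. not through `__setitem__`) would silently drop the duplicate-block protection this patch exists to add. The nested class deserves a docstring such as `"""dict that keeps the first value stored under a key; a repeated APK Signing Block entry must not replace the one already parsed."""` together with a note naming the androguard version this was verified against. FDict also discards the repeated entry silently; an APK carrying two blocks under the same key is worth surfacing, e.g. an `else:` branch with `logging.warning('Ignoring duplicate APK Signing Block entry %s in %s', k, apkpath)`, so a repository maintainer can spot such files in the logs. The `certs = None` initialisation is now dead whenever use_androguard() is false and could be dropped. The function's tail (its final return) lies outside the hunk.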