Bug#1068798: bookworm-pu: package fdroidserver/2.2.1-1

2024-04-11 Thread Adam D. Barratt
Control: tags -1 + moreinfo

On Thu, 2024-04-11 at 11:36 +0200, Jochen Sprickerhof wrote:
>   [ ] the issue is verified as fixed in unstable
> 
[...]
> Upstream is still working on a long term fix that will be uploaded to
> unstable later. I agreed with upstream to use the patch provided
> in the mail on oss-security already now.

In any case, assuming that the issue affects unstable (which appears to
be the case), it should be fixed there first.

Regards,

Adam



Bug#1068798: bookworm-pu: package fdroidserver/2.2.1-1

2024-04-11 Thread Jochen Sprickerhof

Forgot the patch..
diff --git a/debian/changelog b/debian/changelog
index a990dc45..05aabd67 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+fdroidserver (2.2.1-1+deb12u1) bookworm; urgency=medium
+
+  * Team upload.
+  * Add patch to fix security issue in certificate checks
+
+ -- Jochen Sprickerhof   Thu, 11 Apr 2024 11:20:33 +0200
+
 fdroidserver (2.2.1-1) unstable; urgency=medium
 
   * New upstream version 2.2.1
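Review bot: the changelog entry does not reference the bug this update is filed under or the report it fixes, so the stable changelog will not explain why the certificate checks changed. Suggest "* Add patch to fix security issue in certificate checks (Closes: #1068798)" and a line naming the oss-security report (https://www.openwall.com/lists/oss-security/2024/04/08/8) so the reason is recoverable from the package alone.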
diff --git a/debian/patches/0004-Fix-signer-certificate-checks.patch b/debian/patches/0004-Fix-signer-certificate-checks.patch
new file mode 100644
index ..8830d788
--- /dev/null
+++ b/debian/patches/0004-Fix-signer-certificate-checks.patch
@@ -0,0 +1,72 @@
+From: "FC (Fay) Stegerman" 
+Date: Thu, 11 Apr 2024 11:11:46 +0200
+Subject: Fix signer certificate checks
+
+This fixes the order the signatures are checked to be the same as
+Android does them and monkey patches androguard to handle duplicate
+signing blocks.
+
+This was reported as:
+
+https://www.openwall.com/lists/oss-security/2024/04/08/8
+
+Patch taken from:
+
+https://github.com/obfusk/fdroid-fakesigner-poc/blob/master/fdroidserver.patch
+---
+ fdroidserver/common.py | 33 -
+ 1 file changed, 20 insertions(+), 13 deletions(-)
+
+diff --git a/fdroidserver/common.py b/fdroidserver/common.py
+index bc4265e..bd1a4c8 100644
+--- a/fdroidserver/common.py
 b/fdroidserver/common.py
+@@ -3001,28 +3001,35 @@ def signer_fingerprint(cert_encoded):
+ 
+ def get_first_signer_certificate(apkpath):
+ """Get the first signing certificate from the APK, DER-encoded."""
++class FDict(dict):
++def __setitem__(self, k, v):
++if k not in self:
++super().__setitem__(k, v)
++
+ certs = None
+ cert_encoded = None
+-with zipfile.ZipFile(apkpath, 'r') as apk:
+-cert_files = [n for n in apk.namelist() if SIGNATURE_BLOCK_FILE_REGEX.match(n)]
+-if len(cert_files) > 1:
+-logging.error(_("Found multiple JAR Signature Block Files in {path}").format(path=apkpath))
+-return None
+-elif len(cert_files) == 1:
+-cert_encoded = get_certificate(apk.read(cert_files[0]))
+-
+-if not cert_encoded and use_androguard():
++if use_androguard():
+ apkobject = _get_androguard_APK(apkpath)
+-certs = apkobject.get_certificates_der_v2()
++apkobject._v2_blocks = FDict()
++certs = apkobject.get_certificates_der_v3()
+ if len(certs) > 0:
+-logging.debug(_('Using APK Signature v2'))
++logging.debug(_('Using APK Signature v3'))
+ cert_encoded = certs[0]
+ if not cert_encoded:
+-certs = apkobject.get_certificates_der_v3()
++certs = apkobject.get_certificates_der_v2()
+ if len(certs) > 0:
+-logging.debug(_('Using APK Signature v3'))
++logging.debug(_('Using APK Signature v2'))
+ cert_encoded = certs[0]
+ 
++if not cert_encoded:
++with zipfile.ZipFile(apkpath, 'r') as apk:
++cert_files = [n for n in apk.namelist() if SIGNATURE_BLOCK_FILE_REGEX.match(n)]
++if len(cert_files) > 1:
++logging.error(_("Found multiple JAR Signature Block Files in {path}").format(path=apkpath))
++return None
++elif len(cert_files) == 1:
++cert_encoded = get_certificate(apk.read(cert_files[0]))
++
+ if not cert_encoded:
+ logging.error(_("No signing certificates found in {path}").format(path=apkpath))
+ return None
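Review bot: the `apkobject._v2_blocks = FDict()` assignment reaches into a private androguard attribute and only works if `_get_androguard_APK` returns an object whose signing block has not yet been parsed, so the fix silently stops applying if androguard populates `_v2_blocks` eagerly or renames it. Add a comment stating which androguard version in bookworm this was checked against, and add a regression test with an APK carrying two signing blocks of the same ID so the behaviour is pinned rather than assumed. Two smaller points in the same hunk: `FDict.__setitem__` drops a duplicate block without any log line, although a second block with the same ID is itself a strong tampering signal and deserves at least a warning; and when `use_androguard()` is false the new order falls straight through to the JAR signature path, so a v2/v3-only APK still ends in "No signing certificates found", which is unchanged from before but worth noting in the patch description.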
diff --git a/debian/patches/series b/debian/patches/series
index ab17e6df..8e2df116 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
 debian-java-detection.patch
 ignore-irrelevant-test.patch
 scanner-tests-need-dexdump.patch
+0004-Fix-signer-certificate-checks.patch
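Review bot: the new entry is the only numbered one in the series (the existing three are unnumbered), which is harmless for quilt but inconsistent; either drop the `0004-` prefix or keep the prefix and note that the numbering follows upstream's `git format-patch` output.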




Bug#1068798: bookworm-pu: package fdroidserver/2.2.1-1

2024-04-11 Thread Jochen Sprickerhof
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: fdroidser...@packages.debian.org, Hans-Christoph Steiner 

Control: affects -1 + src:fdroidserver
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]
There was a security problem reported against fdroidserver:

https://www.openwall.com/lists/oss-security/2024/04/08/8

[ Impact ]
Stable users of fdroidserver running their own repo could be tricked
into providing wrongly signed files.

[ Tests ]
Manual test on F-Droid internal datasets as well as automated tests
inside fdroidserver.

[ Risks ]
Low, the relevant code is only used to extract and verify signatures.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [ ] the issue is verified as fixed in unstable

[ Changes ]
The patch reorders the code as well as changes the code of the imported
androguard library.

[ Other info ]
Upstream is still working on a long term fix that will be uploaded to
unstable later. I agreed with upstream to use the patch provided in
the mail on oss-security already now.
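The [Changes] section above describes two things the patch does: it checks the v3 block before v2 before the JAR signature, and it makes a repeated signing-block ID keep the first copy instead of letting the last one overwrite it (the `FDict` monkey patch). The following is an added example written for this page, not code from fdroidserver or androguard: a small parser for the APK Signing Block container (uint64 size, ID-value pairs, uint64 size, 16-byte magic) that can be run in either first-wins or last-wins mode and then applies the patched v3-then-v2 order. The block IDs and layout are the documented APK Signing Block constants; the function names, the `first_wins` flag and the sample block with two v2 entries are assumptions constructed here to show why the overwrite matters.

```python
import struct

# Block IDs from the APK Signing Block format (documented constants).
V2_BLOCK_ID = 0x7109871A  # APK Signature Scheme v2
V3_BLOCK_ID = 0xF05368C0  # APK Signature Scheme v3
MAGIC = b"APK Sig Block 42"
# Trailer = uint64 size_of_block + 16-byte magic
FOOTER_LEN = 8 + len(MAGIC)


def build_signing_block(pairs):
    """Serialise (block_id, value) pairs into an APK Signing Block.

    Layout: uint64 size_of_block, ID-value pairs (uint64 pair_len, uint32 id,
    value bytes), uint64 size_of_block again, then the magic. size_of_block
    excludes the leading size field itself. Used here only to construct
    test input; a real APK has this block just before its central directory.
    """
    body = b"".join(
        struct.pack("<QI", 4 + len(value), block_id) + value
        for block_id, value in pairs
    )
    size_of_block = len(body) + FOOTER_LEN
    return (struct.pack("<Q", size_of_block) + body
            + struct.pack("<Q", size_of_block) + MAGIC)


def parse_signing_block(block, first_wins=True):
    """Return ({block_id: value}, [duplicate block_ids]).

    first_wins=True keeps the first copy of a repeated ID, which is what the
    patch's FDict enforces. first_wins=False is a plain dict: the last copy
    silently overwrites the first, so a second block appended by an attacker
    is the one that gets verified.
    """
    if len(block) < 8 + FOOTER_LEN or block[-len(MAGIC):] != MAGIC:
        raise ValueError("not an APK Signing Block")
    size_head, = struct.unpack_from("<Q", block, 0)
    size_tail, = struct.unpack_from("<Q", block, len(block) - FOOTER_LEN)
    if size_head != size_tail or size_head + 8 != len(block):
        raise ValueError("size fields disagree with block length")

    blocks, duplicates = {}, []
    pos, end = 8, len(block) - FOOTER_LEN
    while pos < end:
        if end - pos < 12:
            raise ValueError("truncated ID-value pair header")
        pair_len, block_id = struct.unpack_from("<QI", block, pos)
        if pair_len < 4 or pos + 8 + pair_len > end:
            raise ValueError("ID-value pair overruns block")
        value = block[pos + 12:pos + 8 + pair_len]
        pos += 8 + pair_len
        if block_id in blocks:
            duplicates.append(block_id)   # caller should treat this as suspicious
            if first_wins:
                continue
        blocks[block_id] = value
    return blocks, duplicates


def select_signature(blocks):
    """Pick the scheme in the patched order: v3 first, then v2, else None."""
    for name, block_id in (("v3", V3_BLOCK_ID), ("v2", V2_BLOCK_ID)):
        if block_id in blocks:
            return name, blocks[block_id]
    return None, None


# Constructed sample: the genuine v2 block first, then a second v2 block
# with a different payload appended after it (assumed attacker data).
SAMPLE = build_signing_block([(V2_BLOCK_ID, b"signer-A"),
                              (V2_BLOCK_ID, b"signer-B")])

if __name__ == "__main__":
    strict, dups = parse_signing_block(SAMPLE, first_wins=True)
    naive, _ = parse_signing_block(SAMPLE, first_wins=False)
    print("first-wins:", select_signature(strict),
          "duplicates:", [hex(d) for d in dups])
    print("last-wins: ", select_signature(naive))
```

The `duplicates` list is returned separately on purpose: even with first-wins semantics a repeated block ID is not something a legitimately signed APK produces, so a repository tool can log it or refuse the file rather than only picking the right copy.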