Should someone stumble upon the security vulnerability disclosure at openwall.com/lists/oss-securit… – be assured the patches have already been applied at #IzzyOnDroid (and also that androguard is already aware: github.com/androguard/androgua…)
Also see the toot by the original finder: tech.lgbt/@obfusk/113765201775…
Link card: Invalid regexp for the certificate · Issue #1097 · androguard/androguard (GitHub)
See: https://www.openwall.com/lists/oss-security/2025/01/03/1 Seems a good idea to patch ;) The regex in question -- ^META-INF/..(DSA|EC|RSA)$ -- is supposed to match all filenames that start with ...
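Added example (my own; not code from androguard, IzzyOnDroid or anyone in this thread): it runs the signature-file regex exactly as it is quoted in the card above, ^META-INF/..(DSA|EC|RSA)$, over a handful of constructed JAR entry names, next to a second pattern that spells out the intent the card states (name starts with META-INF/ and ends in .DSA, .EC or .RSA). Taken literally, the quoted `..` means "any two characters" and there is no literal dot before the extension, so the two forms disagree on realistic names. The "intended" pattern, the sample names, and the assumption that entries in subdirectories of META-INF/ should count are this example's own, not the fix androguard or anyone else shipped; if the quoted form lost a backslash on its way onto this page, compare against the issue itself.

```python
"""Compare the META-INF signature-block regex as quoted on this page with a
pattern written here to express its stated intent.  Added example; the
'intended' pattern and all sample entry names are assumptions, not androguard's
shipped fix or entries from a real APK."""
import re

# The pattern as quoted in the issue card: `..` matches any two characters and
# nothing requires a literal dot before DSA/EC/RSA.
QUOTED_RE = re.compile(r"^META-INF/..(DSA|EC|RSA)$")

# Assumed intent, for contrast: anything under META-INF/ whose extension is
# .DSA, .EC or .RSA, with the dot escaped so it is a literal dot.  Whether a
# nested path under META-INF/ should count is also an assumption made here.
INTENDED_RE = re.compile(r"^META-INF/.*\.(DSA|EC|RSA)$")

# Constructed sample entry names (not taken from any real APK).
SAMPLE_ENTRIES = [
    "META-INF/CERT.RSA",      # the shape signing tools usually produce
    "META-INF/CERT.SF",       # signature file, should not match either form
    "META-INF/MANIFEST.MF",   # manifest, should not match either form
    "META-INF/A.EC",          # one-char base name: 'A.' is exactly two chars
    "META-INF/xxRSA",         # no dot, no extension at all
    "META-INF/sub/KEY.DSA",   # nested path under META-INF/
    "classes.dex",            # not under META-INF/ at all
]


def matches(pattern, names):
    """Return the names accepted by `pattern` (anchored via re.match + '$')."""
    return [n for n in names if pattern.match(n)]


def classify(names=SAMPLE_ENTRIES):
    """Split `names` into: accepted only by the quoted regex, only by the
    intended one, or by both."""
    quoted = set(matches(QUOTED_RE, names))
    intended = set(matches(INTENDED_RE, names))
    return {
        "quoted_only": sorted(quoted - intended),
        "intended_only": sorted(intended - quoted),
        "both": sorted(quoted & intended),
    }


if __name__ == "__main__":
    for bucket, names in classify().items():
        print(f"{bucket:14s} {names}")
```

Running it shows the quoted form rejecting META-INF/CERT.RSA while accepting META-INF/xxRSA, which has no extension at all; a scanner that uses the regex to decide which entries carry the v1 signature block would therefore look at the wrong files. The one-character name META-INF/A.EC is the only sample on which both forms agree to accept, which is why a quick manual test with a short name can miss the defect.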
Hans-Christoph Steiner (in reply to IzzyOnDroid ✅):

IzzyOnDroid ✅ (in reply to Hans-Christoph Steiner):
@eighthave The regex fix is also considered by Androguard, yeah. And I didn't make the POC; that area is not in my expertise¹. I could check if there are any v1-only APKs in our repo² (not aware of any right away, though, but we still have some older apps here – and there are still some older devices around; we support "device longevity" 😉). But v1 IS important here, as we still support signing key rotation³ (and have at least 1 app using that).
(1/2)

IzzyOnDroid ✅ (in reply to IzzyOnDroid ✅):
@eighthave (2/2)
¹ I can follow it, but not create such on my own
² we would need time to set up a script for that; remember we're just a very small team with no grants; most work is still on my shoulders, next to a full-time $dayjob
³ we didn't use your implementation for fdroidserver back in spring but applied the patches provided by Fay, so signing key rotation is still supported at IzzyOnDroid
IzzyOnDroid ✅ (in reply to IzzyOnDroid ✅):
@eighthave (3/2)
"I'd need to see a v2-signed APK that is installable on Android that demonstrates the exploit in order to consider this an actionable security vulnerability."
I'd rather not wait until an exploit is out-and-about. The patch is easy and not complex. Better safe than sorry. And one should fix (even potential) vulnerabilities *before* they become exploits.
IzzyOnDroid ✅ (in reply to IzzyOnDroid ✅):

Hans-Christoph Steiner (in reply to IzzyOnDroid ✅):

IzzyOnDroid ✅ (in reply to Hans-Christoph Steiner):

Hans-Christoph Steiner (in reply to IzzyOnDroid ✅):

IzzyOnDroid ✅ (in reply to Hans-Christoph Steiner):
@eighthave android.izzysoft.de/articles/n… outlines several of our layers. And you still have one of our scanners in your issuebot – though for some reason it seems not to have been run for quite a long time (I never saw it in issuebot reports for about 2 years now).
You can find our scanning scripts at gitlab.com/IzzyOnDroid/repo (look at the Readme in the lib/ directory). We plan to make them available as Docker/Podman image, but no ETA yet.
Link card: Zusätzliche APK-Checks im IzzyOnDroid Repo (Additional APK checks in the IzzyOnDroid repo) (IzzyOnDroid)

Hans-Christoph Steiner (in reply to Hans-Christoph Steiner):

IzzyOnDroid ✅ (in reply to Hans-Christoph Steiner):

IzzyOnDroid ✅ (in reply to IzzyOnDroid ✅):

IzzyOnDroid ✅ (in reply to IzzyOnDroid ✅):
Link card: Potential security hazard: `apk_signer_fingerprint()` looks at certs in reverse order that Android checks them (#1128) · Issues · F-Droid / fdroidserver · GitLab

IzzyOnDroid ✅ (in reply to IzzyOnDroid ✅):
@eighthave (4/5) quoting from f-droid.org/2024/05/24/mobifre…
> For more than 14 years, F-Droid has been developing solutions which act as pieces of the alternative mobile ecosystem puzzle. So it was a natural fit for F-Droid to become a contributing partner in the broader Mobifree project.
IzzyOnDroid ✅ (in reply to IzzyOnDroid ✅):
@eighthave (5/5) And looking at Mobifree, from nlnet.nl/mobifree/
> Our goal is to help mobile technology evolve to a more healthy state, provide people with concrete new tools and more reliable infrastructure, in order to provide better security and allow users more agency and choice.
"Better security". Should be the perfect fit for a security issue, no? 😉
Link card: NLnet; NGI Mobifree (nlnet.nl)

Hans-Christoph Steiner (in reply to IzzyOnDroid ✅):

IzzyOnDroid ✅ (in reply to Hans-Christoph Steiner):
@eighthave I was just wondering, as the corresponding issue carries the Mobifree label. And sorry, we have all hands full with work on IzzyOnDroid – so all we can contribute are those patches; we cannot help you roll them out at F-Droid.org.
The patches work fine, we use them ourselves. Not sure though how they harmonize with your alternative implementation, which we didn't merge at our end (we use the patches we proposed back then). But we even provide a patch for that variant, please test.
Hans-Christoph Steiner (in reply to IzzyOnDroid ✅):

IzzyOnDroid ✅ (in reply to Hans-Christoph Steiner):

Hans-Christoph Steiner (in reply to IzzyOnDroid ✅):

IzzyOnDroid ✅ (in reply to Hans-Christoph Steiner):

Hans-Christoph Steiner (in reply to IzzyOnDroid ✅):

Hans-Christoph Steiner (in reply to IzzyOnDroid ✅):

Matija Nalis (in reply to Hans-Christoph Steiner):
@IzzyOnDroid

IzzyOnDroid ✅ (in reply to Matija Nalis):

Matija Nalis (in reply to IzzyOnDroid ✅):
Or maybe tag them with that "Vulnerable" flag that F-Droid apps (esp. browsers) get occasionally?

IzzyOnDroid ✅ (in reply to Matija Nalis):