Your message dated Sat, 10 Feb 2024 13:11:21 +0000
with message-id <e1ryn8b-002yb0...@coccia.debian.org>
and subject line Released with 12.5
has caused the Debian Bug report #1060433,
regarding bookworm-pu: package apktool/2.7.0+dfsg-6+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1060433: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1060433
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---

Package: release.debian.org
Control: affects -1 + src:apktool
X-Debbugs-Cc: apkt...@packages.debian.org
User: release.debian....@packages.debian.org
Usertags: pu
Tags: bookworm
Severity: normal

[ Reason ]

This fixes CVE-2024-21633.

[ Impact ]

If this is not included, bookworm users will be vulnerable to attacks
when analyzing malicious APKs with apktool.  These attacks will be
able to write/overwrite any file that the user has permission to.

[ Tests ]

The existing autopkgtest covers code/functionality that is patched.

[ Risks ]

It is a very simple fix and problems should be rapidly visible via the
tests.  Worst case, apktool will decompile a file to the wrong
location, but will tell the user the path.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

Include upstream patch to 2.7.0 to fix CVE-2024-21633.

[ Other info ]

Upstream reached out to help get this updated in Debian, so they
deemed it quite important to fix.  This is the first time upstream has
communicated with the Debian maintainers about this package, IIRC.
diff -Nru apktool-2.7.0+dfsg/debian/changelog 
apktool-2.7.0+dfsg/debian/changelog
--- apktool-2.7.0+dfsg/debian/changelog 2023-03-21 09:41:45.000000000 +0100
+++ apktool-2.7.0+dfsg/debian/changelog 2024-01-10 20:08:30.000000000 +0100
@@ -1,3 +1,11 @@
+apktool (2.7.0+dfsg-6+deb12u1) bookworm; urgency=medium
+
+  * Team upload.
+  * CVE-2024-21633: Prevent arbitrary file writes with malicious resource
+    names. (Closes: #1060013)
+
+ -- Hans-Christoph Steiner <h...@eds.org>  Wed, 10 Jan 2024 20:08:30 +0100
+
 apktool (2.7.0+dfsg-6) unstable; urgency=medium
 
   * only test APK build on arches with aapt that can do it
diff -Nru 
apktool-2.7.0+dfsg/debian/patches/CVE-2024-21633-Prevent-arbitrary-file-writes-with-malicious-resourc.patch
 
apktool-2.7.0+dfsg/debian/patches/CVE-2024-21633-Prevent-arbitrary-file-writes-with-malicious-resourc.patch
--- 
apktool-2.7.0+dfsg/debian/patches/CVE-2024-21633-Prevent-arbitrary-file-writes-with-malicious-resourc.patch
 1970-01-01 01:00:00.000000000 +0100
+++ 
apktool-2.7.0+dfsg/debian/patches/CVE-2024-21633-Prevent-arbitrary-file-writes-with-malicious-resourc.patch
 2024-01-10 20:07:42.000000000 +0100
@@ -0,0 +1,92 @@
+From 087f89ebc0dd87e74c8945f074f25b51b195cb83 Mon Sep 17 00:00:00 2001
+From: Connor Tumbleson <ibotpeac...@users.noreply.github.com>
+Date: Tue, 2 Jan 2024 06:11:03 -0500
+Forwarded: 
https://github.com/iBotPeaches/Apktool/commit/087f89ebc0dd87e74c8945f074f25b51b195cb83
+Subject: [PATCH 1/1] Prevent arbitrary file writes with malicious resource
+ names. (#3484)
+
+CVE-2024-21633
+
+* refactor: rename sanitize function
+
+* fix: expose getDir
+
+* fix: safe handling of untrusted resource names
+
+ - fixes: GHSA-2hqv-2xv4-5h5w
+
+* test: sample file for GHSA-2hqv-2xv4-5h5w
+
+* refactor: avoid detection of absolute files for resource check
+
+* chore: enable info mode on gradle
+
+* test: skip test on windows
+
+* chore: debug windows handling
+
+* fix: normalize entry with file separators
+
+* fix: normalize filepath after cleansing
+
+* chore: Android paths are not OS specific
+
+* refactor: use java.nio for path traversal checking
+
+* chore: align path separator on Windows for Zip files
+
+* chore: rework towards basic directory traversal
+
+* chore: remove '--info' on build.yml
+---
+ .../java/brut/androlib/res/decoder/ResFileDecoder.java    | 8 ++++++++
+ brut.j.util/src/main/java/brut/util/BrutIO.java           | 7 +++++++
+ 2 files changed, 15 insertions(+)
+
+diff --git 
a/brut.apktool/apktool-lib/src/main/java/brut/androlib/res/decoder/ResFileDecoder.java
 
b/brut.apktool/apktool-lib/src/main/java/brut/androlib/res/decoder/ResFileDecoder.java
+index a3174411..16ad35f9 100644
+--- 
a/brut.apktool/apktool-lib/src/main/java/brut/androlib/res/decoder/ResFileDecoder.java
++++ 
b/brut.apktool/apktool-lib/src/main/java/brut/androlib/res/decoder/ResFileDecoder.java
+@@ -25,6 +25,7 @@ import brut.androlib.res.data.value.ResFileValue;
+ import brut.directory.DirUtil;
+ import brut.directory.Directory;
+ import brut.directory.DirectoryException;
++import brut.util.BrutIO;
+ 
+ import java.io.*;
+ import java.util.Map;
+@@ -47,6 +48,13 @@ public class ResFileDecoder {
+         String outResName = res.getFilePath();
+         String typeName = res.getResSpec().getType().getName();
+ 
++        if (BrutIO.detectPossibleDirectoryTraversal(outResName)) {
++            outResName = inFileName;
++            LOGGER.warning(String.format(
++                "Potentially malicious file path: %s, using instead %s", 
res.getFilePath(), outResName
++            ));
++        }
++
+         String ext = null;
+         String outFileName;
+         int extPos = inFileName.lastIndexOf(".");
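Review bot: the fallback `outResName = inFileName;` substitutes the archive entry name without passing it through the same `BrutIO.detectPossibleDirectoryTraversal` check, so this hunk relies on `inFileName` having been validated before it reaches `ResFileDecoder`; a short comment pointing at where that happens (or applying the check to both names) would make the invariant explicit. The warning does log both the rejected `res.getFilePath()` and the name used instead, which matches the "will tell the user the path" claim in [ Risks ].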
+diff --git a/brut.j.util/src/main/java/brut/util/BrutIO.java 
b/brut.j.util/src/main/java/brut/util/BrutIO.java
+index 76432638..f99144e0 100644
+--- a/brut.j.util/src/main/java/brut/util/BrutIO.java
++++ b/brut.j.util/src/main/java/brut/util/BrutIO.java
+@@ -94,6 +94,13 @@ public class BrutIO {
+         return canonicalEntryPath.substring(canonicalDirPath.length());
+     }
+ 
++    public static boolean detectPossibleDirectoryTraversal(String entry) {
++        if (OSDetection.isWindows()) {
++            return entry.contains("..\\") || entry.contains("\\..");
++        }
++        return entry.contains("../") || entry.contains("/..");
++    }
++
+     public static String normalizePath(String path) {
+         char separator = File.separatorChar;
+ 
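Review bot: `detectPossibleDirectoryTraversal` is a plain substring test, so it also rejects names that never leave the output directory (a component that merely starts with `..`, such as `res/drawable/..foo.png`, or `res/../x`); that is safe given the caller's fallback, but a doc comment should say the check is intentionally conservative. The Windows branch only looks for the backslash forms, while the patch's own commit message notes that "Android paths are not OS specific", so resource names from an APK carry `/` regardless of host; checking `"../"`/`"/.."` and `"..\\"`/`"\\.."` unconditionally would avoid depending on `OSDetection` here. The commit message also lists a test sample for GHSA-2hqv-2xv4-5h5w, but the diffstat covers only the two source files, so the backport ships without a regression test for this helper.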
+-- 
+2.39.2
+
diff -Nru apktool-2.7.0+dfsg/debian/patches/series 
apktool-2.7.0+dfsg/debian/patches/series
--- apktool-2.7.0+dfsg/debian/patches/series    2022-05-02 10:59:52.000000000 
+0200
+++ apktool-2.7.0+dfsg/debian/patches/series    2024-01-10 20:08:30.000000000 
+0100
@@ -2,3 +2,4 @@
 use_system_framework.patch
 use_system_aapt.patch
 build.patch
+CVE-2024-21633-Prevent-arbitrary-file-writes-with-malicious-resourc.patch

--- End Message ---
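The bug class described in the [ Impact ] section above, and the lexical check the patched BrutIO helper applies to it, as an added Python illustration (not apktool's own code, which is Java): it runs the substring check beside a path-containment check over constructed resource names and shows where the two disagree. The output directory and the sample names are assumptions.

```python
import os

# Constructed resource names standing in for values that res.getFilePath()
# could return from a crafted resources.arsc; test vectors, not real samples.
SAMPLE_NAMES = [
    "res/drawable/icon.png",          # ordinary, stays inside the output dir
    "res/drawable/..hidden.png",      # component starts with "..", no traversal
    "res/../drawable/icon.png",       # has "../" but resolves inside the output dir
    "../../outside/file.xml",         # climbs out of the output dir
    "res/../../outside/file.xml",     # climbs out after a legitimate prefix
]


def detect_possible_directory_traversal(entry: str) -> bool:
    """Lexical substring check, re-expressed in Python from the POSIX branch
    of the patched BrutIO.detectPossibleDirectoryTraversal."""
    return "../" in entry or "/.." in entry


def escapes_out_dir(out_dir: str, entry: str) -> bool:
    """Containment check: join entry onto out_dir, normalise, and require the
    result to stay under out_dir. Purely lexical (no files need exist), which
    is enough to show the difference; an extractor would also canonicalise
    symlinks with realpath before writing."""
    base = os.path.normpath(os.path.abspath(out_dir))
    target = os.path.normpath(os.path.join(base, entry))
    return os.path.commonpath([base, target]) != base


def classify(out_dir: str, names):
    """Map each name to (flagged_by_substring_check, really_escapes_out_dir)."""
    return {
        n: (detect_possible_directory_traversal(n), escapes_out_dir(out_dir, n))
        for n in names
    }


if __name__ == "__main__":
    # "/tmp/apktool-out" is an arbitrary assumed output directory.
    for name, (flagged, escapes) in classify("/tmp/apktool-out", SAMPLE_NAMES).items():
        verdict = "blocked" if flagged else "allowed"
        print(f"{name:32} substring-check: {verdict:7} escapes: {escapes}")
```

The two names the substring check blocks but the containment check allows are the false positives the patch tolerates by falling back to the zip entry name.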
--- Begin Message ---
Version: 12.5

The upload requested in this bug has been released as part of 12.5.

--- End Message ---