[Android-tools-devel] Bug#1060433: bookworm-pu: package apktool/2.7.0+dfsg-6+deb12u1

Hans-Christoph Steiner hans at eds.org
Thu Jan 11 09:32:44 GMT 2024


Package: release.debian.org
Control: affects -1 + src:apktool
X-Debbugs-Cc: apktool at packages.debian.org
User: release.debian.org at packages.debian.org
Usertags: pu
Tags: bookworm
Severity: normal

[ Reason ]

This fixes CVE-2024-21633.

[ Impact ]

If this is not included, bookworm users will be vulnerable to attacks
when analyzing malicious APKs with apktool.  These attacks will be
able to write/overwrite any file that the user has permission to.

[ Tests ]

The existing autopkgtest covers code/functionality that is patched.

[ Risks ]

It is a very simple fix and problems should be rapidly visible via the
tests.  Worst case, apktool will decompile a file to the wrong
location, but will tell the user the path.

[ Checklist ]
   [x] *all* changes are documented in the d/changelog
   [x] I reviewed all changes and I approve them
   [x] attach debdiff against the package in (old)stable
   [x] the issue is verified as fixed in unstable

[ Changes ]

Include upstream patch to 2.7.0 to fix CVE-2024-21633.

[ Other info ]

Upstream reached out to help get this updated in Debian, so they
deemed it quite important to fix.  This is the first time upstream has
communicated with the Debian maintainers about this package, IIRC.
-------------- next part --------------
diff -Nru apktool-2.7.0+dfsg/debian/changelog apktool-2.7.0+dfsg/debian/changelog
--- apktool-2.7.0+dfsg/debian/changelog	2023-03-21 09:41:45.000000000 +0100
+++ apktool-2.7.0+dfsg/debian/changelog	2024-01-10 20:08:30.000000000 +0100
@@ -1,3 +1,11 @@
+apktool (2.7.0+dfsg-6+deb12u1) bookworm; urgency=medium
+
+  * Team upload.
+  * CVE-2024-21633: Prevent arbitrary file writes with malicious resource
+    names. (Closes: #1060013)
+
+ -- Hans-Christoph Steiner <hans at eds.org>  Wed, 10 Jan 2024 20:08:30 +0100
+
 apktool (2.7.0+dfsg-6) unstable; urgency=medium
 
   * only test APK build on arches with aapt that can do it
diff -Nru apktool-2.7.0+dfsg/debian/patches/CVE-2024-21633-Prevent-arbitrary-file-writes-with-malicious-resourc.patch apktool-2.7.0+dfsg/debian/patches/CVE-2024-21633-Prevent-arbitrary-file-writes-with-malicious-resourc.patch
--- apktool-2.7.0+dfsg/debian/patches/CVE-2024-21633-Prevent-arbitrary-file-writes-with-malicious-resourc.patch	1970-01-01 01:00:00.000000000 +0100
+++ apktool-2.7.0+dfsg/debian/patches/CVE-2024-21633-Prevent-arbitrary-file-writes-with-malicious-resourc.patch	2024-01-10 20:07:42.000000000 +0100
@@ -0,0 +1,92 @@
+From 087f89ebc0dd87e74c8945f074f25b51b195cb83 Mon Sep 17 00:00:00 2001
+From: Connor Tumbleson <iBotPeaches at users.noreply.github.com>
+Date: Tue, 2 Jan 2024 06:11:03 -0500
+Forwarded: https://github.com/iBotPeaches/Apktool/commit/087f89ebc0dd87e74c8945f074f25b51b195cb83
+Subject: [PATCH 1/1] Prevent arbitrary file writes with malicious resource
+ names. (#3484)
+
+CVE-2024-21633
+
+* refactor: rename sanitize function
+
+* fix: expose getDir
+
+* fix: safe handling of untrusted resource names
+
+ - fixes: GHSA-2hqv-2xv4-5h5w
+
+* test: sample file for GHSA-2hqv-2xv4-5h5w
+
+* refactor: avoid detection of absolute files for resource check
+
+* chore: enable info mode on gradle
+
+* test: skip test on windows
+
+* chore: debug windows handling
+
+* fix: normalize entry with file separators
+
+* fix: normalize filepath after cleansing
+
+* chore: Android paths are not OS specific
+
+* refactor: use java.nio for path traversal checking
+
+* chore: align path separator on Windows for Zip files
+
+* chore: rework towards basic directory traversal
+
+* chore: remove '--info' on build.yml
+---
+ .../java/brut/androlib/res/decoder/ResFileDecoder.java    | 8 ++++++++
+ brut.j.util/src/main/java/brut/util/BrutIO.java           | 7 +++++++
+ 2 files changed, 15 insertions(+)
+
+diff --git a/brut.apktool/apktool-lib/src/main/java/brut/androlib/res/decoder/ResFileDecoder.java b/brut.apktool/apktool-lib/src/main/java/brut/androlib/res/decoder/ResFileDecoder.java
+index a3174411..16ad35f9 100644
+--- a/brut.apktool/apktool-lib/src/main/java/brut/androlib/res/decoder/ResFileDecoder.java
++++ b/brut.apktool/apktool-lib/src/main/java/brut/androlib/res/decoder/ResFileDecoder.java
+@@ -25,6 +25,7 @@ import brut.androlib.res.data.value.ResFileValue;
+ import brut.directory.DirUtil;
+ import brut.directory.Directory;
+ import brut.directory.DirectoryException;
++import brut.util.BrutIO;
+ 
+ import java.io.*;
+ import java.util.Map;
+@@ -47,6 +48,13 @@ public class ResFileDecoder {
+         String outResName = res.getFilePath();
+         String typeName = res.getResSpec().getType().getName();
+ 
++        if (BrutIO.detectPossibleDirectoryTraversal(outResName)) {
++            outResName = inFileName;
++            LOGGER.warning(String.format(
++                "Potentially malicious file path: %s, using instead %s", res.getFilePath(), outResName
++            ));
++        }
++
+         String ext = null;
+         String outFileName;
+         int extPos = inFileName.lastIndexOf(".");
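Review bot: the fallback name `inFileName` that replaces a rejected `outResName` is not itself passed through `BrutIO.detectPossibleDirectoryTraversal` in this hunk, so the change as shown relies on `inFileName` having been validated before `ResFileDecoder` is reached; either confirm that during review or apply the same check to the fallback (refusing to decode the entry when both names fail) rather than assuming it. The warning is good as written: it logs both the rejected `res.getFilePath()` and the substituted name, which matches the [ Risks ] statement that the user is told the actual output path.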
+diff --git a/brut.j.util/src/main/java/brut/util/BrutIO.java b/brut.j.util/src/main/java/brut/util/BrutIO.java
+index 76432638..f99144e0 100644
+--- a/brut.j.util/src/main/java/brut/util/BrutIO.java
++++ b/brut.j.util/src/main/java/brut/util/BrutIO.java
+@@ -94,6 +94,13 @@ public class BrutIO {
+         return canonicalEntryPath.substring(canonicalDirPath.length());
+     }
+ 
++    public static boolean detectPossibleDirectoryTraversal(String entry) {
++        if (OSDetection.isWindows()) {
++            return entry.contains("..\\") || entry.contains("\\..");
++        }
++        return entry.contains("../") || entry.contains("/..");
++    }
++
+     public static String normalizePath(String path) {
+         char separator = File.separatorChar;
+ 
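Review bot: `detectPossibleDirectoryTraversal` branches on `OSDetection.isWindows()` and then looks only for backslash sequences (`..\` and `\..`), yet the commit message in this same patch states that Android paths are not OS specific, and `java.io.File` on Windows also accepts `/` as a separator, so a resource name containing `../` would pass the check on Windows. Suggest testing both separator forms unconditionally, e.g. `return entry.contains("../") || entry.contains("/..") || entry.contains("..\\") || entry.contains("\\..");`, or normalizing the candidate against the output directory with java.nio (`Path.normalize()`), which the commit message's "use java.nio for path traversal checking" item already points at. The substring test is coarse (a legitimate name such as `a/..b` is flagged as well); that is acceptable here because a false positive only produces the logged rename in `ResFileDecoder`, not a decode failure.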
+-- 
+2.39.2
+
diff -Nru apktool-2.7.0+dfsg/debian/patches/series apktool-2.7.0+dfsg/debian/patches/series
--- apktool-2.7.0+dfsg/debian/patches/series	2022-05-02 10:59:52.000000000 +0200
+++ apktool-2.7.0+dfsg/debian/patches/series	2024-01-10 20:08:30.000000000 +0100
@@ -2,3 +2,4 @@
 use_system_framework.patch
 use_system_aapt.patch
 build.patch
+CVE-2024-21633-Prevent-arbitrary-file-writes-with-malicious-resourc.patch