Bug#884095: flag to force file types

Hans-Christoph Steiner hans at eds.org
Mon Dec 11 11:32:17 UTC 2017


Package: diffoscope
Version: 88

The Janus bug for Android works by making a valid APK file that is also
a valid DEX file.

https://www.guardsquare.com/en/blog/new-android-vulnerability-allows-attackers-modify-apps-without-affecting-their-signatures

Diffoscope sees these files as different file types, so there is no way
to inspect the malware payload. Given this and the issues in file
detection in #849782, there should be a way to force which kind of
comparison that diffoscope does.  Something like --force=apk would solve
both.

There are two example files attached.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: HelloWorld.apk
Type: application/vnd.android.package-archive
Size: 9035 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/reproducible-builds/attachments/20171211/e08dcdf8/attachment.apk>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: HelloWorld-Janus.apk
Type: application/vnd.android.package-archive
Size: 10067 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/reproducible-builds/attachments/20171211/e08dcdf8/attachment-0001.apk>
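As an added, constructed example (not part of this bug report or of diffoscope itself): a small check that flags a file which parses as DEX from its first byte and as a ZIP/APK from its tail, the shape the report describes. The sample inputs are built inline; the DEX part is only a header, not loadable code.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # ZIP end-of-central-directory record
CDH_SIG = b"PK\x01\x02"    # ZIP central-directory file header
DEX_HEADER_LEN = 0x70


def dex_header(data):
    """Return the declared file_size if data starts with a DEX header, else None."""
    if len(data) < DEX_HEADER_LEN or data[:4] != b"dex\n" or data[7:8] != b"\0":
        return None
    if not data[4:7].isdigit():              # version digits, e.g. 035 / 037 / 038
        return None
    return struct.unpack_from("<I", data, 0x20)[0]   # file_size field of the header


def zip_layout(data):
    """Locate the central directory; return (prefix_len, entries) or None."""
    tail = data[-(0xFFFF + 22):]             # EOCD may carry a comment up to 64 KiB
    pos = tail.rfind(EOCD_SIG)
    if pos < 0:
        return None
    eocd = len(data) - len(tail) + pos
    entries, cd_size, cd_offset = struct.unpack_from("<HII", data, eocd + 10)
    prefix = eocd - (cd_offset + cd_size)    # bytes sitting before the archive proper
    if prefix < 0 or data[cd_offset + prefix:cd_offset + prefix + 4] != CDH_SIG:
        return None
    return prefix, entries


def classify(data):
    """Flag a blob that is a DEX at offset 0 and a ZIP from its tail at the same time."""
    dex_size = dex_header(data)
    layout = zip_layout(data)
    return {
        "dex": dex_size is not None,
        "zip": layout is not None,
        "polyglot": dex_size is not None and layout is not None,
        "dex_declared_size": dex_size,
        "zip_starts_at": layout[0] if layout else None,
        "zip_entries": layout[1] if layout else None,
    }


def build_samples():
    """Constructed inputs: a tiny APK-like ZIP, a bare DEX header, and the two joined."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", b"dex\n035\0" + b"\0" * 0x68)
    apk = buf.getvalue()
    dex = bytearray(b"dex\n035\0" + b"\0" * 0x68)
    struct.pack_into("<II", dex, 0x20, len(dex), DEX_HEADER_LEN)   # file_size, header_size
    return apk, bytes(dex), bytes(dex) + apk


if __name__ == "__main__":
    for name, blob in zip(("zip-only", "dex-only", "dex+zip"), build_samples()):
        print(name, classify(blob))
```

A ZIP reader that tolerates leading data reports the DEX header as a prefix of `zip_starts_at` bytes, so a non-zero prefix combined with a DEX magic is the signal worth alerting on.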