Bug#988789: diffoscope: .so files are compared using a binary diff in Android APKs
Hans-Christoph Steiner
hans at eds.org
Wed May 19 17:25:26 BST 2021
Package: diffoscope
Version: 172~bpo10+1
Severity: important
APKs (Android app files) often contain Linux ELF shared library files, e.g.
lib/arm64-v8a/libtor.so. These are only compared using a binary diff, but they
should use the shared library comparison. The output looks like:
├── lib/arm64-v8a/libtor.so
│┄ Command `'strings --all --bytes=8 {}'` failed with exit code 1. Standard output:
│┄ /usr/bin/strings: '/tmp/diffoscope_4_ifbg_p_release/tmpqowyi8ycapk/org.torproject.torservices_2004.apk/lib/arm64-v8a/libtor.so': No such file
│ @@ -386405,15 +386405,15 @@
│ 005e5640: 0800 0000 0000 0000 0000 0000 0000 0000 ................
│ 005e5650: 5d00 0000 0400 0000 0200 0000 0000 0000 ]...............
│ 005e5660: 08cc 0a00 0000 0000 08cc 0a00 0000 0000 ................
│ 005e5670: d06f 0500 0000 0000 0500 0000 0000 0000 .o..............
│ 005e5680: 0800 0000 0000 0000 1800 0000 0000 0000 ................
│ 005e5690: 6700 0000 0400 0000 4200 0000 0000 0000 g.......B.......
│ 005e56a0: d83b 1000 0000 0000 d83b 1000 0000 0000 .;.......;......
│ -005e56b0: b016 0000 0000 0000 0500 0000 0b00 0000 ................
│ +005e56b0: b016 0000 0000 0000 0500 0000 1500 0000 ................
│ 005e56c0: 0800 0000 0000 0000 1800 0000 0000 0000 ................
│ 005e56d0: 6c00 0000 0100 0000 0600 0000 0000 0000 l...............
│ 005e56e0: 9052 1000 0000 0000 9052 1000 0000 0000 .R.......R......
│ 005e56f0: 400f 0000 0000 0000 0000 0000 0000 0000 @...............
│ 005e5700: 1000 0000 0000 0000 1000 0000 0000 0000 ................
│ 005e5710: 7100 0000 0100 0000 0600 0000 0000 0000 q...............
│ 005e5720: 0070 1000 0000 0000 0070 1000 0000 0000 .p.......p......
When running diffoscope directly on the extracted libtor.so files, I get
useful output:
--- ./ciarang/lib/arm64-v8a/libtor.so
+++ ./app/build/intermediates/stripped_native_libs/release/out/lib/arm64-v8a/libtor.so
├── readelf --wide --sections {}
│ @@ -8,15 +8,15 @@
│ [ 3] .hash HASH 00000000000002e8 0002e8 012eb8 04 A 5 0 8
│ [ 4] .gnu.hash GNU_HASH 00000000000131a0 0131a0 014ae4 00 A 5 0 8
│ [ 5] .dynsym DYNSYM 0000000000027c88 027c88 041688 18 A 6 3 8
│ [ 6] .dynstr STRTAB 0000000000069310 069310 03e17b 00 A 0 0 1
│ [ 7] .gnu.version VERSYM 00000000000a748c 0a748c 005736 02 A 5 0 2
│ [ 8] .gnu.version_r VERNEED 00000000000acbc8 0acbc8 000040 00 A 6 2 8
│ [ 9] .rela.dyn RELA 00000000000acc08 0acc08 056fd0 18 A 5 0 8
│ - [10] .rela.plt RELA 0000000000103bd8 103bd8 0016b0 18 AI 5 11 8
│ + [10] .rela.plt RELA 0000000000103bd8 103bd8 0016b0 18 AI 5 21 8
│ [11] .plt PROGBITS 0000000000105290 105290 000f40 10 AX 0 0 16
│ [12] .text PROGBITS 0000000000107000 107000 392da4 00 AX 0 0 4096
│ [13] .rodata PROGBITS 0000000000499db0 499db0 0c5418 00 A 0 0 16
│ [14] .eh_frame_hdr PROGBITS 000000000055f1c8 55f1c8 00af84 00 A 0 0 4
│ [15] .eh_frame PROGBITS 000000000056a150 56a150 031280 00 A 0 0 8
│ [16] .preinit_array PREINIT_ARRAY 000000000059cae0 59bae0 000010 08 WA 0 0 8
│ [17] .init_array INIT_ARRAY 000000000059caf0 59baf0 000018 08 WA 0 0 8
├── readelf --wide --decompress --hex-dump=.plt {}
│ @@ -1,10 +1,9 @@
│
│ Hex dump of section '.plt':
│ - NOTE: This section has relocations against it, but these have NOT been applied to this dump.
│ 0x00105290 f07bbfa9 90260090 11b644f9 10a22591 .{...&....D...%.
│ 0x001052a0 20021fd6 1f2003d5 1f2003d5 1f2003d5 .... ... ... ..
│ 0x001052b0 90260090 11ba44f9 10c22591 20021fd6 .&....D...%. ...
│ 0x001052c0 90260090 11be44f9 10e22591 20021fd6 .&....D...%. ...
│ 0x001052d0 90260090 11c244f9 10022691 20021fd6 .&....D...&. ...
│ 0x001052e0 90260090 11c644f9 10222691 20021fd6 .&....D.."&. ...
│ 0x001052f0 90260090 11ca44f9 10422691 20021fd6 .&....D..B&. ...
├── readelf --wide --decompress --hex-dump=.got {}
│ @@ -1,9 +1,10 @@
│
│ Hex dump of section '.got':
│ + NOTE: This section has relocations against it, but these have NOT been applied to this dump.
│ 0x005d5958 00000000 00000000 00000000 00000000 ................
│ 0x005d5968 00000000 00000000 90521000 00000000 .........R......
│ 0x005d5978 90521000 00000000 90521000 00000000 .R.......R......
│ 0x005d5988 90521000 00000000 90521000 00000000 .R.......R......
│ 0x005d5998 90521000 00000000 90521000 00000000 .R.......R......
│ 0x005d59a8 90521000 00000000 90521000 00000000 .R.......R......
│ 0x005d59b8 90521000 00000000 90521000 00000000 .R.......R......
-- System Information:
Debian Release: 10.9
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable'), (100, 'proposed-updates')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-16-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages diffoscope depends on:
ii diffoscope-minimal 172~bpo10+1
Versions of packages diffoscope recommends:
ii abootimg 0.6-1+b2
ii acl 2.2.53-4
ii apksigner 30.0.3-4
ii apktool 2.4.1-1
ii binutils-multiarch 2.31.1-16
ii bzip2 1.0.6-9.2~deb10u1
ii caca-utils 0.99.beta19-2.1
ii colord 1.4.3-4
ii db-util 5.3.1+nmu1
ii default-jdk [java-sdk] 2:1.11-71
ii default-jdk-headless 2:1.11-71
ii device-tree-compiler 1.4.7-4
ii docx2txt 1.4-1
ii e2fsprogs 1.44.5-1+deb10u3
ii enjarify 1:1.0.3-4
ii ffmpeg 7:4.1.6-1~deb10u1
ii fontforge-extras 0.3-4
ii fp-utils 3.0.4+dfsg-22
ii fp-utils-3.0.4 [fp-utils] 3.0.4+dfsg-22
ii genisoimage 9:1.1.11-3+b2
ii gettext 0.19.8.1-9
ii ghc 8.4.4+dfsg1-3
ii ghostscript 9.27~dfsg-2+deb10u4
ii giflib-tools 5.1.4-3
ii gnumeric 1.12.44-1
ii gnupg 2.2.12-1+deb10u1
ii gnupg-utils 2.2.12-1+deb10u1
ii hdf5-tools 1.10.4+repack-10
ii imagemagick 8:6.9.10.23+dfsg-2.1+deb10u1
ii imagemagick-6.q16 [imagemagick] 8:6.9.10.23+dfsg-2.1+deb10u1
ii jsbeautifier 1.6.4-7
ii libarchive-tools 3.3.3-4+deb10u1
ii llvm 1:7.0-47
ii lz4 [liblz4-tool] 1.8.3-1
ii mono-utils 5.18.0.240+dfsg-3
ii ocaml-nox 4.05.0-11
ii odt2txt 0.5-1+b2
ii oggvideotools 0.9.1-5
ii openjdk-11-jdk [java-sdk] 11.0.11+9-1~deb10u1
ii openssh-client 1:7.9p1-10+deb10u2
ii openssl 1.1.1d-0+deb10u6
ii pgpdump 0.33-1
ii poppler-utils 0.71.0-5
ii procyon-decompiler 0.5.32-5
ii python3-argcomplete 1.8.1-1
ii python3-binwalk 2.1.2~git20180830+dfsg1-1
ii python3-debian 0.1.35
ii python3-defusedxml 0.5.0-2
ii python3-guestfs 1:1.40.2-2
ii python3-jsondiff 1.1.1-2
ii python3-pdfminer 20181108+dfsg-3
ii python3-progressbar 2.5-1
ii python3-pypdf2 1.26.0-2
ii python3-pyxattr 0.6.1-1
ii python3-rpm 4.14.2.1+dfsg1-1
ii python3-tlsh 3.4.4+20151206-1.1
ii r-base-core 3.5.2-1
pn radare2 <none>
ii rpm2cpio 4.14.2.1+dfsg1-1
ii sng 1.1.0-1+b1
ii sqlite3 3.27.2-3+deb10u1
ii squashfs-tools 1:4.3-12
ii tcpdump 4.9.3-1~deb10u2
ii u-boot-tools 2019.01+dfsg-7
ii unzip 6.0-23+deb10u2
ii vim-common 2:8.1.0875-5
ii wabt 1.0.8-1
ii xmlbeans 3.0.2-1
ii xxd 2:8.1.0875-5
ii xz-utils 5.2.4-1
ii zip 3.0-11+b1
ii zstd 1.4.4+dfsg-3~bpo10+1
Versions of packages diffoscope suggests:
ii libjs-jquery 3.3.1~dfsg-3+deb10u1
-- no debconf information
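
An added example, not part of the original report and not diffoscope's code: it decodes the xxd rows around the single changed row of the binary diff as one Elf64_Shdr entry, showing that the one-byte difference is the sh_info field that the readelf comparison reports for .rela.plt. The entry start offset 0x5e5690 is an assumption inferred from the decoded values matching the readelf row; all function names are illustrative.

```python
import struct

# Elf64_Shdr, little-endian, 64 bytes: two u32, four u64, two u32, two u64.
SHDR_CODES = "IIQQQQIIQQ"
SHDR = struct.Struct("<" + SHDR_CODES)
FIELDS = ("sh_name", "sh_type", "sh_flags", "sh_addr", "sh_offset",
          "sh_size", "sh_link", "sh_info", "sh_addralign", "sh_entsize")

# xxd rows 005e5690..005e56c0 copied from the binary diff in the report.
ENTRY_START = 0x5E5690          # assumed start of the .rela.plt header entry
HEAD = """6700 0000 0400 0000 4200 0000 0000 0000
          d83b 1000 0000 0000 d83b 1000 0000 0000"""
ROW_OLD = "b016 0000 0000 0000 0500 0000 0b00 0000"   # the '-' row
ROW_NEW = "b016 0000 0000 0000 0500 0000 1500 0000"   # the '+' row
TAIL = "0800 0000 0000 0000 1800 0000 0000 0000"


def xxd_to_bytes(text):
    """Turn xxd-style hex groups (any whitespace) into raw bytes."""
    return bytes.fromhex("".join(text.split()))


def parse_shdr(raw):
    """Decode one 64-byte ELF64 section header entry into a dict."""
    if len(raw) != SHDR.size:
        raise ValueError(f"expected {SHDR.size} bytes, got {len(raw)}")
    return dict(zip(FIELDS, SHDR.unpack(raw)))


def changed_fields(old, new):
    """Return {field: (old_value, new_value)} for fields that differ."""
    a, b = parse_shdr(old), parse_shdr(new)
    return {k: (a[k], b[k]) for k in FIELDS if a[k] != b[k]}


def field_at(entry_start, file_offset):
    """Name the header field that contains a given file offset."""
    rel, pos = file_offset - entry_start, 0
    for name, code in zip(FIELDS, SHDR_CODES):
        width = struct.calcsize("<" + code)
        if pos <= rel < pos + width:
            return name
        pos += width
    raise ValueError("offset is outside this section header entry")


OLD = xxd_to_bytes(HEAD + ROW_OLD + TAIL)
NEW = xxd_to_bytes(HEAD + ROW_NEW + TAIL)
# For SHT_RELA (type 4) sections, sh_info is the index of the section the
# relocations apply to; readelf prints it in the Inf column.
print(changed_fields(OLD, NEW), field_at(ENTRY_START, 0x5E56BC))
```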