Bug#1060433: bookworm-pu: package apktool/2.7.0+dfsg-6+deb12u1
Package: release.debian.org
Control: affects -1 + src:apktool
X-Debbugs-Cc: apktool@packages.debian.org
User: release.debian.org@packages.debian.org
Usertags: pu
Tags: bookworm
Severity: normal
[ Reason ]
This fixes CVE-2024-21633.
[ Impact ]
If this is not included, bookworm users will be vulnerable to attacks
when analyzing malicious APKs with apktool. These attacks will be
able to write/overwrite any file that the user has permission to.
[ Tests ]
The existing autopkgtest covers code/functionality that is patched.
[ Risks ]
It is a very simple fix and problems should be rapidly visible via the
tests. Worst case, apktool will decompile a file to the wrong
location, but will tell the user the path.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
Include upstream patch to 2.7.0 to fix CVE-2024-21633.
[ Other info ]
Upstream reached out to help get this updated in Debian, so they
deemed it quite important to fix. This is the first time upstream has
communicated with the Debian maintainers about this package, IIRC.
diff -Nru apktool-2.7.0+dfsg/debian/changelog apktool-2.7.0+dfsg/debian/changelog
--- apktool-2.7.0+dfsg/debian/changelog 2023-03-21 09:41:45.000000000 +0100
+++ apktool-2.7.0+dfsg/debian/changelog 2024-01-10 20:08:30.000000000 +0100
@@ -1,3 +1,11 @@
+apktool (2.7.0+dfsg-6+deb12u1) bookworm; urgency=medium
+
+ * Team upload.
+ * CVE-2024-21633: Prevent arbitrary file writes with malicious resource
+ names. (Closes: #1060013)
+
+ -- Hans-Christoph Steiner <hans@eds.org> Wed, 10 Jan 2024 20:08:30 +0100
+
apktool (2.7.0+dfsg-6) unstable; urgency=medium
* only test APK build on arches with aapt that can do it
diff -Nru apktool-2.7.0+dfsg/debian/patches/CVE-2024-21633-Prevent-arbitrary-file-writes-with-malicious-resourc.patch apktool-2.7.0+dfsg/debian/patches/CVE-2024-21633-Prevent-arbitrary-file-writes-with-malicious-resourc.patch
--- apktool-2.7.0+dfsg/debian/patches/CVE-2024-21633-Prevent-arbitrary-file-writes-with-malicious-resourc.patch 1970-01-01 01:00:00.000000000 +0100
+++ apktool-2.7.0+dfsg/debian/patches/CVE-2024-21633-Prevent-arbitrary-file-writes-with-malicious-resourc.patch 2024-01-10 20:07:42.000000000 +0100
@@ -0,0 +1,92 @@
+From 087f89ebc0dd87e74c8945f074f25b51b195cb83 Mon Sep 17 00:00:00 2001
+From: Connor Tumbleson <iBotPeaches@users.noreply.github.com>
+Date: Tue, 2 Jan 2024 06:11:03 -0500
+Forwarded: https://github.com/iBotPeaches/Apktool/commit/087f89ebc0dd87e74c8945f074f25b51b195cb83
+Subject: [PATCH 1/1] Prevent arbitrary file writes with malicious resource
+ names. (#3484)
+
+CVE-2024-21633
+
+* refactor: rename sanitize function
+
+* fix: expose getDir
+
+* fix: safe handling of untrusted resource names
+
+ - fixes: GHSA-2hqv-2xv4-5h5w
+
+* test: sample file for GHSA-2hqv-2xv4-5h5w
+
+* refactor: avoid detection of absolute files for resource check
+
+* chore: enable info mode on gradle
+
+* test: skip test on windows
+
+* chore: debug windows handling
+
+* fix: normalize entry with file separators
+
+* fix: normalize filepath after cleansing
+
+* chore: Android paths are not OS specific
+
+* refactor: use java.nio for path traversal checking
+
+* chore: align path separator on Windows for Zip files
+
+* chore: rework towards basic directory traversal
+
+* chore: remove '--info' on build.yml
+---
+ .../java/brut/androlib/res/decoder/ResFileDecoder.java | 8 ++++++++
+ brut.j.util/src/main/java/brut/util/BrutIO.java | 7 +++++++
+ 2 files changed, 15 insertions(+)
+
+diff --git a/brut.apktool/apktool-lib/src/main/java/brut/androlib/res/decoder/ResFileDecoder.java b/brut.apktool/apktool-lib/src/main/java/brut/androlib/res/decoder/ResFileDecoder.java
+index a3174411..16ad35f9 100644
+--- a/brut.apktool/apktool-lib/src/main/java/brut/androlib/res/decoder/ResFileDecoder.java
++++ b/brut.apktool/apktool-lib/src/main/java/brut/androlib/res/decoder/ResFileDecoder.java
+@@ -25,6 +25,7 @@ import brut.androlib.res.data.value.ResFileValue;
+ import brut.directory.DirUtil;
+ import brut.directory.Directory;
+ import brut.directory.DirectoryException;
++import brut.util.BrutIO;
+
+ import java.io.*;
+ import java.util.Map;
+@@ -47,6 +48,13 @@ public class ResFileDecoder {
+ String outResName = res.getFilePath();
+ String typeName = res.getResSpec().getType().getName();
+
++ if (BrutIO.detectPossibleDirectoryTraversal(outResName)) {
++ outResName = inFileName;
++ LOGGER.warning(String.format(
++ "Potentially malicious file path: %s, using instead %s", res.getFilePath(), outResName
++ ));
++ }
++
+ String ext = null;
+ String outFileName;
+ int extPos = inFileName.lastIndexOf(".");
+diff --git a/brut.j.util/src/main/java/brut/util/BrutIO.java b/brut.j.util/src/main/java/brut/util/BrutIO.java
+index 76432638..f99144e0 100644
+--- a/brut.j.util/src/main/java/brut/util/BrutIO.java
++++ b/brut.j.util/src/main/java/brut/util/BrutIO.java
+@@ -94,6 +94,13 @@ public class BrutIO {
+ return canonicalEntryPath.substring(canonicalDirPath.length());
+ }
+
++ public static boolean detectPossibleDirectoryTraversal(String entry) {
++ if (OSDetection.isWindows()) {
++ return entry.contains("..\\") || entry.contains("\\..");
++ }
++ return entry.contains("../") || entry.contains("/..");
++ }
++
+ public static String normalizePath(String path) {
+ char separator = File.separatorChar;
+
+--
+2.39.2
+
diff -Nru apktool-2.7.0+dfsg/debian/patches/series apktool-2.7.0+dfsg/debian/patches/series
--- apktool-2.7.0+dfsg/debian/patches/series 2022-05-02 10:59:52.000000000 +0200
+++ apktool-2.7.0+dfsg/debian/patches/series 2024-01-10 20:08:30.000000000 +0100
@@ -2,3 +2,4 @@
use_system_framework.patch
use_system_aapt.patch
build.patch
+CVE-2024-21633-Prevent-arbitrary-file-writes-with-malicious-resourc.patch
Reply to: