floss.social is one of the many independent Mastodon servers you can use to participate in the fediverse.

Should someone stumble upon the security vulnerability disclosure at openwall.com/lists/oss-securit – be assured the patches have already been applied at (and also that androguard is already aware: github.com/androguard/androgua)

Also see the toot by the original finder: tech.lgbt/@obfusk/113765201775

openwall.com: oss-security - Another fdroidserver AllowedAPKSigningKeys certificate pinning bypass

@IzzyOnDroid the regex fix is a good one, we'll look into merging that. I'd need to see a v2-signed APK that is installable on Android that demonstrates the exploit in order to consider this an actionable security vulnerability. APKs signed by v1-only are not even installable on latest Android versions, and Android 7.0 and above support v2+ signatures. Looks like obfusk's proof of concept is a v1-only APK. Do you even ship v1-only APKs in IzzySoft anymore?

@eighthave The regex fix is also considered by Androguard, yeah. And I didn't make the POC; that area is not in my expertise¹. I could check if there are any v1-only APKs in our repo² (not aware of any right away, though, but we still have some older apps here – and there are still some older devices around; we support "device longevity" 😉). But v1 IS important here, as we still support signing key rotation³ (and have at least 1 app using that).

(1/2)

@eighthave (2/2)

¹ I can follow it, but not create such on my own
² we would need time to set up a script for that; remember we're just a very small team with no grants; most work is still on my shoulders, next to a full-time $dayjob
³ we didn't use your implementation for fdroidserver back in spring but applied the patches provided by Fay, so signing key rotation is still supported at IzzyOnDroid
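The inventory check footnote ² asks for (which APKs in a repo carry only a v1 JAR signature, as opposed to the v2/v3 APK Signing Block the earlier reply mentions), as an added example that is not part of this thread and not code from fdroidserver, androguard or IzzyOnDroid. It only looks for the structural markers of each scheme (META-INF signature files for v1; the "APK Sig Block 42" block before the central directory with the documented v2 ID 0x7109871a and v3 ID 0xf05368c0); it does not verify any signature, which stays apksigner's job. The sample APKs are constructed in memory as unsigned stubs carrying those markers; the file names and the `v1_only_apks` helper are assumptions for illustration.

```python
"""Report which signature schemes (v1 JAR, v2/v3 APK Signing Block) each APK carries.

Added example; not fdroidserver's or androguard's code. The APKs scanned
below are constructed stubs, not real signed apps.
"""
import io
import struct
import zipfile
from dataclasses import dataclass

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
V2_BLOCK_ID = 0x7109871A   # APK Signature Scheme v2 pair ID
V3_BLOCK_ID = 0xF05368C0   # APK Signature Scheme v3 pair ID
V1_SIG_SUFFIXES = (".RSA", ".DSA", ".EC")


@dataclass
class SigSchemes:
    v1: bool = False
    v2: bool = False
    v3: bool = False

    @property
    def v1_only(self) -> bool:
        return self.v1 and not (self.v2 or self.v3)


def _central_directory_offset(data: bytes) -> int:
    """Find the End of Central Directory record and return the CD offset it stores."""
    tail = data[-(22 + 65535):]          # EOCD is 22 bytes plus an optional comment
    idx = tail.rfind(b"PK\x05\x06")
    if idx < 0:
        raise ValueError("not a zip file: EOCD not found")
    return struct.unpack_from("<I", tail, idx + 16)[0]


def signing_block_ids(data: bytes) -> set[int]:
    """Return the pair IDs found in the APK Signing Block, or an empty set if absent."""
    cd_offset = _central_directory_offset(data)
    if cd_offset < 24 or data[cd_offset - 16:cd_offset] != APK_SIG_BLOCK_MAGIC:
        return set()
    size_in_footer = struct.unpack_from("<Q", data, cd_offset - 24)[0]
    block_start = cd_offset - size_in_footer - 8   # size field excludes itself
    if block_start < 0:
        raise ValueError("malformed APK Signing Block: size exceeds file")
    size_in_header = struct.unpack_from("<Q", data, block_start)[0]
    if size_in_header != size_in_footer:
        raise ValueError("malformed APK Signing Block: size fields disagree")
    ids = set()
    pos, end = block_start + 8, cd_offset - 24      # ID-value pairs end at the footer
    while pos < end:
        pair_len = struct.unpack_from("<Q", data, pos)[0]     # length of id + value
        ids.add(struct.unpack_from("<I", data, pos + 8)[0])
        pos += 8 + pair_len
    return ids


def detect_schemes(data: bytes) -> SigSchemes:
    """Structural presence check only: no signature is verified here."""
    schemes = SigSchemes()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    schemes.v1 = "META-INF/MANIFEST.MF" in names and any(
        n.startswith("META-INF/") and n.upper().endswith(V1_SIG_SUFFIXES) for n in names)
    ids = signing_block_ids(data)
    schemes.v2 = V2_BLOCK_ID in ids
    schemes.v3 = V3_BLOCK_ID in ids
    return schemes


def v1_only_apks(apks: dict[str, bytes]) -> list[str]:
    """Names (from a name -> bytes mapping) of APKs that carry only a v1 signature."""
    return sorted(name for name, data in apks.items() if detect_schemes(data).v1_only)


# --- constructed sample APKs: structural stubs, not real signatures ---
def _stub_zip(entries: dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def _with_signing_block(zip_bytes: bytes, ids: list[int]) -> bytes:
    """Insert a stub APK Signing Block with the given pair IDs before the central directory."""
    cd_offset = _central_directory_offset(zip_bytes)
    pairs = b"".join(struct.pack("<QI", 4 + 8, i) + b"\x00" * 8 for i in ids)
    block_size = len(pairs) + 8 + 16            # pairs + footer size field + magic
    block = (struct.pack("<Q", block_size) + pairs
             + struct.pack("<Q", block_size) + APK_SIG_BLOCK_MAGIC)
    out = bytearray(zip_bytes[:cd_offset] + block + zip_bytes[cd_offset:])
    # zipfile wrote no archive comment, so the EOCD is the last 22 bytes; patch its CD offset
    struct.pack_into("<I", out, len(out) - 22 + 16, cd_offset + len(block))
    return bytes(out)


def sample_apks() -> dict[str, bytes]:
    v1_entries = {"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
                  "META-INF/CERT.SF": b"Signature-Version: 1.0\n",
                  "META-INF/CERT.RSA": b"<pkcs7 placeholder>",
                  "classes.dex": b"dex\n"}
    return {
        "old-v1only.apk": _stub_zip(v1_entries),                                  # assumed name
        "current-v1v2.apk": _with_signing_block(_stub_zip(v1_entries), [V2_BLOCK_ID]),
        "v2v3-noJar.apk": _with_signing_block(_stub_zip({"classes.dex": b"dex\n"}),
                                              [V2_BLOCK_ID, V3_BLOCK_ID]),
    }


if __name__ == "__main__":
    for name, data in sample_apks().items():
        print(name, detect_schemes(data))
    print("v1-only:", v1_only_apks(sample_apks()))
```

To run it over a real repo directory, replace `sample_apks()` with a mapping built from `Path(...).glob("*.apk")` and `read_bytes()`. A v1-only result means the APK has no APK Signing Block at all, which is the category the replies above are debating; the presence of the v2 or v3 pair says nothing about whether that block actually verifies.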

@eighthave (3/2)

"I'd need to see a v2-signed APK that is installable on Android that demonstrates the exploit in order to consider this an actionable security vulnerability."

I'd rather not wait until an exploit is out-and-about. The patch is easy and not complex. Better safe than sorry. And one should fix (even potential) vulnerabilities *before* they become exploits.


@eighthave And PPS: That POC APK installed fine on Android 13 & 14 (targetSDK is < 30, as with the F-Droid client) 🤷‍♂️