[Git][reproducible-builds/reproducible-website][master] 2024-04: fix paragraph about my work

FC (Fay) Stegerman (@obfusk) gitlab at salsa.debian.org
Thu May 9 01:58:01 UTC 2024



FC (Fay) Stegerman pushed to branch master at Reproducible Builds / reproducible-website


Commits:
013d861f by FC (Fay) Stegerman at 2024-05-09T03:57:40+02:00
2024-04: fix paragraph about my work

- - - - -


1 changed file:

- _reports/2024-04.md


Changes:

=====================================
_reports/2024-04.md
=====================================
@@ -42,13 +42,13 @@ Later in the most, Morten mentions that he was motivated to write the post becau
 
 <br>
 
-### Certificate vulnerabilities in Android's `apksigner`
+### Certificate vulnerabilities in F-Droid's `fdroidserver`
 
-In early April, Fay Stegerman [announced a certificate pinning bypass vulnerability and Proof of Concept (PoC)](https://www.openwall.com/lists/oss-security/2024/04/08/8) in the Android `apksigner` tool to the [`oss-security`](https://www.openwall.com/lists/oss-security/) mailing list. This tool is crucial to the validity of artifacts in the Android software supply chain.
+In early April, Fay Stegerman [announced a certificate pinning bypass vulnerability and Proof of Concept (PoC)](https://www.openwall.com/lists/oss-security/2024/04/08/8) in the F-Droid `fdroidserver` tools for "managing builds, indexes, updates, and deployments for F-Droid repositories" to the [`oss-security`](https://www.openwall.com/lists/oss-security/) mailing list.
 
-> We observed that embedding a v1 (JAR) signature file in an APK with `minSdk` >= 24 will be ignored by Android/apksigner, which only checks v2/v3 in that case. However, since fdroidserver checks v1 first, regardless of minSdk, and does not verify the signature, it will accept a "fake" certificate and see an incorrect certificate fingerprint.
+> We observed that embedding a v1 (JAR) signature file in an APK with `minSdk` >= 24 will be ignored by Android/apksigner, which only checks v2/v3 in that case. However, since `fdroidserver` checks v1 first, regardless of `minSdk`, and does not verify the signature, it will accept a "fake" certificate and see an incorrect certificate fingerprint. […] We also realised that the above mentioned discrepancy between `apksigner` and `androguard` (which `fdroidserver` uses to extract the v2/v3 certificates) can be abused here as well. […]
 
-Later on in the month, Fay followed up with a second post detailing a script that [could be used to scan for potentially affected `.apk` files](https://www.openwall.com/lists/oss-security/2024/04/20/3) and mentioned that, whilst upstream had acknowledged the vulnerability, they had not yet applied any ameliorating fixes.
+Later on in the month, Fay followed up with a second post detailing a third vulnerability and a script that [could be used to scan for potentially affected `.apk` files](https://www.openwall.com/lists/oss-security/2024/04/20/3) and mentioned that, whilst upstream had acknowledged the vulnerability, they had not yet applied any ameliorating fixes.
 
 <br>
 
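Review bot: the new last paragraph introduces "a third vulnerability" while the text above it has only named one (the certificate pinning bypass), with the second appearing solely inside the quote's aside about "the above mentioned discrepancy between `apksigner` and `androguard`", which refers to something the report itself never shows; readers of the monthly report will not know what that discrepancy is or how it becomes two vulnerabilities, so consider stating up front in the first paragraph that two vulnerabilities were announced and adding a short gloss on the `apksigner`/`androguard` discrepancy either before the quote or in place of the first "[…]". Minor: with the count now at three, "acknowledged the vulnerability" should read "acknowledged the vulnerabilities", and the hunk header's context line "Later in the most, Morten mentions" looks like a typo for "month" that could be fixed in the same commit.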



View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/013d861f30a93f5332fe8a5cbb69edb8cd35b119




