Your message dated Wed, 15 Apr 2020 18:48:39 +0000
with message-id <e1jon5t-0001xn...@fasolo.debian.org>
and subject line Bug#884095: fixed in diffoscope 141
has caused the Debian Bug report #884095,
regarding Correctly identify Android APK/DEX files
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
884095: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=884095
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: diffoscope
Version: 88
The Janus bug for Android works by making a valid APK file that is also
a valid DEX file.
https://www.guardsquare.com/en/blog/new-android-vulnerability-allows-attackers-modify-apps-without-affecting-their-signatures
Diffoscope sees these files as different file types, so there is no way
to inspect the malware payload. Given this and the issues in file
detection in #849782, there should be a way to force which kind of
comparison that diffoscope does. Something like --force=apk would solve
both.
There are two example files attached.
HelloWorld.apk
Description: application/vnd.android.package-archive
HelloWorld-Janus.apk
Description: application/vnd.android.package-archive
--- End Message ---
--- Begin Message ---
Source: diffoscope
Source-Version: 141
Done: Chris Lamb <la...@debian.org>
We believe that the bug you reported is fixed in the latest version of
diffoscope, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 884...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Chris Lamb <la...@debian.org> (supplier of updated diffoscope package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Wed, 15 Apr 2020 19:15:42 +0100
Source: diffoscope
Architecture: source
Version: 141
Distribution: unstable
Urgency: medium
Maintainer: Reproducible builds folks <reproducible-bui...@lists.alioth.debian.org>
Changed-By: Chris Lamb <la...@debian.org>
Closes: 884095
Changes:
 diffoscope (141) unstable; urgency=medium
 .
   [ Chris Lamb ]
   * Dalvik .dex files can also serve as APK containers. Restrict the narrower
     identification of .dex files to files ending with this extension, and widen
     the identification of APK files to when file(1) discovers a Dalvik file.
     (Closes: #884095, reproducible-builds/diffoscope#28)
   * Explicitly list python3-h5py in debian/tests/control.in to ensure that we
     have this module installed during an autopkgtest run to generate the test
     fixture & regenerate debian/tests/control from debian/tests/control.in
     to match.
   * Drop unnecessary and unused assignment to "diff" variable.
   * Strip paths from the output of zipinfo(1) warnings.
     (re. reproducible-builds/diffoscope#97)
 .
   [ Michael Osipov ]
   * Revert to using zipinfo(1) directly instead of piping input via /dev/stdin
     for BSD portability. (Closes: reproducible-builds/diffoscope#97)
 .
   [ Jelle van der Waa ]
   * Add an external tool for h5dump on Arch.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
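An added illustration (not diffoscope's code, and not part of either message above) of why the identification had to change: a sniffer that keys on leading magic bytes sees a Dalvik file, while ZIP readers locate the archive from the end of the file, so one file can satisfy both. The function names, the selection rule and the sample bytes are assumptions constructed for this example.

```python
import io
import zipfile

DEX_MAGIC = b"dex\n"        # DEX header: "dex\n" + 3 version digits + NUL
EOCD_SIG = b"PK\x05\x06"    # ZIP end-of-central-directory signature
EOCD_MAX = 22 + 0xFFFF      # EOCD record plus the longest possible comment


def head_is_dex(data: bytes) -> bool:
    """Magic-based check on the first bytes, as a type sniffer would do."""
    return data[:4] == DEX_MAGIC and data[4:7].isdigit() and data[7:8] == b"\x00"


def tail_is_zip(data: bytes) -> bool:
    """ZIP readers find the archive by scanning back from the end of the file."""
    return EOCD_SIG in data[-EOCD_MAX:]


def identify(name: str, data: bytes) -> dict:
    """Pick a comparison type (hypothetical rule modelled on the changelog)."""
    dex, zipped = head_is_dex(data), tail_is_zip(data)
    if name.endswith(".dex") and dex:
        kind = "dex"        # narrow match: Dalvik magic AND .dex extension
    elif name.endswith(".apk") and (zipped or dex):
        kind = "apk"        # wide match: Dalvik magic does not rule out an APK
    else:
        kind = "unknown"
    return {"kind": kind, "polyglot": dex and zipped}


def sample_zip() -> bytes:
    """Constructed sample: a one-entry ZIP built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", "<manifest/>")
    return buf.getvalue()


# Constructed sample: a DEX-looking header only, not a loadable DEX file.
FAKE_DEX_HEAD = b"dex\n035\x00" + b"\x00" * 104

if __name__ == "__main__":
    plain = sample_zip()
    for name, blob in [("plain.apk", plain), ("classes.dex", FAKE_DEX_HEAD),
                       ("dex-prefixed.apk", FAKE_DEX_HEAD + plain)]:
        print(name, identify(name, blob))
```

A file reported with `polyglot: True` carries both a Dalvik header and a ZIP directory, so both views of it should be inspected before it is trusted.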