From: Hans-Christoph Steiner
Date: Thu, 3 Nov 2016 13:14:08 +0000 (+0100)
Subject: check all APKs for old versions of OpenSSL
X-Git-Tag: 0.8~141^2~5
X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?a=commitdiff_plain;h=98297278bde9df5945c6fce59567b00a792b5f86;p=fdroidserver.git

check all APKs for old versions of OpenSSL

This scans all APKs for old versions of OpenSSL libraries that are known to be vulnerable to issues, or fully unsupported.

This really should be implemented as a per-APK AntiFeature, so that it can apply to any version that is vulnerable. Since AntiFeatures are currently only per-App, this instead sets the AntiFeature only if the latest APK is vulnerable.

Google also enforces this: https://support.google.com/faqs/answer/6376725?hl=en

apk['antiFeatures'] has the first letter small, since all build fields start with a lowercase letter. app.AntiFeatures has the first uppercase since all App fields are that way.
---
diff --git a/fdroidserver/metadata.py b/fdroidserver/metadata.py
index 986d240a..a48f48c1 100644
--- a/fdroidserver/metadata.py
+++ b/fdroidserver/metadata.py
@@ -499,7 +499,7 @@ valuetypes = {
 []),
 FieldValidator("Anti-Feature",
- r'^(Ads|Tracking|NonFreeNet|NonFreeDep|NonFreeAdd|UpstreamNonFree|NonFreeAssets)$',
+ r'^(Ads|Tracking|NonFreeNet|NonFreeDep|NonFreeAdd|UpstreamNonFree|NonFreeAssets|KnownVuln)$',
 ["AntiFeatures"],
 []),
diff --git a/fdroidserver/update.py b/fdroidserver/update.py
index fcf9c092..f18cf49a 100644
--- a/fdroidserver/update.py
+++ b/fdroidserver/update.py
@@ -440,6 +440,34 @@ def sha256sum(filename):
 return sha.hexdigest()
+def has_old_openssl(filename):
+ '''checks for known vulnerable openssl versions in the APK'''
+
+ # statically load this pattern
+ if not hasattr(has_old_openssl, "pattern"):
+ has_old_openssl.pattern = re.compile(b'.*OpenSSL ([01][0-9a-z.-]+)')
+
+ with zipfile.ZipFile(filename) as zf:
+ for name in zf.namelist():
+ if name.endswith('libcrypto.so') or name.endswith('libssl.so'):
+ lib = zf.open(name)
+ while True:
+ chunk = lib.read(4096)
+ if chunk == b'':
+ break
+ m = has_old_openssl.pattern.search(chunk)
+ if m:
+ version = m.group(1).decode('ascii')
+ if version.startswith('1.0.1') and version[5] >= 'r' \
+ or version.startswith('1.0.2') and version[5] >= 'f':
+ logging.debug('"%s" contains recent %s (%s)', filename, name, version)
+ else:
+ logging.warning('"%s" contains outdated %s (%s)', filename, name, version)
+ return True
+ break
+ return False
+
+
 def insert_obbs(repodir, apps, apks):
 """Scans the .obb files in a given repo directory and adds them to the relevant APK instances. OBB files have versionCodes like APK
@@ -639,6 +667,9 @@ def scan_apks(apkcache, repodir, knownapks, use_date_from_apk=False):
 apk['features'] = set()
 apk['icons_src'] = {}
 apk['icons'] = {}
+ apk['antiFeatures'] = set()
+ if has_old_openssl(apkfile):
+ apk['antiFeatures'].add('KnownVuln')
 p = SdkToolsPopen(['aapt', 'dump', 'badging', apkfile], output=False)
 if p.returncode != 0:
 if options.delete_unknown:
@@ -1109,10 +1140,6 @@ def make_index(apps, sortedids, apks, repodir, archive, categories):
 addElement('marketversion', app.CurrentVersion, doc, apel)
 addElement('marketvercode', app.CurrentVersionCode, doc, apel)
- if app.AntiFeatures:
- af = app.AntiFeatures
- if af:
- addElementNonEmpty('antifeatures', ','.join(af), doc, apel)
 if app.Provides:
 pv = app.Provides.split(',')
 addElementNonEmpty('provides', ','.join(pv), doc, apel)
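Review bot: The accept test in `has_old_openssl` only recognises the 1.0.1 and 1.0.2 lines, so a libcrypto.so reporting OpenSSL 1.1.0 (released before this commit) falls into the `else` branch and is tagged `KnownVuln`, and a bare `1.0.1`/`1.0.2` string with no patch letter raises IndexError on `version[5]`. The 4096-byte chunked scan can also split the `OpenSSL 1.0.2g` text across two reads, in which case the library is silently reported as clean, and the `zf.open(name)` handle is never closed. Reading the member in one go with `zf.read(name)`, slicing the patch letter with `version[5:6]`, and treating anything outside the `0.`/`1.0.` families as recent avoids all three; the leading `.*` in the pattern does nothing for `search()` and can go.
```python
def has_old_openssl(filename):
    '''checks for known vulnerable openssl versions in the APK'''

    # statically load this pattern
    if not hasattr(has_old_openssl, "pattern"):
        has_old_openssl.pattern = re.compile(b'OpenSSL ([01][0-9a-z.-]+)')

    with zipfile.ZipFile(filename) as zf:
        for name in zf.namelist():
            if not (name.endswith('libcrypto.so') or name.endswith('libssl.so')):
                continue
            # read the whole member: a chunked scan can split the version
            # string across two reads and silently miss it
            m = has_old_openssl.pattern.search(zf.read(name))
            if not m:
                continue
            version = m.group(1).decode('ascii')
            patch = version[5:6]  # '' when no patch letter follows 1.0.x
            # patch-letter thresholds only apply to the 1.0.1/1.0.2 lines;
            # newer lines (1.1.x) are not in the outdated set
            if version.startswith('1.0.1') and patch >= 'r' \
               or version.startswith('1.0.2') and patch >= 'f' \
               or not version.startswith(('0.', '1.0.')):
                logging.debug('"%s" contains recent %s (%s)', filename, name, version)
            else:
                logging.warning('"%s" contains outdated %s (%s)', filename, name, version)
                return True
    return False
```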
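Review bot: `has_old_openssl(apkfile)` runs before the `aapt dump badging` result is checked, and it opens the file with `zipfile.ZipFile`, which raises `zipfile.BadZipfile` on anything that is not a valid zip; presumably a corrupt or truncated APK that the `p.returncode != 0` path (and `options.delete_unknown`) was meant to handle will now abort the whole scan instead. Moving the two added lines below that `returncode` handling, or wrapping the call in `try:` / `except zipfile.BadZipfile:` that logs and skips the file, keeps the existing failure path intact. scan_apks continues outside the hunk, so where the aapt error handling ends is not visible here.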
@@ -1123,6 +1150,11 @@ def make_index(apps, sortedids, apks, repodir, archive, categories):
 # doesn't have to do any work by default...
 apklist = sorted(apklist, key=lambda apk: apk['versioncode'], reverse=True)
+ if 'antiFeatures' in apklist[0]:
+ app.AntiFeatures.extend(apklist[0]['antiFeatures'])
+ if app.AntiFeatures:
+ addElementNonEmpty('antifeatures', ','.join(app.AntiFeatures), doc, apel)
+
 # Check for duplicates - they will make the client unhappy...
 for i in range(len(apklist) - 1):
 if apklist[i]['versioncode'] == apklist[i + 1]['versioncode']:
diff --git a/wp-fdroid/wp-fdroid.php b/wp-fdroid/wp-fdroid.php
index 4d62f0b8..f225232f 100644
--- a/wp-fdroid/wp-fdroid.php
+++ b/wp-fdroid/wp-fdroid.php
@@ -695,6 +695,8 @@ class FDroid
 $antifeatureDescription['UpstreamNonFree']['description'] = 'The upstream source code is non-free.';
 $antifeatureDescription['NonFreeAssets']['name'] = 'Non-Free Assets';
 $antifeatureDescription['NonFreeAssets']['description'] = 'This application contains non-free assets.';
+ $antifeatureDescription['KnownVuln']['name'] = 'Known Vulnerability';
+ $antifeatureDescription['KnownVuln']['description'] = 'This application known security vulnerabilities.';
 if(isset($antifeatureDescription[$antifeature])) {
 return $antifeatureDescription[$antifeature];
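Review bot: `app.AntiFeatures.extend(apklist[0]['antiFeatures'])` mutates the shared App object each time make_index runs; if it is invoked more than once for the same apps (the `archive` parameter suggests a repo pass and an archive pass), `KnownVuln` is appended again on every pass and the index ends up with `KnownVuln,KnownVuln`. `apklist[0]` also raises IndexError if an app reaches this point with no APKs, unless a guard outside the hunk already prevents that. Building a local value instead avoids the shared-state problem: `antifeatures = set(app.AntiFeatures) | apklist[0].get('antiFeatures', set())`, `if antifeatures:`, `addElementNonEmpty('antifeatures', ','.join(sorted(antifeatures)), doc, apel)`. make_index starts and ends outside the hunk.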
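Review bot: The added description `'This application known security vulnerabilities.'` is missing its verb, and this text is what the website shows to users for the new anti-feature; it should read `'This application has known security vulnerabilities.'`. The `name` entry on the line above is fine as written.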