
security fixes for Janus and image metadata exploits

The Janus vuln that was made public last weekend inspired me to do a little cleaning of some possible attack vectors:

  • Janus-style two-headed DEX+APK files are rejected by fdroid update; there is no legitimate use for them.
  • all KnownVulns are logged as warnings to the console during fdroid update
  • image metadata is stripped from PNGs and JPEGs

The image metadata is stripped using a simple method that requires recompressing the file. For PNG, the recompression is optimized, so it should result in smaller PNG sizes on top, without image quality loss. For JPEG, recompression means some loss of quality. I couldn't find any Python code to just strip. If someone wants to take that on as a project, look at exiftool (Perl) or jhead (C). Those both strip metadata from JPEGs without changing the image data. We just need some Python code to do that stripping. If we had Java code to do it, then we could just strip metadata in the client.

I scanned https://f-droid.org, https://guardianproject.info/fdroid and https://apt.izzysoft.de/fdroid for possible Janus exploits and found none.
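As an added illustration of the first bullet (this is example code, not code from this merge request or from fdroidserver), here is a Python check for the two-headed file shape. A ZIP reader locates the central directory from the end of the file, so a DEX file with a whole APK appended still opens as a valid ZIP and lists the same entries; the tell is that the first bytes are the DEX magic instead of a ZIP local file header. The fixture APK, its entries and the function names are constructed for the example.

```python
import io
import zipfile

# Every DEX file begins with "dex\n" followed by a three-digit version and a NUL.
DEX_MAGIC = b"dex\n"
# A ZIP written front-to-back begins with a local file header.
ZIP_LOCAL_HEADER = b"PK\x03\x04"
# Size of a DEX header; the body is zero-filled here because only the magic matters.
DEX_HEADER_SIZE = 0x70


def janus_check(data):
    """Return None for an ordinary APK, or a string saying why it must be rejected.

    ZIP readers locate the central directory from the END of the file, so a
    DEX file with an APK glued after it is still a valid ZIP.  The give-away
    is the first bytes: DEX magic instead of a ZIP local file header.
    """
    head = data[:8]
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "not a ZIP file"
    if head.startswith(DEX_MAGIC):
        return "Janus-style two-headed DEX+APK file (starts with %r)" % head
    if not head.startswith(ZIP_LOCAL_HEADER):
        return "ZIP with data prepended to it (starts with %r)" % head[:4]
    return None


def zip_entries(data):
    """Names a ZIP reader sees in the file; works on the two-headed file too."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def make_apk_bytes():
    """Constructed stand-in for an APK: a ZIP with a manifest and a classes.dex."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")  # placeholder content
        zf.writestr("classes.dex", DEX_MAGIC + b"035\x00" + bytes(DEX_HEADER_SIZE - 8))
    return buf.getvalue()


def make_janus_bytes(apk):
    """Constructed Janus-style file: a DEX header with the whole APK appended."""
    dex_header = DEX_MAGIC + b"035\x00" + bytes(DEX_HEADER_SIZE - 8)
    return dex_header + apk


if __name__ == "__main__":
    apk = make_apk_bytes()
    janus = make_janus_bytes(apk)
    print("plain APK: ", janus_check(apk))
    print("two-headed:", janus_check(janus))
    # Both parse as the same ZIP, which is exactly why a check that only looks
    # at the ZIP contents cannot tell them apart; the leading bytes can.
    print("entries:", zip_entries(apk), zip_entries(janus))
```

The third branch (a ZIP that parses but does not start with a local file header) is a broader net than the DEX magic alone: it also catches other data prepended to an APK, which an index updater has no reason to accept either.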
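Added example for the JPEG part (example code, not from this merge request or from fdroidserver): a segment-level stripper in Python that drops APPn and COM segments and copies every byte from the first SOS marker onward untouched, which is the approach jhead and exiftool take, so no recompression and no quality loss. It walks segments by their length field rather than searching for markers, so an Exif block that embeds a thumbnail JPEG (with its own SOS and EOI bytes inside) does not confuse it. APP0 (JFIF) and APP14 (Adobe) are kept by default because decoders consult them for the colour transform. The sample JPEG, the marker constants and the function names are constructed for the example; the sample has a valid marker structure but is not a decodable picture.

```python
import struct

# JPEG marker codes (the byte after 0xFF) that matter for stripping.
SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
APP0, APP1, APP14, COM = 0xE0, 0xE1, 0xEE, 0xFE
# Markers that carry no length field: TEM, RST0..RST7, SOI, EOI.
STANDALONE = {0x01, SOI, EOI} | set(range(0xD0, 0xD8))
# Segments that only carry metadata: APP0..APP15 and COM.
METADATA_MARKERS = set(range(0xE0, 0xF0)) | {COM}


def split_jpeg(data):
    """Split a JPEG into its header segments and the untouched scan data.

    Returns (segments, scan): segments is a list of (marker, raw_bytes) for
    everything before the first SOS, parsed by length field so a nested JPEG
    inside an Exif thumbnail cannot confuse it; scan is every byte from the
    first SOS to the end of the file and is never modified.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    segments = [(SOI, data[:2])]
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        start = pos
        while pos < len(data) and data[pos] == 0xFF:  # 0xFF fill bytes are allowed
            pos += 1
        if pos >= len(data):
            raise ValueError("truncated JPEG")
        marker = data[pos]
        pos += 1
        if marker == SOS:
            return segments, data[start:]
        if marker in STANDALONE:
            segments.append((marker, data[start:pos]))
            continue
        if pos + 2 > len(data):
            raise ValueError("truncated segment length at offset %d" % pos)
        (length,) = struct.unpack(">H", data[pos:pos + 2])  # length includes itself
        end = pos + length
        if length < 2 or end > len(data):
            raise ValueError("bad segment length at offset %d" % pos)
        segments.append((marker, data[start:end]))
        pos = end
    raise ValueError("no SOS marker found")


def strip_jpeg_metadata(data, keep=(APP0, APP14)):
    """Drop APPn/COM segments without recompressing; scan data is copied verbatim.

    APP0 (JFIF) and APP14 (Adobe) are kept by default because decoders use them
    to work out the colour transform; pass keep=() to remove every APPn segment.
    """
    segments, scan = split_jpeg(data)
    kept = [raw for marker, raw in segments
            if marker not in METADATA_MARKERS or marker in keep]
    return b"".join(kept) + scan


def segment_markers(data):
    """Marker codes of the header segments, in file order (useful for checking)."""
    return [marker for marker, _ in split_jpeg(data)[0]]


def _seg(marker, payload):
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed JPEG skeleton: valid marker structure, not a decodable picture.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _seg(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    # Exif whose fake embedded thumbnail contains its own SOS and EOI bytes
    + _seg(APP1, b"Exif\x00\x00II*\x00\x08\x00\x00\x00" + bytes(8)
           + b"\xff\xd8\xff\xda\x00\x02\xff\xd9")
    + _seg(APP1, b"http://ns.adobe.com/xap/1.0/\x00<x:xmpmeta/>")
    + _seg(COM, b"GPS 37.78 -122.41")
    + _seg(0xDB, b"\x00" + bytes(range(1, 65)))            # DQT
    + _seg(0xC0, b"\x08\x00\x08\x00\x08\x01\x01\x11\x00")  # SOF0, 8x8, one component
    + _seg(0xC4, b"\x00\x01" + bytes(15) + b"\x00")         # DHT
    + _seg(SOS, b"\x01\x01\x00\x00\x3f\x00")               # SOS header
    + b"\x12\x34\xff\x00\x56"                               # entropy data with a stuffed 0xFF
    + b"\xff\xd9"                                           # EOI
)

if __name__ == "__main__":
    stripped = strip_jpeg_metadata(SAMPLE_JPEG)
    print("before:", ["%02X" % m for m in segment_markers(SAMPLE_JPEG)])
    print("after: ", ["%02X" % m for m in segment_markers(stripped)])
    print("scan data unchanged:", split_jpeg(stripped)[1] == split_jpeg(SAMPLE_JPEG)[1])
```

The same split would also be the place to whitelist an APP2 ICC profile if a repo wants colour-managed screenshots to keep rendering the same; everything else in APPn is identification or location data with no use in an app index.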
