From ca50adb2e5efa88e6ffea6a5cff84939e477bf22 Mon Sep 17 00:00:00 2001
From: Hans-Christoph Steiner <hans@eds.org>
Date: Thu, 14 Dec 2017 11:06:22 +0100
Subject: [PATCH 1/8] update: switch tests to using standardized setUp() method

---
 tests/update.TestCase | 36 ++++++++++++++++--------------------
 1 file changed, 16 insertions(+), 20 deletions(-)

diff --git a/tests/update.TestCase b/tests/update.TestCase
index da573714..e49e1bf0 100755
--- a/tests/update.TestCase
+++ b/tests/update.TestCase
@@ -32,6 +32,14 @@ from fdroidserver.common import FDroidPopen
 class UpdateTest(unittest.TestCase):
     '''fdroid update'''
 
+    def setUp(self):
+        logging.basicConfig(level=logging.INFO)
+        self.basedir = os.path.join(localmodule, 'tests')
+        self.tmpdir = os.path.abspath(os.path.join(self.basedir, '..', '.testfiles'))
+        if not os.path.exists(self.tmpdir):
+            os.makedirs(self.tmpdir)
+        os.chdir(self.basedir)
+
     def testInsertStoreMetadata(self):
         config = dict()
         fdroidserver.common.fill_config_defaults(config)
@@ -117,15 +125,13 @@ class UpdateTest(unittest.TestCase):
                 self.assertEqual('Conversations', app['localized']['en-US']['name'])
 
     def test_insert_triple_t_metadata(self):
-        importer = os.path.join(localmodule, 'tests', 'tmp', 'importer')
+        importer = os.path.join(self.basedir, 'tmp', 'importer')
         packageName = 'org.fdroid.ci.test.app'
         if not os.path.isdir(importer):
             logging.warning('skipping test_insert_triple_t_metadata, import.TestCase must run first!')
             return
-        tmpdir = os.path.join(localmodule, '.testfiles')
-        if not os.path.exists(tmpdir):
-            os.makedirs(tmpdir)
-        tmptestsdir = tempfile.mkdtemp(prefix=inspect.currentframe().f_code.co_name, dir=tmpdir)
+        tmptestsdir = tempfile.mkdtemp(prefix=inspect.currentframe().f_code.co_name,
+                                       dir=self.tmpdir)
         packageDir = os.path.join(tmptestsdir, 'build', packageName)
         shutil.copytree(importer, packageDir)
 
@@ -387,10 +393,6 @@ class UpdateTest(unittest.TestCase):
             self.assertEqual(apk, frompickle)
 
     def test_process_apk_signed_by_disabled_algorithms(self):
-        os.chdir(os.path.join(localmodule, 'tests'))
-        if os.path.basename(os.getcwd()) != 'tests':
-            raise Exception('This test must be run in the "tests/" subdir')
-
         config = dict()
         fdroidserver.common.fill_config_defaults(config)
         fdroidserver.update.config = config
@@ -408,12 +410,9 @@ class UpdateTest(unittest.TestCase):
         fdroidserver.update.options.allow_disabled_algorithms = False
 
         knownapks = fdroidserver.common.KnownApks()
-        apksourcedir = os.getcwd()
-        tmpdir = os.path.join(localmodule, '.testfiles')
-        if not os.path.exists(tmpdir):
-            os.makedirs(tmpdir)
+
         tmptestsdir = tempfile.mkdtemp(prefix=inspect.currentframe().f_code.co_name,
-                                       dir=tmpdir)
+                                       dir=self.tmpdir)
         print('tmptestsdir', tmptestsdir)
         os.chdir(tmptestsdir)
         os.mkdir('repo')
@@ -424,7 +423,7 @@ class UpdateTest(unittest.TestCase):
 
         disabledsigs = ['org.bitbucket.tickytacky.mirrormirror_2.apk', ]
         for apkName in disabledsigs:
-            shutil.copy(os.path.join(apksourcedir, apkName),
+            shutil.copy(os.path.join(self.basedir, apkName),
                         os.path.join(tmptestsdir, 'repo'))
 
             skip, apk, cachechanged = fdroidserver.update.process_apk({}, apkName, 'repo',
@@ -475,7 +474,7 @@ class UpdateTest(unittest.TestCase):
 
         badsigs = ['urzip-badcert.apk', 'urzip-badsig.apk', 'urzip-release-unsigned.apk', ]
         for apkName in badsigs:
-            shutil.copy(os.path.join(apksourcedir, apkName),
+            shutil.copy(os.path.join(self.basedir, apkName),
                         os.path.join(tmptestsdir, 'repo'))
 
             skip, apk, cachechanged = fdroidserver.update.process_apk({}, apkName, 'repo',
@@ -539,11 +538,8 @@ class UpdateTest(unittest.TestCase):
         self.assertTrue(foundtest)
 
     def test_create_metadata_from_template(self):
-        tmpdir = os.path.join(localmodule, '.testfiles')
-        if not os.path.exists(tmpdir):
-            os.makedirs(tmpdir)
         tmptestsdir = tempfile.mkdtemp(prefix=inspect.currentframe().f_code.co_name,
-                                       dir=tmpdir)
+                                       dir=self.tmpdir)
         print('tmptestsdir', tmptestsdir)
         os.chdir(tmptestsdir)
         os.mkdir('repo')

From 5ce950e748fc064fe27d92eb81c0456b6a7b9d1b Mon Sep 17 00:00:00 2001
From: Hans-Christoph Steiner <hans@eds.org>
Date: Mon, 11 Dec 2017 17:56:04 +0100
Subject: [PATCH 2/8] update: print warnings for all KnownVulns found

Some baby steps towards making the KnownVuln stuff more visible.
---
 fdroidserver/update.py | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/fdroidserver/update.py b/fdroidserver/update.py
index 02382d2b..e548df43 100644
--- a/fdroidserver/update.py
+++ b/fdroidserver/update.py
@@ -500,6 +500,8 @@ def has_known_vulnerability(filename):
     http://www.saurik.com/id/17
     """
 
+    found_vuln = False
+
     # statically load this pattern
     if not hasattr(has_known_vulnerability, "pattern"):
         has_known_vulnerability.pattern = re.compile(b'.*OpenSSL ([01][0-9a-z.-]+)')
@@ -524,14 +526,15 @@ def has_known_vulnerability(filename):
                         else:
                             logging.warning(_('"{path}" contains outdated {name} ({version})')
                                             .format(path=filename, name=name, version=version))
-                            return True
+                            found_vuln = True
                         break
             elif name == 'AndroidManifest.xml' or name == 'classes.dex' or name.endswith('.so'):
                 if name in files_in_apk:
-                    return True
+                    logging.warning(_('{apkfilename} has multiple {name} files, looks like Master Key exploit!')
+                                    .format(apkfilename=filename, name=name))
+                    found_vuln = True
                 files_in_apk.add(name)
-
-    return False
+    return found_vuln
 
 
 def insert_obbs(repodir, apps, apks):

From bde0558d82eb68c39d6c95eb80ed9c2eddea6ae6 Mon Sep 17 00:00:00 2001
From: Hans-Christoph Steiner <hans@eds.org>
Date: Mon, 11 Dec 2017 18:36:21 +0100
Subject: [PATCH 3/8] update: reject APKs with invalid file sig, probably Janus
 exploits

This just checks the first four bytes of the APK file, aka the "file
signature", to make sure it is the ZIP signature and not the DEX signature.
This was checked against the test APK, and I ran it against some known
malware and all of f-droid.org to make sure it works.

All valid ZIP files (therefore APK files) should start with the ZIP
Local File Header of four bytes.

https://www.guardsquare.com/en/blog/new-android-vulnerability-allows-attackers-modify-apps-without-affecting-their-signatures
---
 fdroidserver/update.py |  11 ++++++++++-
 tests/janus.apk        | Bin 0 -> 10067 bytes
 tests/run-tests        |   2 +-
 tests/update.TestCase  |  29 +++++++++++++++++++++++++++++
 4 files changed, 40 insertions(+), 2 deletions(-)
 create mode 100644 tests/janus.apk

diff --git a/fdroidserver/update.py b/fdroidserver/update.py
index e548df43..f90e4993 100644
--- a/fdroidserver/update.py
+++ b/fdroidserver/update.py
@@ -496,8 +496,10 @@ def has_known_vulnerability(filename):
 
     Checks whether there are more than one classes.dex or AndroidManifest.xml
     files, which is invalid and an essential part of the "Master Key" attack.
-
     http://www.saurik.com/id/17
+
+    Janus is similar to Master Key but is perhaps easier to scan for.
+    https://www.guardsquare.com/en/blog/new-android-vulnerability-allows-attackers-modify-apps-without-affecting-their-signatures
     """
 
     found_vuln = False
@@ -506,6 +508,13 @@ def has_known_vulnerability(filename):
     if not hasattr(has_known_vulnerability, "pattern"):
         has_known_vulnerability.pattern = re.compile(b'.*OpenSSL ([01][0-9a-z.-]+)')
 
+    with open(filename.encode(), 'rb') as fp:
+        first4 = fp.read(4)
+    if first4 != b'\x50\x4b\x03\x04':
+        raise FDroidException(_('{path} has bad file signature "{pattern}", possible Janus exploit!')
+                              .format(path=filename, pattern=first4.decode().replace('\n', ' ')) + '\n'
+                              + 'https://www.guardsquare.com/en/blog/new-android-vulnerability-allows-attackers-modify-apps-without-affecting-their-signatures')
+
     files_in_apk = set()
     with zipfile.ZipFile(filename) as zf:
         for name in zf.namelist():
diff --git a/tests/janus.apk b/tests/janus.apk
new file mode 100644
index 0000000000000000000000000000000000000000..ed4eed96c01647047e6420b778e885236b833c67
GIT binary patch
literal 10067
zcmds7cRZHe|G#c~hsY>fX1PUVB-wkD@yNVy5pLtQvMEAYS(%~8C>hx+g~*odogyPE
zB+2hwo_wF4e$VUo`@LSzf4{@~I-m17=QGYZpL4G3I@gUtdyxnVi$LW&@-nT&;u(de
zoqU4|IwHqOt=HOGwQKaaA;=kmAg?RusX=y_oN*zD7Emys7@!$|0AK;&C=mfd5CK8p
zA94m4FB}Mp0XdBO0C@mS0L=j706PF=pbZ<qMF2AZSjGn+0N^G-BtRBG2|ztSD?ldz
za0kKzzz2Z+AOwKz!@iLKkp2YBgA*A5Ob-BA@}KnhFZA3m^ztwC7eE6y4-*1dr2rH@
z1ek|80-`$1@gaDiU_anQ@UtBO@R0Jb{HKm1J%36=kOkZcxc;IY#?I{$M4{y5gtEGU
zX7zM(bwIH}bjoN42PZ?gAY<)j=V9k|L*Tllhb4qifljDfVo<J5b||E!vorFjS`uRT
z58v7e<A%n#A?4uQ%S{qG{+}u*EK=4TgK|Ls%Ji^9dm^uZ%dbj2?NHayZb*Hg;Lj>n
zb!#U_B-+c;(b)lw{O=A*LiFmek4Ohg%r&H(t);6T+Ql7>u?DsfS0J1#Dgf#bkrPJF
z6>aH;hN!WY9%z&b2J2=C8tJ*gJPIt@?a*z^p;d?kl$Bg9;Q@dM0S&tY;knt`VIe%&
zZ7_yMV+-f-_`*3nyl@W337ivx*`R=E5tI~{OmGpj1STfZfDivc&^I6iw{wOk479=n
zT3|gtz~uzUomdf&5X6qahn!h)AU22*NMTs<!1XwY0SqhdVVMxb0URL+1b$E;-dzF$
z#3K+CaO}YewgV?PKUzz$jidDh`+Kye;J7|oPcRRbf!7oc>z}glnnD0y;dXFL;{rac
z3+@NvCrt(`1T-vb0n?y8Ov7s#PTFd?c<@>wg4zjR`9&^X;tK*b&46_raAp3CFAYnK
zoedi6CgA1hkgngMNh3oeC3TFxmBGfV&6?g!*6Mt3aG&kCNSLbr`M}vIGN+fX+STRU
za$G*VK|0T*R5`B%hpZpJ>$1|Hpyuhl=pmx_Mg8^Q=d_~5w>udU2JW@9$}?ETV(sSJ
zoPrUfTaycPVf@V(U6kwCCn=r6IcATqhtQV=5?e)xaYlt%&z@XQ|0?sHUFh5ku8Oc|
zc`k}4l&fLSnzh(tAq+LYe25r(RJgEPaTH0xaI4<3bxMzj(3bf}?Uxz8?WGf3WiQ&8
zE?%O=pPLaX4c6GeD60o+nV*&MFxXUCzGu$X$nPXjF}yR|KWmRqs6QE>cXcLpWNN;W
zM5JN_hc5ZUhQNCQf%PKYskgi(PK2|L41Uorr)`#tp9)s+tv+^VdzjGvOsI%c7|*+n
zXGlPl-Z-nDMhX-62We+*MMWR>dSM3j!QR}3<_G*fb2lp6FUGZ%nk9&FwQCmBy+WHN
zysJ~R(ajv7$jfqTB`#OG+&%qfR(1vZZn(0crre(9nss6W-MLpJ58h*Aljk{XBusPc
zKAu@KYdx!zV!6u99OIcM(lI$6!0+v!n0GF^*4KPGmBTEEl!`X#z9heRM{`_UvV_|w
zUOsoiN`-Ri?8WDE{2{liII#L7^#?J2=DuRObOnh9XY&Ho-X%BQ<jptR@>j0%(!{Vn
zig5U*9WX1<D4>#F@Xc*;qs*1D>aIbL%i!Yzl%X$<1~-Q{1&O<`P}z!JpXmIYGC9xu
zr263Q6fg4nTvnqkzOX~lvztl-sUOE}=I{v2OnC3+FGd+(iEX1qvr}|LP@QPfn|PBy
z_-1p}Ab@r))$mT5x-a*^==8e;>&7@w-3Lr|69rDZ%<+jI^~bn`<?A#8dfHSLU2b%t
zM=E?w8w{~e9VFdMZ*RM3b?2u<Yp!tEd<|o`M4fWyWZDMv5Y~~{Hve3aTEe@pW!_{R
z^m3m(?3}KKnhEv{b;$QF4SG+6nsLb^Ps%(~TH2!b9-*usB=W8|c{bE*Pu|y|(93UI
zADop$+Sj4fyY$xEFVw6dD5KE6YyOT2(sDs$Xffo~`9|fADU7Se%hTlDvg%d(k@kj9
z%`30A-rpx*tcdlO?G|)0!yP@yn<O>2*S6nHYP7-Uu;D><g_ds@m)JC2G=FBhHZS`{
z@%dy}7G3A&?vEFzeEnIAH7`li4+}qFp-5A^61dY-B7L-Cp~Dq>0#X;N1UEAnr@)GJ
zMPrdDS4&SzE3h@&S(`gpx?`+u(XIl{m}}wMno8s(jPP<NS5cPN1^HzdMDXTPVCOOk
z`2H&LGWuSl6RAE=&<1|5r5no!FYSm33%()~CL<xsWZep4q}-P~E2^5W7^<XuJp78R
ztg?NiqpV1OZ%kt1^S(zXRBkB`@DY>9-5tDcm!B0GtnGZ68CU4;rp5hapViL#opJ28
z+0xDui~R#(PqX<nNzadpHmCXbmfd&EJfE(9lWJ(3GWlachk4=>8{M<37)Z4G!xtaV
z$Ois=vx@wcsVx)NYvu8$6WZ@HSkc=MBtA==VmH5wx*wj$Ucg=;rWgAtjJH}Uyu+~A
zH~o(i)IDme_Ff{!*u2*Gm+?2}Z_E2<wIZ+3)@+sBk&Qz{oceTZY)Ae4U`A=(`7!S%
z#~y**vD>+fNlpTO?{kC#+XL%QeJ5NJK4mSVzzVT%-!&ZT{ieNs8ajBNsFg(i_yz)6
z8;)v6njh%C$7+e*44=D3C)V7;N04`4C9tsI*fB?X+we}+So_@O&-P~y`h~wQuU3ST
zs`J)AjP**VeMQNx9X4{|wtA8M)l1YqYA?83)BUbFd@9#!W}2GpR(9I;Vv<4NY@?Ld
zsYMJw(RO?xqPF12_+Gc^7&6nRV?0GNw8Rj6vFU+piweufAmW~HAM#0GI3zG~gdh)o
zRDXOMu%*7Y6HJ%Qz-@HyvV8SWk;xC@hRQ#xymQ)f{SxZzj4e}h3!c?|;MNOZ)~dR}
zqD}L{dMLM0Ygf|{r*rw~>h7oJR;8V0YHo7PwONa$MYh2eI}XHj)O;?+=Sz8i-NV?Z
zE9+g5oWv0BDBZ&N=^b14t@<<iWRrr{8~Gd2hEq(PCiVjRJAN!Qdg2A`scb2NEUbx7
zwomilK1EI#B1tf=cuO_Xv8=T)ClJX>!!Z1iQ1*{ED=#KyerR-g9(YIyuzjlYSx;0p
z2v0bRskc47)FYmd@G1yRuH+mnt%y0#(5e6C!h@6Z8FabB_G_tj_$(4UT_*$k9a=(8
zdYIB%sV3EnnFYt~hSzfGzMBo*Z2daQl16$tnFiU<)Kij8WoE%CcFAWZ-(hTQc744~
z{PBs4QpP0@@x`PAge{8w3QSo1rF5>!=TM@i+vzw9KAt~j?k>tAX3d~Oj_h6gTt$Bt
z5gKe^<GZ{Z=e1F8NJTZ-&{<L-n2~WtXMHmkkFeRJ<@8Lsjl}JEf&g)a0@uW@q4b`U
zN#qF1@mXy}D$8b4IV(;Lc|Fauw>&eJy{tULZ%DILA3rXB_Ibhc;77QKX$_SRXAWFG
z7}vRs^kxgAg{_CwL%3ShxW9+$1;2OX_VE|7D=$n!yudR^#8X=og7(Ap`Nn)de%HD5
z{PWzTY_><|!`4TNGt-lgJ%#3&uBS-dmC;4Jzj7JWw!&g9>hDdX#4^K8_bxsoF0`rM
zv!<hd=N+-%?9igm5H3<w0Zm+ZA!%tYxv^!A;b5bo&`tOK6f=%$Ww3r(@kunH8o_De
zY{qG%8#X$$mP{0|+3>dJ%I<W30rjhp`M4dat^mhmo9w6Yd_)x%P@331#%lsBAN?Lj
z&z!r@fiU8-P)oN)2Qqcx6*bCC9=j~fVY{1Lh%{1SNKh1ezB%&}+qx26Tuv*bL)BC_
z5NE`L74B^6*t^?4NE1+n;Vsgv?n0;JzDc&uV0vr7jAe07k08z6M^LJz4Te2Ab#_gO
za=&N1GIpw)sGmnL&g8RXVWZ$33oNHg_F0GVk-3S&+q{zZ{wS0aG7?#4Xe%TRi@>Yl
z>-_`giU5@+BgO46sRQ?I6Tg4mCB8*)Vx@|!8xQ@yyUj=IB%2BM_Ck#CS~rib0@}|j
zh*cmQ?=4<|RAi<tYJiZ0`*yB4IoCCQk1l;99n?+l@%^mQX9nkHBk!LX!=s{UNwzk+
zt6IJz;l}wwpRKil+Jbir)q3K1SnwHH*(S2biq7c?7n)0HB=y30)!dzk^AO4@56Oq3
z_jZ!+5B8iPkStZNuQ%%MC6({MlMX`(4s0>s2~-n(P5LFfj8P`1GFg?_)WrG8B_0Uz
z%CpOXV6t<K$L&OUBVN@g0jF|3q|DIAp)uKZ;8p@bbqtd=@|mf`J9FRhR0yCzarwNV
zR|U9vmm|Nks{|&U`5a1xr@lFNbKuT7B1nZZrXP~$>65gy8d)p$;+uA8B#{@6FrmK5
zaF4oK2D%)4y0E44*m3=pF8$~JHYE;$b2N%WM1zWbYS+%xBVvk379fFF1lmE5#A&1^
zA?0l`W1KnYn^ockC6&YpS#x4RVqRm}xK+CkXSWg|*9bE4AAGFtW~{Xr<ywSx@&bJF
zBQu2psm{}>zY8OMj!;ZwSG&W7kik=`pG~(U^2&3(8~`aR_M%eGR()ZU{U(`%)4(Og
zbn-G&z{(DeALJaCR~<ub$BOKIOEf4S))EIPiF)zv8P~nzn|6cPQLNXg&*xLj;eT6M
zyFch2%X#_M^kT8OYsL_nZ2EG?^STQV=L*!zebY*HDl#sLq?jJ!VP0eBOpfcL8(AeF
z%zT-rs;nb&vdN4;?b~Kx6cvif0OFC)lOQXOD^jz&d?Alow||sqTT?amiI(8=Dr(Bb
zcUOX55+^WBewgZK^Q@0#O}uxD=Ba4#;K{%S^<vTBJ9vSw)-(mX&J;WAsu8#gKJs%6
zY(=rP=I!51kMi2dPKby(kp?jh6I7Xu*9S7_l;X{Ch7UG7K+tocE^(P5rRF`<*|(5N
zoV6`3$^4?Nwrlp_DK2A?Febin>ozOfgfq?e-6&~oyA$<wc!Q-OBZQ`zP;&|ze~inT
zg*6%<BH(pxEjX8JV{#+a5HBr@B!te!X0%+iCS%`LwaO?b{y4i*QDVH*agE#*^kj5u
z>ixB-1n%gKy;UPpgOj?;BSXR0@7n5L@?JL)?2_znnz>GLDvgy$xQv%u)o1&$t@_93
zs;aNAGiRCTR;;F=hfv3*aM)`0?gTWCbsOE=Ek9lN>16@4{!-YNC$t$_0dr^L(T}Ju
z;+(IWPU|I#()gowsokze+#QiuV1oZGGeo@Mptp>siG>{>Qkc2%<z&E1b5nQbk_q<m
zu}7s(>_z51M;_LXPF*n|9P~)#7chQhC>_8n7b2*SGH~!3!nbs&YI+szB%}MrcyU0h
zG_F1MS=~|#ov2pY+nrlsyxC{Jgr};gtlt(VJ6E~?!STJ<d|vjw_S`I+M~|ut+{g4(
z^JLUj)lF`nh)AJ|%WgOFS=23{PsSup9MCTL>qmMd-?vl1e4Br8ZbIn!vD2QxPZ{|;
zC_CbX!ebG$YcIAc9j2EmO<lgq=XhTIWaRlRLj03#Az|9at$~^$KIY*>eU)=sPa=4o
z%2WHUE8XLJ74lfsz0<NkQYVx#i2PV%TLXiXm)ujOq6^7)47zZ?E!;V+K-o|-WB7e8
zK=hqVCR6BfBG;IMbf2X~VR@mQU5cc<$hv{~{`A0slbMmzi<?UKj#-E|`6$guMJifs
zR;YXqShyfg7ejDAn(GW-x7Db48!2Z?c5Jrw{sX@x?u?PpuuR;q{#0yuN^8vXc!pCx
z+<2=*lQUQSw%lvSrUq|3*72(AAV7-U=BTVMbwpm+e=CPavt-?yzaw*|K&4<?LdS=#
z_CCTsc*OYqJ^RmdGY=YXVK)hze3E1q)CWDe2%0+lDL)3znA*^Xtd7sOOYik#F8M4q
z%D6UfXKreT*#vDEG%k*J7)EJ{N>7ehF+aKYZf5V`Hr<D(PG(&T$`1=ymAs!mq}ZL@
zUgbBLuZwn@SpKncupc1I>eX|vkF9m5dt-%M%XRN+G<97^)|<fhN#01mu7$~ic<iOM
z51VEqB|Fvk-6m^CbpsNLZ4@l_l?0|kwHlHtA2e?B2v3Y?d)&1&IBlhRHCo3Y`Od-W
z`_$df$1-MPUsniT%9%LVX+JJ2<o;v-np2&k!0uNjYpw6!-o1XK+9O?{-A%R{63_SI
zrov#oB`?RT7OM4l?~(=j^=_prLi58~^MML}(qmB$W8$Pl?4e@OxeqT2*i$D_XoTd`
zHL%ajADa{tcKzISET&&WB=&)4w7Buy8ijL4Ql&aeQt|L!-Q@1^Qv5VILE?^+wV3o2
zN!7~j+&mi+nzU)O*!i6z<Bd1Td!zg*6VJV!O|K??gC?9DG~4b$(z?sl=*=?e;V~Vh
zmy3;GT;`>@jCXf^I+yjh7v{)=@7`KDkgDA@mlhjhcJJ6gKfoT(FvnTFSi;#vmPRAA
z?knQovm2Q(B=Tm$GwBp2ILl>U`xN63DrdX&4{pyk+m+UuM!vR|w^UA+iA;>zOm*Ep
zaG-c`c31E5TXO@3`gI?ICG!I)aG{9BWT_!q$Rp1BBg+?yBwt&G`o6by93dqqr5&$V
z=Ai5;b)TO2;b|nY_<pwgMR4!9qr@(L0pY6E+$cfW6yLGeDikcp=y6sFpT|#q-qM9~
zZL6D4Ikb#*c${K;;H$yz{&MBTGr2kC`eWa!%bBR#M}ssxhCR<bNThCZp1eSe*`bTm
zJWxBsGBSkhTs4m9I~h@M;~Kv6jO34R`_De7G!!@(&~d+e+uR=G$u3|xpB5%Ym1NE2
z!p@HM=NJqRO`rR6Rde1dTSdb_<K3D36fR+d4o923l;lCjT$_k|lgG~$`aM=hwaAav
zdmI!^L|-JDW;8ruGHJe*GIfAEn^Kd8$=e(QFJzF4f~I_ttVQtOU-$-J<PlMVQy~}>
z;3x;Y@Hx4=TBET7mabT9aQ;JfSOuT)Aix`;7$D&Dp`#>tM1cGvfEPdoz%;-q$Q43E
zSO^KB0A&ez0$4!~fQN*xLGGaB3Tm*B%TF2&34pU;45<5`W$hqq$Q<ag1acTa+X9WQ
zzsNHE$F3LT2-+cmW%Qx7Bm3r{<P84IfqmFRYasn+Tlk#H19F038)#7PcIY|gu#GF=
zIs=X!sK)>wsUT(0#sT~}L52XXfI>m6kRH(P2wK8DJxn;Ph)(cM8~_T|pq(SIh6eV2
zYxQT_|L0d$5I^v_dL78&g9A9hag_#gn17VSjtG#$XPvA7d;l<C5#R~{9vDHl!x@6l
z8-I^6_^kG5PVqrY*Tb2-0p#!xX91oyS5P7Va|_S1-OtFwKP=z)IeV~gM!)z91R#0%
z@-s1l{5*gOKny@8Kq){sz%l^n9QbbV&(RLo{BtbBvGu>lECexteqj!K4o55s#Osli
zIp`xC<8Z{=fxg%s#w{G{aE~oPEgat%z=g-%`LO?vfbR;yBSiKa2VN&|ojs@{|8I4$
z_G@4j!n%k+yFXVJ22hTND}V@+IppaduGBwyI5?Dt-!Z`O945F-4=DJ&8OBjU;HV$!
zJ>u(wieF>nsNMfH2glWiXW(#qu;U$`TEl1Jupe+4&S76@Kn_<P`3L)9@e5BI(Er8{
z*e2X3*yds1e%d_xt^lea*d}=TKKzCN`|)pWQi9$bb{N(T01^&tALhY*W(7ICx5GaC
zo?u_#HF{KU3g~~+e|R2P0R#cyv4CxYoT)oN?Eo&rc783xM~c6e;l1Lp{LJUzXujY!
zKl^n!b{3#~#QV2n2mACBxUjEBHeo*wZ35;|j2!X)txb5o;O{tMIEP_*sQ(ry|6laO
z--7<P^s9b2288ht2+&6a0>TeC|C7c6w8&2y%u2w~!^5B7cL)VdI27UV1-*yAj#@id
zVzJ=S0fqKL$JII=m!WLEwu*j_*CAGV<Gkrt+^R68n>v(Ltcj*nsF;M0YftaVCDp!~
z9FC%-rebC5dnAAUQFaJ3g8Gqai2TjGJZ)P_4W7KO+aBqs-l#ODkAT!OnI0IehMh<D
zr#|)6x@&&H|3{wF<d0IiYR}1ln#Q%SeWayfy6lXe0{SWeu`2o;w9+^gLAV~Drul=#
z6`N7ap#!X=sEGM#+ON>1U?+=X@iACNQyeu5qQNHIVnjwz(zJ*dX+;x7;3?iXho=uS
zdy+;~EmZXeMsv##7<{6yAJ}&vWNdn3e>lnQGw+^DGwJR=Us@g6R?<1D|4xFZjISr?
zWki&)M4q*6Eo$+5hvlh=8!2YfI`LHxAF<$<xm`@1xEEI_MMWW3;=f%a{Uy9SZ*u#6
z=7U>7^N;f{7-M?d_q~we_|YLl@g8Rw&zCjElhxVVyHKwCI@52&4mHIfg-C9q1?p0H
zG84x=kj7hIhs`xOJ~N#d&OGjz-*@M`*NA=5*L?+lr^we*X)O{cH<L__7Ea7|HB!ug
z@J9^cQ!iFu&a)&8{Ku+n`F1z-`7HhGS3ADx2O>YjoWAlBVXW)%*?%B_|7rfy97n_j
zom|Gk`1x9{Lh*^uw9Up9+po26<ky`+8RxMteQ(jetzoJ-zd%;T>rS4Mqc==jd!m(L
zJYYFxq%QCRt5f<ppZ8f?11`gf4=0(Z_8+_SD=8Kwb(%_#RGX#LF^y=27H+@sx1vqp
zo+|rPV6x#UxI%}PF<j}IG*;LxjXps9J>1^$E;#RjFoSQ%@CL1+pf7V)MN<)}A)~3H
zsGz4WprL5ct>Y9dNE15a<FByFq-~mZxs>z;QG2MRX7aiX?+U|9)jMaiH<px2&!#4E
z?@n@apUwuaEXm?LS5;;>UcXd)6zKM%b8YdVdiz&-np(O29lYuj6@rRn-qWRym)$~3
z*vY^0P^z~_<Vfea+f}Wn;6+vEy;<LmO)smT5AC~~w7c({^0?N&t@xVK*6uo;PNrjS
zTQbe5<%kBXEA<!X&2@zvg(9hIr;XGfOdw|E>Gn-Uw)*YkZud+#a%n{bSA_L{shHAA
zS@OoWi~r1(nvE&5u9KD+v%Ivo7wVe5Wh7iR-Wrv;=qxbkBoJD9)z$O9!>0NraVh5a
z$iEMkJD$6e6d0%;0C>0k&tS<Z=;{mTDLQs`V1h40Av021=X^+Io79v|1C^Uj>NoSG
z+T22Ly<io-nXNS?nyVQ1xqH?(AW#_RhFWZuT>MPR!sS?$r7G1N4^>wog|A7#^B69t
zY2U`c5>B;JGHN$Pv|j<`jO;XhgzXI3Ie{Y9rcZtr?2Ku8z7FD667=Fx<)4#pQ1Xqb
zV=1!iCKt$7pGAu9UdXz+Gn*|I`Elh=PXanGmBCI_#wM|L*OHyc-iVEfo-<2C^GD2p
z!3V4c;VazSv7FQ>^4DgMLTi_lP;nXcMfB3_G$sDBGx*GE1FzQ&iT|LU4^!p7S3g)|
zKwD#$j3gDE+sN6xaN(h0W#qG(p7NTUb5_)k&iHTnpF_H)u+)BNUsjC8=NL1%+M@Hg
z>~^$T+i<j|_D;m^#cl^{`eZN3wQY|pwpq)BcT$DFwoLtfs6~Q!*)6~}NCb9K_{ST6
zA8K7a8DU#18_V|t*EenVx;xsspJ#@DDwH|?R*6edQ4WKvDSE~6k_{K{6#`t$E%sJ?
zjk`$l6#54^B~v&yT#8&=CmM-!lgPbhuG1R_nRGUB3EnO(CKe7MI7vdk79?i+ayjY-
zuflFJZ>SXkJ1doqrCDBBu-bK9yPBXhv1eIXSwTS|Sy?5?`Ihlw&%(2Ua!L^KY7I@1
zo3RsZZEs$T4|iDf4z~{sx2<_azwUhCZHQj{l764&Sio1;ntD6Sidd|b&f8Y}#m4=&
zYPhEjlJeA&Cw2QI{g;~$-Y3O3Hrs@ykJknspltO5KJ2;~pF}fPTXk;~Zpm!Ctw<NG
z+eY;zRf;e>ZQOAsyXV2VPd)#AsIKCxEzf-1!zGF-zX8ua8^7ZByG5R-6+~8RB+Z4-
z2@45k<Fg6(UNsRmGpm)T7F-aw?#jPv{&1A@-pB90k9ItQiv|ve%M$0zXfB?=w%Mvh
zU7z|+0BN?vJ0!3%t(FrKVV}4!Aig`$AH4hWahwUU>xF{`VQ<Pc+liXNRF#f9-;zC)
z!yU?1KK)_G@_qNo+H57Q@OdW*`}Ddmdl%o1^iIt<DMZx1^kmR5{Ma=n)>OP6F7sZ_
z!dtMITXH(<6E3fKmLjg2^-Y=aMO@2}_0JtBk9cO<el@9t)zSKeq8WF#*C`*ajp0TN
zBll~vt6TQ8*KevURiLY@g#?s^J}>e7kl0df8i<RCrtsO`NL3JcbM<A{biik&gB*zo
zjYgwH{e&s<82gLZ5AL^At#o#mutJh<DFwq_qMSFvzxNv0bql6oYj?AgCU=n<+2B_f
z2pp2b_o;vW-35rrpNR<EssG_u7=J1F=g+`L;t*5=o<9DkkHWue`uq99UwR;@5Im#&
z{j}jP*?)e#_)B_$>2D7kzYG3;qxehEkoA}4`O9tNcMZSqo_}e$#rBJapL^-=(!XyA
fe@U;h|1J%-2W>Tc_&F6k*bzdFV7vA|4VV54kn;P<

literal 0
HcmV?d00001

diff --git a/tests/run-tests b/tests/run-tests
index 696bcd75..af29f471 100755
--- a/tests/run-tests
+++ b/tests/run-tests
@@ -9,7 +9,7 @@ echo_header() {
 copy_apks_into_repo() {
     set +x
     find $APKDIR -type f -name '*.apk' -print0 | while IFS= read -r -d '' f; do
-        echo $f | grep -F -v -e unaligned -e unsigned -e badsig -e badcert -e bad-unicode || continue
+        echo $f | grep -F -v -e unaligned -e unsigned -e badsig -e badcert -e bad-unicode -e janus.apk || continue
         apk=`$aapt dump badging "$f" | sed -n "s,^package: name='\(.*\)' versionCode='\([0-9][0-9]*\)' .*,\1_\2.apk,p"`
         test "$f" -nt repo/$apk && rm -f repo/$apk  # delete existing if $f is newer
         if [ ! -e repo/$apk ] && [ ! -e archive/$apk ]; then
diff --git a/tests/update.TestCase b/tests/update.TestCase
index e49e1bf0..db463a89 100755
--- a/tests/update.TestCase
+++ b/tests/update.TestCase
@@ -601,6 +601,35 @@ class UpdateTest(unittest.TestCase):
         self.assertEqual('urzip', data['Name'])
         self.assertEqual('urzip', data['Summary'])
 
+    def test_has_known_vulnerability(self):
+        good = [
+            'org.bitbucket.tickytacky.mirrormirror_1.apk',
+            'org.bitbucket.tickytacky.mirrormirror_2.apk',
+            'org.bitbucket.tickytacky.mirrormirror_3.apk',
+            'org.bitbucket.tickytacky.mirrormirror_4.apk',
+            'org.dyndns.fules.ck_20.apk',
+            'urzip.apk',
+            'urzip-badcert.apk',
+            'urzip-badsig.apk',
+            'urzip-release.apk',
+            'urzip-release-unsigned.apk',
+            'repo/com.politedroid_3.apk',
+            'repo/com.politedroid_4.apk',
+            'repo/com.politedroid_5.apk',
+            'repo/com.politedroid_6.apk',
+            'repo/obb.main.oldversion_1444412523.apk',
+            'repo/obb.mainpatch.current_1619_another-release-key.apk',
+            'repo/obb.mainpatch.current_1619.apk',
+            'repo/obb.main.twoversions_1101613.apk',
+            'repo/obb.main.twoversions_1101615.apk',
+            'repo/obb.main.twoversions_1101617.apk',
+            'repo/urzip-; Рахма́нинов, [rɐxˈmanʲɪnəf] سيرجي_رخمانينوف 谢尔盖·.apk',
+        ]
+        for f in good:
+            self.assertFalse(fdroidserver.update.has_known_vulnerability(f))
+        with self.assertRaises(fdroidserver.exception.FDroidException):
+            fdroidserver.update.has_known_vulnerability('janus.apk')
+
 
 if __name__ == "__main__":
     parser = optparse.OptionParser()

From 67b9514c5a830159e6cc39a6ba180cb2774635b9 Mon Sep 17 00:00:00 2001
From: Hans-Christoph Steiner <hans@eds.org>
Date: Wed, 13 Dec 2017 11:57:36 +0100
Subject: [PATCH 4/8] update: strip EXIF data from all JPEGs

EXIF data can be abused to exploit systems a lot easier than the JPEG image
data can.  The F-Droid ecosystem does not use the EXIF data, so keep things
safe and strip it all away.  There is a chance that some images might rely
on the rotation to be set by EXIF, but I think having a safe system is more
important.

If needed, only the rotation data could be saved.  But that then makes it
hard to tell which images have been stripped.  This way, if there is no
EXIF, it has been stripped.  And if there is EXIF data, then it is suspect.

https://securityaffairs.co/wordpress/51043/mobile-2/android-cve-2016-3862-flaw.html
https://threatpost.com/google-shuts-down-potentially-massive-android-bug/120393/
https://blog.sucuri.net/2013/07/malware-hidden-inside-jpg-exif-headers.html

The big downside of this is that it decompresses and recompresses the
image data.  That should be replaced by a technique from jhead,
exiftool, ObscuraCam, etc. that only strips the metadata.
---
 fdroidserver/update.py | 27 ++++++++++++++++++++++++---
 1 file changed, 24 insertions(+), 3 deletions(-)

diff --git a/fdroidserver/update.py b/fdroidserver/update.py
index f90e4993..b6a33f77 100644
--- a/fdroidserver/update.py
+++ b/fdroidserver/update.py
@@ -672,6 +672,27 @@ def _set_author_entry(app, key, f):
             app[key] = text
 
 
+def _strip_and_copy_image(inpath, outpath):
+    """Remove any metadata from image and copy it to new path
+
+    Sadly, image metadata like EXIF can be used to exploit devices.
+    It is not used at all in the F-Droid ecosystem, so its much safer
+    just to remove it entirely.  PNG does not have the same kind of
+    issues.
+
+    """
+
+    if common.has_extension(inpath, 'png'):
+        shutil.copy(inpath, outpath)
+    else:
+        with open(inpath) as fp:
+            in_image = Image.open(fp)
+            data = list(in_image.getdata())
+            out_image = Image.new(in_image.mode, in_image.size)
+        out_image.putdata(data)
+        out_image.save(outpath, "JPEG", optimize=True)
+
+
 def copy_triple_t_store_metadata(apps):
     """Include store metadata from the app's source repo
 
@@ -744,7 +765,7 @@ def copy_triple_t_store_metadata(apps):
                         sourcefile = os.path.join(root, f)
                         destfile = os.path.join(destdir, os.path.basename(f))
                         logging.debug('copying ' + sourcefile + ' ' + destfile)
-                        shutil.copy(sourcefile, destfile)
+                        _strip_and_copy_image(sourcefile, destfile)
 
 
 def insert_localized_app_metadata(apps):
@@ -842,7 +863,7 @@ def insert_localized_app_metadata(apps):
                 if base in GRAPHIC_NAMES and extension in ALLOWED_EXTENSIONS:
                     os.makedirs(destdir, mode=0o755, exist_ok=True)
                     logging.debug('copying ' + os.path.join(root, f) + ' ' + destdir)
-                    shutil.copy(os.path.join(root, f), destdir)
+                    _strip_and_copy_image(os.path.join(root, f), destdir)
             for d in dirs:
                 if d in SCREENSHOT_DIRS:
                     if locale == 'images':
@@ -854,7 +875,7 @@ def insert_localized_app_metadata(apps):
                             screenshotdestdir = os.path.join(destdir, d)
                             os.makedirs(screenshotdestdir, mode=0o755, exist_ok=True)
                             logging.debug('copying ' + f + ' ' + screenshotdestdir)
-                            shutil.copy(f, screenshotdestdir)
+                            _strip_and_copy_image(f, screenshotdestdir)
 
     repofiles = sorted(glob.glob(os.path.join('repo', '[A-Za-z]*', '[a-z][a-z][A-Z-.@]*')))
     for d in repofiles:

From 387eebc4d69e0c89fd27a0bbe20ab31a5ea4be20 Mon Sep 17 00:00:00 2001
From: Hans-Christoph Steiner <hans@eds.org>
Date: Wed, 13 Dec 2017 11:51:34 +0100
Subject: [PATCH 5/8] update: strip all metadata from PNGs

This strips metadata and optimizes the compression of all PNGs copied
from the app's source repo as well as all the icons extracted from the
APKs.  There have been exploits delivered via image metadata, and
F-Droid isn't using it all, so its best to just remove it.

This unfortunately uncompresses and recompresses the files.  Luckily,
that's a lossless procedure with PNGs, and we might end up with
smaller files.  The only tool I could find that strips without
changing the image data is exiftool, but that is written in Perl.
---
 fdroidserver/update.py | 30 +++++++++++++++++++++---------
 1 file changed, 21 insertions(+), 9 deletions(-)

diff --git a/fdroidserver/update.py b/fdroidserver/update.py
index b6a33f77..4611b127 100644
--- a/fdroidserver/update.py
+++ b/fdroidserver/update.py
@@ -35,7 +35,7 @@ from argparse import ArgumentParser
 import collections
 from binascii import hexlify
 
-from PIL import Image
+from PIL import Image, PngImagePlugin
 import logging
 
 from . import _
@@ -84,6 +84,8 @@ GRAPHIC_NAMES = ('featureGraphic', 'icon', 'promoGraphic', 'tvBanner')
 SCREENSHOT_DIRS = ('phoneScreenshots', 'sevenInchScreenshots',
                    'tenInchScreenshots', 'tvScreenshots', 'wearScreenshots')
 
+BLANK_PNG_INFO = PngImagePlugin.PngInfo()
+
 
 def dpi_to_px(density):
     return (int(density) * 48) / 160
@@ -371,7 +373,8 @@ def resize_icon(iconpath, density):
             im.thumbnail((size, size), Image.ANTIALIAS)
             logging.debug("%s was too large at %s - new size is %s" % (
                 iconpath, oldsize, im.size))
-            im.save(iconpath, "PNG")
+            im.save(iconpath, "PNG", optimize=True,
+                    pnginfo=BLANK_PNG_INFO, icc_profile=None)
 
     except Exception as e:
         logging.error(_("Failed resizing {path}: {error}".format(path=iconpath, error=e)))
@@ -677,20 +680,28 @@ def _strip_and_copy_image(inpath, outpath):
 
     Sadly, image metadata like EXIF can be used to exploit devices.
     It is not used at all in the F-Droid ecosystem, so its much safer
-    just to remove it entirely.  PNG does not have the same kind of
-    issues.
+    just to remove it entirely.
 
     """
 
-    if common.has_extension(inpath, 'png'):
-        shutil.copy(inpath, outpath)
-    else:
-        with open(inpath) as fp:
+    extension = common.get_extension(inpath)[1]
+    if os.path.isdir(outpath):
+        outpath = os.path.join(outpath, os.path.basename(inpath))
+    if extension == 'png':
+        with open(inpath, 'rb') as fp:
+            in_image = Image.open(fp)
+            in_image.save(outpath, "PNG", optimize=True,
+                          pnginfo=BLANK_PNG_INFO, icc_profile=None)
+    elif extension == 'jpg' or extension == 'jpeg':
+        with open(inpath, 'rb') as fp:
             in_image = Image.open(fp)
             data = list(in_image.getdata())
             out_image = Image.new(in_image.mode, in_image.size)
         out_image.putdata(data)
         out_image.save(outpath, "JPEG", optimize=True)
+    else:
+        raise FDroidException(_('Unsupported file type "{extension}" for repo graphic')
+                              .format(extension=extension))
 
 
 def copy_triple_t_store_metadata(apps):
@@ -1512,7 +1523,8 @@ def fill_missing_icon_densities(empty_densities, icon_filename, apk, repo_dir):
             size = dpi_to_px(density)
 
             im.thumbnail((size, size), Image.ANTIALIAS)
-            im.save(icon_path, "PNG")
+            im.save(icon_path, "PNG", optimize=True,
+                    pnginfo=BLANK_PNG_INFO, icc_profile=None)
             empty_densities.remove(density)
         except Exception as e:
             logging.warning("Invalid image file at %s: %s", last_icon_path, e)

From 8f45796ecbb51303d32b5ae0136715400b4ce4ea Mon Sep 17 00:00:00 2001
From: Hans-Christoph Steiner <hans@eds.org>
Date: Wed, 13 Dec 2017 12:28:11 +0100
Subject: [PATCH 6/8] update: close unclosed Image instance

---
 fdroidserver/update.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/fdroidserver/update.py b/fdroidserver/update.py
index 4611b127..15013347 100644
--- a/fdroidserver/update.py
+++ b/fdroidserver/update.py
@@ -1487,6 +1487,8 @@ def extract_apk_icons(icon_filename, apk, apkzip, repo_dir):
         except Exception as e:
             logging.warning(_("Failed reading {path}: {error}")
                             .format(path=icon_path, error=e))
+        finally:
+            im.close()
 
     if apk['icons']:
         apk['icon'] = icon_filename

From 42522c23c9dc16319eb66811467dca85bef227a4 Mon Sep 17 00:00:00 2001
From: Hans-Christoph Steiner <hans@eds.org>
Date: Thu, 14 Dec 2017 10:58:02 +0100
Subject: [PATCH 7/8] update: do not crash if AndroidManifest.xml in APK has
 invalid date

This crash actually blocked a Janus exploit APK from being added to the
repo, but crashing isn't really the appropriate way to do that.
---
 fdroidserver/update.py | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/fdroidserver/update.py b/fdroidserver/update.py
index 15013347..782d18fc 100644
--- a/fdroidserver/update.py
+++ b/fdroidserver/update.py
@@ -1355,10 +1355,13 @@ def process_apk(apkcache, apkfilename, repodir, knownapks, use_date_from_apk=Fal
         apkzip = zipfile.ZipFile(apkfile, 'r')
 
         manifest = apkzip.getinfo('AndroidManifest.xml')
-        if manifest.date_time[1] == 0:  # month can't be zero
-            logging.debug(_('AndroidManifest.xml has no date'))
-        else:
-            common.check_system_clock(datetime(*manifest.date_time), apkfilename)
+        # 1980-0-0 means zeroed out, any other invalid date should trigger a warning
+        if (1980, 0, 0) != manifest.date_time[0:3]:
+            try:
+                common.check_system_clock(datetime(*manifest.date_time), apkfilename)
+            except ValueError as e:
+                logging.warning(_("{apkfilename}'s AndroidManifest.xml has a bad date: ")
+                                .format(apkfilename=apkfile) + str(e))
 
         # extract icons from APK zip file
         iconfilename = "%s.%s.png" % (apk['packageName'], apk['versionCode'])

From 2e531af58f8fd329c610bb84e16e6ff1bb13d0c4 Mon Sep 17 00:00:00 2001
From: Hans-Christoph Steiner <hans@eds.org>
Date: Thu, 14 Dec 2017 14:42:09 +0100
Subject: [PATCH 8/8] build: force purging of sudo, ignore error message

Fixes bb758d3f, spotted by @bubu:
DEBUG: buildserver > DEBUG: > sudo apt-get -y purge sudo
DEBUG: buildserver > Reading package lists...
DEBUG: buildserver > Building dependency tree...
DEBUG: buildserver > Reading state information...
DEBUG: buildserver > The following packages will be REMOVED:
DEBUG: buildserver >   sudo*
DEBUG: buildserver > 0 upgraded, 0 newly installed, 1 to remove and 0 not upgraded.
DEBUG: buildserver > After this operation, 2,391 kB disk space will be freed.
(Reading database ... 68491 files and directories currently installed.)
DEBUG: buildserver > Removing sudo (1.8.10p3-1+deb8u4) ...
DEBUG: buildserver > You have asked that the sudo package be removed,
DEBUG: buildserver > but no root password has been set.
DEBUG: buildserver > Without sudo, you may not be able to gain administrative privileges.
DEBUG: buildserver >
DEBUG: buildserver > If you would prefer to access the root account with su(1)
DEBUG: buildserver > or by logging in directly,
DEBUG: buildserver > you must set a root password with "sudo passwd".
DEBUG: buildserver >
DEBUG: buildserver > If you have arranged other means to access the root account,
DEBUG: buildserver > and you are sure this is what you want,
DEBUG: buildserver > you may bypass this check by setting an environment variable
DEBUG: buildserver > (export SUDO_FORCE_REMOVE=yes).
DEBUG: buildserver >
DEBUG: buildserver > Refusing to remove sudo.
DEBUG: buildserver > dpkg: error processing package sudo (--purge):
DEBUG: buildserver >  subprocess installed pre-removal script returned error exit status 1
DEBUG: buildserver > Errors were encountered while processing:
DEBUG: buildserver >  sudo
DEBUG: buildserver > E: Sub-process /usr/bin/dpkg returned an error code (1)
---
 fdroidserver/build.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/fdroidserver/build.py b/fdroidserver/build.py
index e2866fbd..d4f50005 100644
--- a/fdroidserver/build.py
+++ b/fdroidserver/build.py
@@ -414,7 +414,12 @@ def build_local(app, build, vcs, build_dir, output_dir, log_dir, srclib_dir, ext
                 raise BuildException("Error running sudo command for %s:%s" %
                                      (app.id, build.versionName), p.output)
 
-        p = FDroidPopen(['sudo', 'apt-get', '-y', 'purge', 'sudo'])
+        p = FDroidPopen(['sudo', 'passwd', '--lock', 'root'])
+        if p.returncode != 0:
+            raise BuildException("Error locking root account for %s:%s" %
+                                 (app.id, build.versionName), p.output)
+
+        p = FDroidPopen(['sudo', 'SUDO_FORCE_REMOVE=yes', 'apt-get', '-y', 'purge', 'sudo'])
         if p.returncode != 0:
             raise BuildException("Error removing sudo for %s:%s" %
                                  (app.id, build.versionName), p.output)