[frameworks-karchive] [Bug 415221] New: KZip fails to process files with extra data before the Central Directory block

Sun, 15 Dec 2019 12:38:52 -0800 

https://bugs.kde.org/show_bug.cgi?id=415221

            Bug ID: 415221
           Summary: KZip fails to process files with extra data before the
                    Central Directory block
           Product: frameworks-karchive
           Version: 5.65.0
          Platform: Other
                OS: Linux
            Status: REPORTED
          Severity: normal
          Priority: NOR
         Component: general
          Assignee: fa...@kde.org
          Reporter: l...@z3ntu.xyz
                CC: kdelibs-b...@kde.org
  Target Milestone: ---

Created attachment 124515
  --> https://bugs.kde.org/attachment.cgi?id=124515&action=edit
Example apk signed with the v2 schema

SUMMARY

Android .apk files are generally normal .zip files. Older apps signed with
"JAR-signed APK verification (v1 scheme)" are processed fine by KZip.
Newer files signed with "APK Signature Scheme v2" fail have an "APK Signing
Block" inserted right before the Central Directory block but after the last
Local file block.
KZip goes through the file sequentially and encounters "random data" and errors
out with "Invalid ZIP file. Unrecognized header at offset ${offset}"

The following links explain the structure of this quite well:
https://source.android.com/security/apksigning/v2
https://www.fortinet.com/blog/threat-research/an-android-package-is-no-longer-a-zip.html

The reason I'm filing this bug is, that all other zip programs I tested
(libarchive, unzip) handle those files without any problem, but KZip doesn't.

STEPS TO REPRODUCE
Try to process an Android apk signed with the APK Signature Scheme v2 with KZip
(e.g. with the kziptest util - "kziptest list ~/myapp.apk")

OBSERVED RESULT
The file can't be opened

EXPECTED RESULT
The file should be opened

SOFTWARE/OS VERSIONS
KDE Frameworks Version: 5.64.0

ADDITIONAL INFORMATION
I'm using KZip in https://github.com/z3ntu/kde-thumbnailer-apk which only
processes APK files so if this bug can't/won't be fixed, I will have to switch
to using another library for that.

Also if you have an apk , you can find out if it's signed with the v2 scheme by
grepping the file for "APK Sig Block 42" or using "apksigner verify -v
myapp.apk", provided by the Android build tools.

-- 
You are receiving this mail because:
You are watching all bug changes.

Reply via email to