CVE-2013-7459

Advisory

Destringcare 0.0.4 removes its dependency 'pycrypto' to fix security vulnerabilities.

Affected package

Affected versions

Fixed versions

Vulnerability changelog

Removed `pycrypto` due to security issue
This is due to:
* [CVE-2018-6594](https://nvd.nist.gov/vuln/detail/CVE-2018-6594) Moderate severity
* [CVE-2013-7459](https://nvd.nist.gov/vuln/detail/CVE-2013-7459) Moderate severity

More information: https://github.com/dlitz/pycrypto/issues/253

Replacing StringCare secrets
Added `replaced` argument for replacing Stringcare secrets.

bash
destringcare --resign Appname_v1.0.2494.apk mapped.json


where `mapped.json` is a key-value dictionary in JSON:
json
{
"firebase_database_url": "https://some-path.somewhere.io",
"google_storage_bucket": "another-path.appspot.com"
}


Printing out common plaintext properties
This is done by using `--other` argument.

bash
destringcare --other Appname_v1.0.2494.apk

Resources

• https://pypi.org/project/destringcare
• https://pyup.io/changelogs/destringcare/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7459
• https://pony7.fr/ctf:public:32c3:cryptmsg
• https://lists.fedoraproject.org/archives/list/[email protected]/message/RJ37R2YLX56YZABFNAOWV4VTHTGYREAE/
• https://lists.fedoraproject.org/archives/list/[email protected]/message/C6BWNADPLKDBBQBUT3P75W7HAJCE7M3B/
• https://github.com/dlitz/pycrypto/issues/176
• https://github.com/dlitz/pycrypto/commit/8dbe0dc3eea5c689d4f76b37b93fe216cf1f00d4
• https://bugzilla.redhat.com/show_bug.cgi?id=1409754
• http://www.securityfocus.com/bid/95122
• http://www.openwall.com/lists/oss-security/2016/12/27/8
• https://security.gentoo.org/glsa/201702-14