scripts/linux/apktool | 26 12 + 14 - 0 !
1 file changed, 12 insertions(+), 14 deletions(-)

 debian wrapper

brut.apktool/apktool-lib/src/main/java/brut/androlib/res/AndrolibResources.java | 8 7 + 1 - 0 !
1 file changed, 7 insertions(+), 1 deletion(-)

 use_system_framework

Rather than including a package provided apk in the jar,
just read it directly from where it gets installed.

brut.apktool/apktool-lib/src/main/java/brut/androlib/options/BuildOptions.java | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 use_system_aapt

brut.apktool/apktool-cli/build.gradle | 10 3 + 7 - 0 !
build.gradle | 107 5 + 102 - 0 !
2 files changed, 8 insertions(+), 109 deletions(-)

 build

brut.apktool/apktool-lib/src/main/java/brut/androlib/res/decoder/ResFileDecoder.java | 8 8 + 0 - 0 !
brut.j.util/src/main/java/brut/util/BrutIO.java | 7 7 + 0 - 0 !
2 files changed, 15 insertions(+)

 [patch 1/1] prevent arbitrary file writes with malicious resource
 names. (#3484)

CVE-2024-21633

* refactor: rename sanitize function

* fix: expose getDir

* fix: safe handling of untrusted resource names

 - fixes: GHSA-2hqv-2xv4-5h5w

* test: sample file for GHSA-2hqv-2xv4-5h5w

* refactor: avoid detection of absolute files for resource check

* chore: enable info mode on gradle

* test: skip test on windows

* chore: debug windows handling

* fix: normalize entry with file separators

* fix: normalize filepath after cleansing

* chore: Android paths are not OS specific

* refactor: use java.nio for path traversal checking

* chore: align path separator on Windows for Zip files

* chore: rework towards basic directory traversal

* chore: remove '--info' on build.yml