Apktool v2.9.2 Released
Apktool v2.9.2 has been released! This release is a hot-fix on top of the previous v2.9.1 release for 1 security fix.
Discovered by Yusuf at Denuvo: Apktool would infer file names from the respective resource names, which, if made malicious, would result in a file being written outside of the directory in which Apktool was operating (i.e. path traversal). More detail is in the issue report: CVE-2024-21633 (GHSA-2hqv-2xv4-5h5w).
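A containment check that guards against this class of bug, as an added example (not Apktool's code and not its actual fix). The class and method names are hypothetical, and the resource names are constructed samples:

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Path;

public class ResourcePathGuard {
    // Hypothetical helper (not Apktool's API): map a resource name read from an
    // untrusted APK to an output file that must stay under outDir.
    static File resolveInside(File outDir, String resName) throws IOException {
        if (resName == null || resName.isEmpty()) {
            throw new IOException("empty resource name");
        }
        Path base = outDir.getCanonicalFile().toPath();
        // getCanonicalFile() collapses "." and ".." segments and resolves
        // symlinks on the parts of the path that already exist.
        Path target = new File(outDir, resName).getCanonicalFile().toPath();
        // Path.startsWith compares whole path elements, so a sibling such as
        // ".../res-other" does not pass as being inside ".../res".
        if (target.equals(base) || !target.startsWith(base)) {
            throw new IOException("resource name escapes output directory: " + resName);
        }
        return target.toFile();
    }

    public static void main(String[] args) {
        File outDir = new File(System.getProperty("java.io.tmpdir"), "decoded/res");
        // Constructed sample names: two benign, two that climb out of outDir.
        String[] names = {
            "drawable/icon.png",
            "layout/./main.xml",
            "../../outside.txt",
            "raw/../../../outside.txt",
        };
        for (String name : names) {
            try {
                System.out.println("OK      " + name + " -> " + resolveInside(outDir, name));
            } catch (IOException e) {
                System.out.println("REJECT  " + name + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

The check runs on the resolved path before any file is created, so a rejected name never touches the disk.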
Sponsors
I launched GitHub Sponsors to help provide another alternative for folks showing appreciation. I want to remind folks of two companies that continue to hold a monthly donation for the project.
- Emerge Tools came online to sponsor the tool.
- Sourcetoad (my employer) additionally joined to sponsor (as well as a few other projects).
This release had 3 commits by 1 person
- Connor Tumbleson (iBotPeaches) - 3 commits
Changes since 2.9.1
- [#3484] Fix #GHSA-2hqv-2xv4-5h5w (Arbitrary file writes). (Thanks 0x33c0unt)
Notes
- The v2.9.x releases have moved to aapt2 being the default. If you'd like to return to the previous behavior, please use --use-aapt1 during the build stage.
Download
- Apktool 2.9.2
  - 352f85721fa95847f03a10fa7ea78322 (md5)
  - 831f0ffc97b6f20f511d6183cbf6785464d341aacb0fb7e6f22ef0c7b228911a (sha256)
- Rename to apktool.jar and follow the Instruction Guide if you need help.
- 2.9.2 Doc Site Post