From d1df6be2e2babdc0e4fd01689ab630a747ebebc5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michael=20P=C3=B6hn?=
Date: Thu, 9 Apr 2026 15:45:19 +0200
Subject: [PATCH 1/2] =?UTF-8?q?=F0=9F=90=9B=20publish:=20fix=20exit=20stat?= =?UTF-8?q?us=20integer=20overflow?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
publish.py currently uses the number of failed verifications as exit status. `sys.exit(failed)` Whenever the number of failed verification attempts is divisible by 256 the return status is 0. exit status 0 however conveys that there were no errors, so as long as an attacker can controll the number of verification failures they can use this to turn off verification alltogether.
---
 fdroidserver/publish.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fdroidserver/publish.py b/fdroidserver/publish.py
index 42945166..b6c0009a 100644
--- a/fdroidserver/publish.py
+++ b/fdroidserver/publish.py
@@ -471,7 +471,7 @@ def main():
 if failed:
 logging.error(_('%d APKs failed to be signed or verified!') % failed)
 if options.error_on_failed:
- sys.exit(failed)
+ sys.exit(1)
 if __name__ == "__main__":
From bbc5182b0675df0065892e5bafba608852fdb994 Mon Sep 17 00:00:00 2001
From: Hans-Christoph Steiner
Date: Mon, 13 Apr 2026 16:52:08 +0200
Subject: [PATCH 2/2] fix all other cases of sys.exit() overflow
---
 fdroidserver/lint.py | 4 ++--
 fdroidserver/update.py | 2 +-
 fdroidserver/verify.py | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/fdroidserver/lint.py b/fdroidserver/lint.py
index 84a7e88d..1f89e8a5 100644
--- a/fdroidserver/lint.py
+++ b/fdroidserver/lint.py
@@ -2454,13 +2454,13 @@ def main():
 failed += 1
 # an empty list of appids means check all apps, avoid that if files were given
 if not options.appid:
- sys.exit(failed)
+ sys.exit(failed != 0)
 if not lint_metadata(options):
 failed += 1
 if failed:
- sys.exit(failed)
+ sys.exit(1)
 def lint_metadata(options):
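Review bot: The new `sys.exit(1)` under `if options.error_on_failed:` carries no explanation of why the failure count is no longer used as the status, so a later "make the status informative" change could reintroduce the wrap-around this series exists to close. A one-line comment at the call site records the invariant; suggest `# exit status is an 8-bit value: a count can wrap to 0 and read as success, so signal failure with a fixed non-zero status`. The same comment belongs at the changed `sys.exit` sites in the lint.py, update.py and verify.py hunks of the second patch. `main()` begins before this hunk, so the `failed` counter's origin is not visible here.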
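Review bot: `sys.exit(failed != 0)` at the first changed site passes a bool while the second changed site in the same hunk passes the literal `1`; both yield status 1, but the first relies on `True` being `1` and reads as if a status were being computed. Stating the status directly is clearer and keeps both sites in one form: `sys.exit(1 if failed else 0)`. `main()` starts before this hunk and `lint_metadata` continues after it, so the surrounding control flow is inferred rather than visible.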
diff --git a/fdroidserver/update.py b/fdroidserver/update.py
index f1503876..e64ab2e7 100644
--- a/fdroidserver/update.py
+++ b/fdroidserver/update.py
@@ -3021,7 +3021,7 @@ def main():
 )
 )
 if errors:
- sys.exit(errors)
+ sys.exit(1)
 # Scan the archive repo for apks as well
 if len(repodirs) > 1:
diff --git a/fdroidserver/verify.py b/fdroidserver/verify.py
index 897463ae..817a32d8 100644
--- a/fdroidserver/verify.py
+++ b/fdroidserver/verify.py
@@ -306,7 +306,7 @@ def main():
 logging.info("{0} successfully verified".format(verified))
 if notverified > 0:
 logging.info("{0} NOT verified".format(notverified))
- sys.exit(notverified)
+ sys.exit(notverified != 0)
 if __name__ == "__main__":
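Review bot: `sys.exit(notverified != 0)` is nested under `if notverified > 0:`, so the comparison is always true and the call always exits with status 1; the expression suggests a computed status where there is none. Writing `sys.exit(1)` states the intent directly and matches the form used in the update.py hunk and at the second site in lint.py. `main()` begins before this hunk, so where `notverified` is counted is not visible here.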