From e05d909df60c6fe7da31b6ae65f136b92e41937d Mon Sep 17 00:00:00 2001
From: Julian Raufelder
Date: Wed, 8 Mar 2023 11:37:39 +0100
Subject: [PATCH 1/2] Fix decrypting the file content on Android API level pre 29 using GCM Fixes #35 and see https://issuetracker.google.com/issues/197534888 for more details
---
 .../org/cryptomator/cryptolib/v2/FileContentCryptorImpl.java | 3 ++-
 .../org/cryptomator/cryptolib/v2/FileHeaderCryptorImpl.java | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/main/java/org/cryptomator/cryptolib/v2/FileContentCryptorImpl.java b/src/main/java/org/cryptomator/cryptolib/v2/FileContentCryptorImpl.java
index affb486..45e6f79 100644
--- a/src/main/java/org/cryptomator/cryptolib/v2/FileContentCryptorImpl.java
+++ b/src/main/java/org/cryptomator/cryptolib/v2/FileContentCryptorImpl.java
@@ -75,7 +75,8 @@ public void encryptChunk(ByteBuffer cleartextChunk, ByteBuffer ciphertextChunk,
 @Override
 public ByteBuffer decryptChunk(ByteBuffer ciphertextChunk, long chunkNumber, FileHeader header, boolean authenticate) throws AuthenticationFailedException {
- ByteBuffer cleartextChunk = ByteBuffer.allocate(PAYLOAD_SIZE);
+ // FileHeaderImpl.Payload.SIZE + GCM_TAG_SIZE is required to fix a bug in Android API level pre 29, see https://issuetracker.google.com/issues/197534888 and #35
+ ByteBuffer cleartextChunk = ByteBuffer.allocate(PAYLOAD_SIZE + GCM_TAG_SIZE);
 decryptChunk(ciphertextChunk, cleartextChunk, chunkNumber, header, authenticate);
 cleartextChunk.flip();
 return cleartextChunk;
diff --git a/src/main/java/org/cryptomator/cryptolib/v2/FileHeaderCryptorImpl.java b/src/main/java/org/cryptomator/cryptolib/v2/FileHeaderCryptorImpl.java
index e17d85b..35bebc1 100644
--- a/src/main/java/org/cryptomator/cryptolib/v2/FileHeaderCryptorImpl.java
+++ b/src/main/java/org/cryptomator/cryptolib/v2/FileHeaderCryptorImpl.java
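Review bot: The comment added above the allocation in `decryptChunk` names `FileHeaderImpl.Payload.SIZE + GCM_TAG_SIZE`, which is the header cryptor's expression, while the line it documents allocates `PAYLOAD_SIZE + GCM_TAG_SIZE`; it should read `// PAYLOAD_SIZE + GCM_TAG_SIZE works around a GCM bug in Android API level pre 29, see https://issuetracker.google.com/issues/197534888 and #35`. The method's Javadoc should also say that the returned buffer's capacity now exceeds PAYLOAD_SIZE and that only its limit after `flip()` bounds the cleartext, so callers must not size reads from `capacity()`. The workaround covers only this allocating overload: if the five-argument `decryptChunk` called here can also be reached with a caller-supplied buffer, that buffer presumably needs the same headroom, and its contract should state that. The method's closing brace lies outside the hunk.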
@@ -90,7 +90,7 @@ public FileHeader decryptHeader(ByteBuffer ciphertextHeaderBuf) throws Authentic buf.position(FileHeaderImpl.PAYLOAD_POS); buf.get(ciphertextAndTag); - // FileHeaderImpl.Payload.SIZE + GCM_TAG_SIZE is required to fix a bug in Android API level pre 29, see https://issuetracker.google.com/issues/197534888 + // FileHeaderImpl.Payload.SIZE + GCM_TAG_SIZE is required to fix a bug in Android API level pre 29, see https://issuetracker.google.com/issues/197534888 and #24 ByteBuffer payloadCleartextBuf = ByteBuffer.allocate(FileHeaderImpl.Payload.SIZE + GCM_TAG_SIZE); try (DestroyableSecretKey ek = masterkey.getEncKey()) { // decrypt payload: From 4e31711c71c047b666aacf0da5236c25bc00f1a3 Mon Sep 17 00:00:00 2001 From: Julian Raufelder Date: Wed, 8 Mar 2023 12:23:37 +0100 Subject: [PATCH 2/2] Suppress false positive --- suppression.xml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/suppression.xml b/suppression.xml index ebb877b..b4e9da1 100644 --- a/suppression.xml +++ b/suppression.xml @@ -9,4 +9,13 @@ cpe:/a:cryptomator:cryptomator CVE-2022-25366 + + + + ^pkg:maven/com\.google\.guava/guava@.*$ + CVE-2020-8908 + CVE-2020-8908 + \ No newline at end of file
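Review bot: The suppression added to suppression.xml matches every Guava version (`^pkg:maven/com\.google\.guava/guava@.*$`) and, as far as the extracted hunk shows, records neither why CVE-2020-8908 is a false positive for cryptolib nor when the entry should be revisited. CVE-2020-8908 concerns Guava's `Files.createTempDir()`; if the justification is that this library never calls it, state that in the entry's `<notes>` element so the decision can be re-checked when the code changes. If this is an OWASP dependency-check suppression file, as the format suggests, consider adding an `until` date on `<suppress>` so the scanner raises the finding again instead of hiding it indefinitely. The XML tags are not visible in this rendering, so a notes element may already be present.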