Bug 917402 (CVE-2023-35946, CVE-2023-35947, CVE-2023-42445, CVE-2023-44387) - <dev-java/gradle-bin-8.4: multiple vulnerabilities
Summary: <dev-java/gradle-bin-8.4: multiple vulnerabilities
Status: CONFIRMED
Alias: CVE-2023-35946, CVE-2023-35947, CVE-2023-42445, CVE-2023-44387
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa?]
Keywords:
Depends on:
Blocks:
 
Reported: 2023-11-16 02:53 UTC by John Helmert III
Modified: 2024-02-12 01:40 UTC

See Also:
Package list:
Runtime testing required: ---


Description John Helmert III 2023-11-16 02:53:08 UTC
This release addresses two security vulnerabilities:
* [Dependency cache path traversal](https://github.com/gradle/gradle/security/advisories/GHSA-2h6c-rv6q-494v)
* [Path traversal vulnerabilities in handling of Tar archives](https://github.com/gradle/gradle/security/advisories/GHSA-84mw-qh6q-v842)

Fixes seem to be in 7.6.2 and 8.2:

https://github.com/gradle/gradle/releases/tag/v7.6.2
https://github.com/gradle/gradle/releases/tag/v8.2.0

Please bump.
Comment 1 John Helmert III 2023-11-27 19:58:30 UTC
CVE-2023-42445 (https://github.com/gradle/gradle/security/advisories/GHSA-mrff-q8qj-xvg8):

Gradle is a build tool with a focus on build automation and support for multi-language development. In some cases, when Gradle parses XML files, resolving XML external entities is not disabled. Combined with an Out Of Band XXE attack (OOB-XXE), just parsing XML can lead to exfiltration of local text files to a remote server. Gradle parses XML files for several purposes. Most of the time, Gradle parses XML files it generated or were already present locally. Only Ivy XML descriptors and Maven POM files can be fetched from remote repositories and parsed by Gradle. In Gradle 7.6.3 and 8.4, resolving XML external entities has been disabled for all use cases to protect against this vulnerability. Gradle will now refuse to parse XML files that have XML external entities.


CVE-2023-44387 (https://github.com/gradle/gradle/security/advisories/GHSA-43r3-pqhv-f7h9):

Gradle is a build tool with a focus on build automation and support for multi-language development. When copying or archiving symlinked files, Gradle resolves them but applies the permissions of the symlink itself instead of the permissions of the linked file to the resulting file. This leads to files having too many permissions, given that symlinks usually are world readable and writeable. While it is unlikely this results in a direct vulnerability for the impacted build, it may open up attack vectors depending on where build artifacts end up being copied to or un-archived. In versions 7.6.3, 8.4 and above, Gradle will now properly use the permissions of the file pointed at by the symlink to set permissions of the copied or archived file.

CVE-2023-35946 (https://github.com/gradle/gradle/security/advisories/GHSA-2h6c-rv6q-494v):

Gradle is a build tool with a focus on build automation and support for multi-language development. When Gradle writes a dependency into its dependency cache, it uses the dependency's coordinates to compute a file location. With specially crafted dependency coordinates, Gradle can be made to write files into an unintended location. The file may be written outside the dependency cache or over another file in the dependency cache. This vulnerability could be used to poison the dependency cache or overwrite important files elsewhere on the filesystem where the Gradle process has write permissions. Exploiting this vulnerability requires an attacker to have control over a dependency repository used by the Gradle build or have the ability to modify the build's configuration. It is unlikely that this would go unnoticed. A fix has been released in Gradle 7.6.2 and 8.2 to protect against this vulnerability. Gradle will refuse to cache dependencies that have path traversal elements in their dependency coordinates. It is recommended that users upgrade to a patched version. If you are unable to upgrade to Gradle 7.6.2 or 8.2, `dependency verification` will make this vulnerability more difficult to exploit.

CVE-2023-35947 (https://github.com/gradle/gradle/security/advisories/GHSA-84mw-qh6q-v842):

Gradle is a build tool with a focus on build automation and support for multi-language development. In affected versions when unpacking Tar archives, Gradle did not check that files could be written outside of the unpack location. This could lead to important files being overwritten anywhere the Gradle process has write permissions. For a build reading Tar entries from a Tar archive, this issue could allow Gradle to disclose information from sensitive files through an arbitrary file read. To exploit this behavior, an attacker needs to either control the source of an archive already used by the build or modify the build to interact with a malicious archive. It is unlikely that this would go unnoticed. A fix has been released in Gradle 7.6.2 and 8.2 to protect against this vulnerability. Starting from these versions, Gradle will refuse to handle Tar archives which contain path traversal elements in a Tar entry name. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Fixes in 7.6.3 and 8.4. Please bump to 7.6.3 and stabilize 8.4.
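The four advisories quoted in comment 1 describe two path-containment failures (dependency coordinates written into the cache, Tar entry names written under the unpack directory), an XML parser that still resolved external entities, and a copy that applied the symlink's own mode instead of the target's. The following is an added example, not Gradle's code and not from the reporter, showing the corresponding checks in Python: a single containment test used for both the cache path and the Tar entries, a pre-parse screen for external entity declarations, and a copy that takes its mode from the link target. The cache root and layout, the archive entries, the POM text and the temp-dir file are all constructed for the demonstration and only approximate Gradle's real cache layout.

```python
"""Checks mirroring the fixes for CVE-2023-35946/35947/42445/44387 (added example)."""
import io
import os
import re
import shutil
import stat
import tarfile
import tempfile

# Hypothetical cache root; Gradle's real layout is only approximated here.
CACHE_ROOT = "/home/build/.gradle/caches/modules-2/files-2.1"

# External general/parameter entities and external DTD subsets: the declarations
# an out-of-band XXE payload relies on (CVE-2023-42445).
_EXTERNAL_DECL = re.compile(
    r"<!(?:ENTITY\s+(?:%\s+)?[^\s>]+|DOCTYPE\s+[^\s>\[]+)\s+(?:SYSTEM|PUBLIC)\b",
    re.IGNORECASE,
)


def has_external_entities(xml_text):
    """Pre-parse screen: True if the document declares anything fetched from a URI.

    Gradle's fix disables entity resolution inside the parser; this screen is a
    cheap stand-in for refusing such files before they reach a parser at all.
    """
    return bool(_EXTERNAL_DECL.search(xml_text))


def is_contained(base, candidate):
    """True when base joined with candidate still resolves inside base.

    Absolute candidates and '..' segments that climb above base are rejected;
    an in-place '..' such as 'a/../b' that stays inside base is accepted.
    """
    base_abs = os.path.abspath(base)
    target = os.path.normpath(os.path.join(base_abs, candidate))
    return target == base_abs or target.startswith(base_abs + os.sep)


def cache_path_for(group, name, version, filename, root=CACHE_ROOT):
    """Compute the cache location from coordinates, refusing traversal elements.

    Mirrors the post-fix behaviour for CVE-2023-35946: a coordinate holding a
    separator or a '.'/'..' segment is refused instead of being resolved
    somewhere else on disk (the vulnerable code simply joined the parts).
    """
    for part in (group, name, version, filename):
        if not part or part in (".", "..") or "/" in part or "\\" in part:
            raise ValueError(f"path traversal element in coordinate: {part!r}")
    path = os.path.join(root, group, name, version, filename)
    if not is_contained(root, os.path.relpath(path, root)):  # defence in depth
        raise ValueError(f"computed cache path escapes {root}: {path}")
    return path


def coordinates_are_safe(group, name, version, filename):
    """Boolean wrapper around cache_path_for for callers that just want a verdict."""
    try:
        cache_path_for(group, name, version, filename)
        return True
    except ValueError:
        return False


def build_tar(entries):
    """Build an in-memory tar from {name: bytes}; names are stored verbatim (constructed data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in entries.items():
            info = tarfile.TarInfo(name=name)  # no sanitising, as a hostile archive would do
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def unsafe_tar_entries(tar_bytes, dest="/home/build/unpack"):
    """Names of entries that would be written outside dest (CVE-2023-35947 check).

    A non-empty result means the whole archive should be refused, which is what
    the fixed Gradle versions do rather than extracting the remaining entries.
    """
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        return [m.name for m in tar.getmembers() if not is_contained(dest, m.name)]


def copy_with_target_permissions(src, dst):
    """Copy src (possibly a symlink) to dst and apply the link *target's* mode.

    The vulnerable behaviour (CVE-2023-44387) used os.lstat-style link metadata,
    which on Linux reports 0o777, so the copy ended up world-writable.
    """
    shutil.copyfile(src, dst)                            # follows the link for data
    os.chmod(dst, stat.S_IMODE(os.stat(src).st_mode))    # os.stat follows the link for mode
    return stat.S_IMODE(os.stat(dst).st_mode)


def symlink_demo():
    """Create a 0o600 file plus a symlink to it (constructed) and copy via the link.

    Returns (mode the symlink itself reports, mode the hardened copy ends with).
    """
    with tempfile.TemporaryDirectory() as d:
        secret = os.path.join(d, "secret.properties")
        with open(secret, "w") as fh:
            fh.write("signing.password=hunter2\n")
        os.chmod(secret, 0o600)
        link = os.path.join(d, "link.properties")
        os.symlink(secret, link)
        link_mode = stat.S_IMODE(os.lstat(link).st_mode)   # what the buggy copy applied
        copied_mode = copy_with_target_permissions(link, os.path.join(d, "out.properties"))
        return link_mode, copied_mode


if __name__ == "__main__":
    hostile = build_tar({"ok/file.txt": b"fine", "../../evil.txt": b"bad"})
    print("rejected tar entries:", unsafe_tar_entries(hostile))
    print("coordinates safe:", coordinates_are_safe("../../etc", "cron.d", "job", "job"))
    print("symlink mode vs copied mode:", [oct(m) for m in symlink_demo()])
```

The regex screen is deliberately the weaker of the two XML defences: it will catch a POM or Ivy descriptor that declares an external entity inline or pulls an external DTD, but the robust fix is the one the advisory describes, turning entity resolution off in the parser itself (on a JAXP parser that means the standard `disallow-doctype-decl`, `external-general-entities` and `external-parameter-entities` features). For the two traversal checks, note that the archive is refused as a whole rather than filtered entry by entry, so a partially extracted archive never ends up on disk.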
Comment 2 Larry the Git Cow 2024-01-07 09:16:39 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=00abccd0eccaceee738ae9746e0bf5cf1677d96d

commit 00abccd0eccaceee738ae9746e0bf5cf1677d96d
Author:     Florian Schmaus <flow@gentoo.org>
AuthorDate: 2024-01-07 09:04:35 +0000
Commit:     Florian Schmaus <flow@gentoo.org>
CommitDate: 2024-01-07 09:16:25 +0000

    dev-java/gradle-bin: drop versions
    
    Bug: https://bugs.gentoo.org/782694
    Bug: https://bugs.gentoo.org/917402
    Bug: https://bugs.gentoo.org/905329
    Signed-off-by: Florian Schmaus <flow@gentoo.org>

 dev-java/gradle-bin/Manifest                |  9 -----
 dev-java/gradle-bin/gradle-bin-6.8.3.ebuild | 61 -----------------------------
 dev-java/gradle-bin/gradle-bin-7.1.1.ebuild | 61 -----------------------------
 dev-java/gradle-bin/gradle-bin-7.2.ebuild   | 61 -----------------------------
 dev-java/gradle-bin/gradle-bin-7.3.3.ebuild | 61 -----------------------------
 dev-java/gradle-bin/gradle-bin-7.4.2.ebuild | 61 -----------------------------
 dev-java/gradle-bin/gradle-bin-7.5.1.ebuild | 61 -----------------------------
 dev-java/gradle-bin/gradle-bin-7.6.1.ebuild | 61 -----------------------------
 dev-java/gradle-bin/gradle-bin-8.0.2.ebuild | 61 -----------------------------
 dev-java/gradle-bin/gradle-bin-8.1.1.ebuild | 61 -----------------------------
 10 files changed, 558 deletions(-)