Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 905329 (CVE-2023-26053)

Summary: <dev-java/gradle-bin-{7.6.1,8.0}: long PGP key ID collision vulnerability
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: CONFIRMED ---    
Severity: minor CC: flow, java
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://github.com/gradle/gradle/security/advisories/GHSA-c724-3xg7-g3hf
Whiteboard: B4 [glsa? cleanup]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-04-29 20:56:26 UTC 
CVE-2023-26053:

Gradle is a build tool with a focus on build automation and support for multi-language development. This is a collision attack on long IDs (64bits) for PGP keys. Users of dependency verification in Gradle are vulnerable if they use long IDs for PGP keys in a `trusted-key` or `pgp` element in their dependency verification metadata file. The fix is to fail dependency verification if anything but a fingerprint is used in a trust element in dependency verification metadata. The problem is fixed in Gradle 8.0 and above. The problem is also patched in Gradle 6.9.4 and 7.6.1. As a workaround, use only full fingerprint IDs for `trusted-key` or `pgp` element in the metadata is a protection against this issue.

Fix in 6.9.4, 7.6.1, 8.0. Please cleanup.
Comment 1 Hans de Graaff gentoo-dev Security 2023-10-03 08:21:32 UTC 
Ping. Please clean up vulnerable versions.
Comment 2 Larry the Git Cow gentoo-dev 2024-01-07 09:16:37 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=00abccd0eccaceee738ae9746e0bf5cf1677d96d

commit 00abccd0eccaceee738ae9746e0bf5cf1677d96d
Author:     Florian Schmaus <flow@gentoo.org>
AuthorDate: 2024-01-07 09:04:35 +0000
Commit:     Florian Schmaus <flow@gentoo.org>
CommitDate: 2024-01-07 09:16:25 +0000

    dev-java/gradle-bin: drop versions
    
    Bug: https://bugs.gentoo.org/782694
    Bug: https://bugs.gentoo.org/917402
    Bug: https://bugs.gentoo.org/905329
    Signed-off-by: Florian Schmaus <flow@gentoo.org>

 dev-java/gradle-bin/Manifest                |  9 -----
 dev-java/gradle-bin/gradle-bin-6.8.3.ebuild | 61 -----------------------------
 dev-java/gradle-bin/gradle-bin-7.1.1.ebuild | 61 -----------------------------
 dev-java/gradle-bin/gradle-bin-7.2.ebuild   | 61 -----------------------------
 dev-java/gradle-bin/gradle-bin-7.3.3.ebuild | 61 -----------------------------
 dev-java/gradle-bin/gradle-bin-7.4.2.ebuild | 61 -----------------------------
 dev-java/gradle-bin/gradle-bin-7.5.1.ebuild | 61 -----------------------------
 dev-java/gradle-bin/gradle-bin-7.6.1.ebuild | 61 -----------------------------
 dev-java/gradle-bin/gradle-bin-8.0.2.ebuild | 61 -----------------------------
 dev-java/gradle-bin/gradle-bin-8.1.1.ebuild | 61 -----------------------------
 10 files changed, 558 deletions(-)