Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 905329 (CVE-2023-26053) - <dev-java/gradle-bin-{7.6.1,8.0}: long PGP key ID collision vulnerability
Summary: <dev-java/gradle-bin-{7.6.1,8.0}: long PGP key ID collision vulnerability
Status: CONFIRMED
Alias: CVE-2023-26053
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://github.com/gradle/gradle/secu...
Whiteboard: B4 [glsa? cleanup]
Keywords:
Depends on:
Blocks:
 
Reported: 2023-04-29 20:56 UTC by John Helmert III
Modified: 2024-01-07 09:16 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-04-29 20:56:26 UTC 
CVE-2023-26053:

Gradle is a build tool with a focus on build automation and support for multi-language development. This is a collision attack on long IDs (64bits) for PGP keys. Users of dependency verification in Gradle are vulnerable if they use long IDs for PGP keys in a `trusted-key` or `pgp` element in their dependency verification metadata file. The fix is to fail dependency verification if anything but a fingerprint is used in a trust element in dependency verification metadata. The problem is fixed in Gradle 8.0 and above. The problem is also patched in Gradle 6.9.4 and 7.6.1. As a workaround, use only full fingerprint IDs for `trusted-key` or `pgp` element in the metadata is a protection against this issue.

Fix in 6.9.4, 7.6.1, 8.0. Please cleanup.
Comment 1 Hans de Graaff gentoo-dev Security 2023-10-03 08:21:32 UTC 
Ping. Please clean up vulnerable versions.
Comment 2 Larry the Git Cow gentoo-dev 2024-01-07 09:16:37 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=00abccd0eccaceee738ae9746e0bf5cf1677d96d

commit 00abccd0eccaceee738ae9746e0bf5cf1677d96d
Author:     Florian Schmaus <flow@gentoo.org>
AuthorDate: 2024-01-07 09:04:35 +0000
Commit:     Florian Schmaus <flow@gentoo.org>
CommitDate: 2024-01-07 09:16:25 +0000

    dev-java/gradle-bin: drop versions
    
    Bug: https://bugs.gentoo.org/782694
    Bug: https://bugs.gentoo.org/917402
    Bug: https://bugs.gentoo.org/905329
    Signed-off-by: Florian Schmaus <flow@gentoo.org>

 dev-java/gradle-bin/Manifest                |  9 -----
 dev-java/gradle-bin/gradle-bin-6.8.3.ebuild | 61 -----------------------------
 dev-java/gradle-bin/gradle-bin-7.1.1.ebuild | 61 -----------------------------
 dev-java/gradle-bin/gradle-bin-7.2.ebuild   | 61 -----------------------------
 dev-java/gradle-bin/gradle-bin-7.3.3.ebuild | 61 -----------------------------
 dev-java/gradle-bin/gradle-bin-7.4.2.ebuild | 61 -----------------------------
 dev-java/gradle-bin/gradle-bin-7.5.1.ebuild | 61 -----------------------------
 dev-java/gradle-bin/gradle-bin-7.6.1.ebuild | 61 -----------------------------
 dev-java/gradle-bin/gradle-bin-8.0.2.ebuild | 61 -----------------------------
 dev-java/gradle-bin/gradle-bin-8.1.1.ebuild | 61 -----------------------------
 10 files changed, 558 deletions(-)