Bug#1041424: gradle: CVE-2023-35946 CVE-2023-35947

Moritz Mühlenhoff jmm at inutil.org
Tue Jul 18 19:42:40 BST 2023


Source: gradle
X-Debbugs-CC: team at security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for gradle. Not sure if
the rather old version of Gradle in Debian is affected, please have
a look:

CVE-2023-35946[0]:
| Gradle is a build tool with a focus on build automation and support
| for multi-language development. When Gradle writes a dependency into
| its dependency cache, it uses the dependency's coordinates to
| compute a file location. With specially crafted dependency
| coordinates, Gradle can be made to write files into an unintended
| location. The file may be written outside the dependency cache or
| over another file in the dependency cache. This vulnerability could
| be used to poison the dependency cache or overwrite important files
| elsewhere on the filesystem where the Gradle process has write
| permissions. Exploiting this vulnerability requires an attacker to
| have control over a dependency repository used by the Gradle build
| or have the ability to modify the build's configuration. It is
| unlikely that this would go unnoticed. A fix has been released in
| Gradle 7.6.2 and 8.2 to protect against this vulnerability. Gradle
| will refuse to cache dependencies that have path traversal elements
| in their dependency coordinates. It is recommended that users
| upgrade to a patched version. If you are unable to upgrade to Gradle
| 7.6.2 or 8.2, `dependency verification` will make this vulnerability
| more difficult to exploit.

https://github.com/gradle/gradle/security/advisories/GHSA-2h6c-rv6q-494v
https://github.com/gradle/gradle/commit/859eae2b2acf751ae7db3c9ffefe275aa5da0d5d (v8.2.0-RC3)
https://github.com/gradle/gradle/commit/b07e528feb3a5ffa66bdcc358549edd73e4c8a12 (v8.2.0-RC3)
   
CVE-2023-35947[1]:
| Gradle is a build tool with a focus on build automation and support
| for multi-language development. In affected versions when unpacking
| Tar archives, Gradle did not check that files could be written
| outside of the unpack location. This could lead to important files
| being overwritten anywhere the Gradle process has write permissions.
| For a build reading Tar entries from a Tar archive, this issue could
| allow Gradle to disclose information from sensitive files through an
| arbitrary file read. To exploit this behavior, an attacker needs to
| either control the source of an archive already used by the build or
| modify the build to interact with a malicious archive. It is
| unlikely that this would go unnoticed. A fix has been released in
| Gradle 7.6.2 and 8.2 to protect against this vulnerability. Starting
| from these versions, Gradle will refuse to handle Tar archives which
| contain path traversal elements in a Tar entry name. Users are
| advised to upgrade. There are no known workarounds for this
| vulnerability.
|
| ### Impact
|
| This is a path traversal vulnerability when Gradle deals with Tar
| archives, often referenced as TarSlip, a variant of ZipSlip.
|
| * When unpacking Tar archives, Gradle did not check that files could
|   be written outside of the unpack location. This could lead to
|   important files being overwritten anywhere the Gradle process has
|   write permissions.
| * For a build reading Tar entries from a Tar archive, this issue
|   could allow Gradle to disclose information from sensitive files
|   through an arbitrary file read.
|
| To exploit this behavior, an attacker needs to either control the
| source of an archive already used by the build or modify the build to
| interact with a malicious archive. It is unlikely that this would go
| unnoticed.
|
| Gradle uses Tar archives for its [Build
| Cache](https://docs.gradle.org/current/userguide/build_cache.html).
| These archives are safe when created by Gradle. But if an attacker
| had control of a remote build cache server, they could inject
| malicious build cache entries that leverage this vulnerability. This
| attack vector could also be exploited if a man-in-the-middle can be
| performed between the remote cache and the build.
|
| ### Patches
|
| A fix has been released in Gradle 7.6.2 and 8.2 to protect against
| this vulnerability. Starting from these versions, Gradle will refuse
| to handle Tar archives which contain path traversal elements in a
| Tar entry name.
|
| It is recommended that users upgrade to a patched version.
|
| ### Workarounds
|
| There is no workaround.
|
| * If your build deals with Tar archives that you do not fully trust,
|   you need to inspect them to confirm they do not attempt to leverage
|   this vulnerability.
| * If you use the Gradle remote build cache, make sure only trusted
|   parties have write access to it and that connections to the remote
|   cache are properly secured.
|
| ### References
|
| * [CWE-22: Improper Limitation of a Pathname to a Restricted
|   Directory ('Path
|   Traversal')](https://cwe.mitre.org/data/definitions/22.html)
| * [Gradle Build
|   Cache](https://docs.gradle.org/current/userguide/build_cache.html)
| * [ZipSlip](https://security.snyk.io/research/zip-slip-vulnerability)

https://github.com/gradle/gradle/security/advisories/GHSA-84mw-qh6q-v842
https://github.com/gradle/gradle/commit/1096b309520a8c315e3b6109a6526de4eabcb879 (v8.2.0-RC3)
https://github.com/gradle/gradle/commit/2e5c34d57d0c0b7f0e8b039a192b91e5c8249d91 (v8.2.0-RC3)


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-35946
    https://www.cve.org/CVERecord?id=CVE-2023-35946
[1] https://security-tracker.debian.org/tracker/CVE-2023-35947
    https://www.cve.org/CVERecord?id=CVE-2023-35947

Please adjust the affected versions in the BTS as needed.
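Both advisories quoted in the report come down to the same defensive check: refuse to derive a filesystem location from an untrusted name that contains path traversal elements. The advisory for CVE-2023-35947 also suggests inspecting untrusted Tar archives before a build touches them. The following script is an added example for this bug report and is not Gradle's own code or the fix referenced in the commits above. It assumes that "path traversal elements" means a coordinate field equal to `.` or `..` or carrying a path separator, and a Tar entry whose name or link target resolves outside the unpack location; the archive it scans is constructed inline, and the function names (`coordinate_is_safe`, `find_unsafe_entries`, `build_sample_archive`) are my own.

```python
import io
import posixpath
import tarfile
from typing import List, Tuple

# Added example, not Gradle's code. The two checks below are assumptions
# about what "path traversal elements" means in the advisories quoted in
# the bug report: a coordinate field that is "." or ".." or carries a path
# separator, and a tar entry whose name or link target resolves outside the
# unpack location.

SEPARATORS = ("/", "\\")


def coordinate_is_safe(group: str, name: str, version: str) -> bool:
    """Reject Maven-style coordinates that could steer a cache write outside
    the <group>/<name>/<version> directory derived from them (CVE-2023-35946)."""
    for field in (group, name, version):
        if field in ("", ".", "..") or "\0" in field:
            return False
        if any(sep in field for sep in SEPARATORS):
            return False
    return True


def _inside(root: str, path: str) -> bool:
    return path == root or path.startswith(root + "/")


def _escapes(root: str, base: str, target: str) -> bool:
    """True if `target`, resolved relative to `base`, lands outside `root`.
    Backslashes are treated as separators so a Windows unpack is covered too."""
    target = target.replace("\\", "/")
    if posixpath.isabs(target) or "\0" in target:
        return True
    return not _inside(root, posixpath.normpath(posixpath.join(base, target)))


def find_unsafe_entries(data: bytes) -> List[Tuple[str, str]]:
    """Return (entry name, reason) for every member of a tar archive that an
    unpacker would write or read outside its unpack location (TarSlip,
    CVE-2023-35947). Only archive metadata is read; nothing is extracted."""
    root = "unpack"  # symbolic unpack root; only the relative layout matters
    problems: List[Tuple[str, str]] = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for m in tar.getmembers():
            if _escapes(root, root, m.name):
                problems.append((m.name, "entry name escapes unpack location"))
                continue
            if m.issym():
                # symlink targets resolve relative to the link's own directory
                link_dir = posixpath.dirname(posixpath.join(root, m.name))
                if _escapes(root, link_dir, m.linkname):
                    problems.append((m.name, "symlink target escapes unpack location"))
            elif m.islnk():
                # hard link targets are archive-relative paths
                if _escapes(root, root, m.linkname):
                    problems.append((m.name, "hard link target escapes unpack location"))
    return problems


def build_sample_archive() -> bytes:
    """Constructed archive: one benign file plus three hostile entries."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add_file(name: str, payload: bytes) -> None:
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))

        add_file("lib/ok.txt", b"fine\n")
        add_file("../../escaped.txt", b"outside the unpack dir\n")
        add_file("/absolute/path.txt", b"absolute entry name\n")
        link = tarfile.TarInfo("lib/link")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../../outside"
        tar.addfile(link)
    return buf.getvalue()


if __name__ == "__main__":
    for entry, reason in find_unsafe_entries(build_sample_archive()):
        print(f"REJECT {entry!r}: {reason}")
    print(coordinate_is_safe("org.example", "lib", "1.0"))  # True
    print(coordinate_is_safe("org.example", "..", "1.0"))   # False
```

The scanner deliberately works on `getmembers()` rather than extracting and then checking, so a hostile archive is rejected before any write happens; link entries are checked separately because a benign-looking name can still point at a file outside the unpack root. Run against a real archive by replacing `build_sample_archive()` with the file's bytes.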
