[Git][java-team/gradle][master] Fixed CVE-2019-16370: No longer use SHA-1 for PGP signing (Closes: #941186)

Emmanuel Bourg (@ebourg) gitlab at salsa.debian.org
Sun Jan 22 00:43:30 GMT 2023



Emmanuel Bourg pushed to branch master at Debian Java Maintainers / gradle


Commits:
dd78c4c4 by Emmanuel Bourg at 2023-01-22T01:31:20+01:00
Fixed CVE-2019-16370: No longer use SHA-1 for PGP signing (Closes: #941186)

- - - - -


3 changed files:

- debian/changelog
- + debian/patches/CVE-2019-16370.patch
- debian/patches/series


Changes:

=====================================
debian/changelog
=====================================
@@ -1,3 +1,10 @@
+gradle (4.4.1-18) unstable; urgency=medium
+
+  * Team upload.
+  * Fixed CVE-2019-16370: No longer use SHA-1 for PGP signing (Closes: #941186)
+
+ -- Emmanuel Bourg <ebourg at apache.org>  Sun, 22 Jan 2023 01:05:45 +0100
+
 gradle (4.4.1-17) unstable; urgency=medium
 
   * Team upload.
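Review bot: The changelog entry does not record where the fix comes from; the patch added in this same commit is the upstream commit f50bb2513f8880f75db2c2b3f1badbae856f6f85 by Vladimir Sitnikov, so consider wording the entry as "Fixed CVE-2019-16370: No longer use SHA-1 for PGP signing, backported from upstream commit f50bb2513 (Closes: #941186)" so that the security tracker and anyone auditing the package can trace the change to its origin without opening the patch file.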


=====================================
debian/patches/CVE-2019-16370.patch
=====================================
@@ -0,0 +1,27 @@
+From f50bb2513f8880f75db2c2b3f1badbae856f6f85 Mon Sep 17 00:00:00 2001
+From: Vladimir Sitnikov <sitnikov.vladimir at gmail.com>
+Date: Tue, 10 Sep 2019 14:37:35 +0300
+Subject: [PATCH] signing plugin: use SHA512 instead of SHA1 when signing
+ artifacts
+
+PGP signs a digest, so MITM is still possible provided an attacker can update
+the artifact in such a way that its SHA1 is intact.
+
+Relevant article is https://medium.com/@jonathan.leitschuh/many-of-these-gpg-signatures-are-signed-with-sha-1-which-is-vulnerable-to-a-second-preimage-attack-67104d827930
+
+Signed-off-by: Vladimir Sitnikov <sitnikov.vladimir at gmail.com>
+---
+ .../org/gradle/plugins/signing/signatory/pgp/PgpSignatory.java  | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/subprojects/signing/src/main/java/org/gradle/plugins/signing/signatory/pgp/PgpSignatory.java
++++ b/subprojects/signing/src/main/java/org/gradle/plugins/signing/signatory/pgp/PgpSignatory.java
+@@ -102,7 +102,7 @@
+ 
+     public PGPSignatureGenerator createSignatureGenerator() {
+         try {
+-            PGPSignatureGenerator generator = new PGPSignatureGenerator(new BcPGPContentSignerBuilder(secretKey.getPublicKey().getAlgorithm(), PGPUtil.SHA1));
++            PGPSignatureGenerator generator = new PGPSignatureGenerator(new BcPGPContentSignerBuilder(secretKey.getPublicKey().getAlgorithm(), PGPUtil.SHA512));
+             generator.init(PGPSignature.BINARY_DOCUMENT, privateKey);
+             return generator;
+         } catch (PGPException e) {
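Review bot: The single-line change to createSignatureGenerator() is correct as far as it goes, but the review should confirm it is the only place in the signing subproject that constructs a BcPGPContentSignerBuilder with PGPUtil.SHA1; any other signer construction left untouched would still emit SHA-1 signatures and the CVE would be only partially closed. Two smaller points on the patch file itself: it carries the git-format-patch From/Subject headers but no DEP-3 "Origin:" or "Bug-Debian:" lines, so adding "Origin: backport, upstream commit f50bb2513f8880f75db2c2b3f1badbae856f6f85" and "Bug-Debian: https://bugs.debian.org/941186" would make the provenance machine-readable; and the fix only affects signatures generated after the upgrade, so the changelog or README.Debian could note that any .asc files already published with the old default remain SHA-1 signed and would need to be regenerated for the stronger digest to apply to them.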


=====================================
debian/patches/series
=====================================
@@ -39,3 +39,4 @@ source-level.patch
 permit-illegal-access.patch
 java17-compatibility.patch
 auto-adjust-language-level.patch
+CVE-2019-16370.patch



View it on GitLab: https://salsa.debian.org/java-team/gradle/-/commit/dd78c4c4355ec11bda2caec9122491e20ee948ff




