Source: gradle
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for gradle. Not sure if
the rather old version of Gradle in Debian is affected, please have a
look:

CVE-2023-35946[0]:
| Gradle is a build tool with a focus on build automation and support
| for multi-language development. When Gradle writes a dependency into
| its dependency cache, it uses the dependency's coordinates to
| compute a file location. With specially crafted dependency
| coordinates, Gradle can be made to write files into an unintended
| location. The file may be written outside the dependency cache or
| over another file in the dependency cache. This vulnerability could
| be used to poison the dependency cache or overwrite important files
| elsewhere on the filesystem where the Gradle process has write
| permissions. Exploiting this vulnerability requires an attacker to
| have control over a dependency repository used by the Gradle build
| or have the ability to modify the build's configuration. It is
| unlikely that this would go unnoticed. A fix has been released in
| Gradle 7.6.2 and 8.2 to protect against this vulnerability. Gradle
| will refuse to cache dependencies that have path traversal elements
| in their dependency coordinates. It is recommended that users
| upgrade to a patched version. If you are unable to upgrade to Gradle
| 7.6.2 or 8.2, `dependency verification` will make this vulnerability
| more difficult to exploit.

https://github.com/gradle/gradle/security/advisories/GHSA-2h6c-rv6q-494v
https://github.com/gradle/gradle/commit/859eae2b2acf751ae7db3c9ffefe275aa5da0d5d (v8.2.0-RC3)
https://github.com/gradle/gradle/commit/b07e528feb3a5ffa66bdcc358549edd73e4c8a12 (v8.2.0-RC3)

CVE-2023-35947[1]:
| Gradle is a build tool with a focus on build automation and support
| for multi-language development. In affected versions when unpacking
| Tar archives, Gradle did not check that files could be written
| outside of the unpack location. This could lead to important files
| being overwritten anywhere the Gradle process has write permissions.
| For a build reading Tar entries from a Tar archive, this issue could
| allow Gradle to disclose information from sensitive files through an
| arbitrary file read. To exploit this behavior, an attacker needs to
| either control the source of an archive already used by the build or
| modify the build to interact with a malicious archive. It is
| unlikely that this would go unnoticed. A fix has been released in
| Gradle 7.6.2 and 8.2 to protect against this vulnerability. Starting
| from these versions, Gradle will refuse to handle Tar archives which
| contain path traversal elements in a Tar entry name. Users are
| advised to upgrade. There are no known workarounds for this
| vulnerability.
|
| ### Impact
|
| This is a path traversal vulnerability when Gradle deals with Tar
| archives, often referenced as TarSlip, a variant of ZipSlip.
|
| * When unpacking Tar archives, Gradle did not check that files could
|   be written outside of the unpack location. This could lead to
|   important files being overwritten anywhere the Gradle process has
|   write permissions.
| * For a build reading Tar entries from a Tar archive, this issue
|   could allow Gradle to disclose information from sensitive files
|   through an arbitrary file read.
|
| To exploit this behavior, an attacker needs to either control the
| source of an archive already used by the build or modify the build
| to interact with a malicious archive. It is unlikely that this would
| go unnoticed.
|
| Gradle uses Tar archives for its [Build
| Cache](https://docs.gradle.org/current/userguide/build_cache.html).
| These archives are safe when created by Gradle. But if an attacker
| had control of a remote build cache server, they could inject
| malicious build cache entries that leverage this vulnerability. This
| attack vector could also be exploited if a man-in-the-middle can be
| performed between the remote cache and the build.
|
| ### Patches
|
| A fix has been released in Gradle 7.6.2 and 8.2 to protect against
| this vulnerability. Starting from these versions, Gradle will refuse
| to handle Tar archives which contain path traversal elements in a
| Tar entry name. It is recommended that users upgrade to a patched
| version.
|
| ### Workarounds
|
| There is no workaround.
|
| * If your build deals with Tar archives that you do not fully trust,
|   you need to inspect them to confirm they do not attempt to leverage
|   this vulnerability.
| * If you use the Gradle remote build cache, make sure only trusted
|   parties have write access to it and that connections to the remote
|   cache are properly secured.
|
| ### References
|
| * [CWE-22: Improper Limitation of a Pathname to a Restricted
|   Directory ('Path Traversal')](https://cwe.mitre.org/data/definitions/22.html)
| * [Gradle Build
|   Cache](https://docs.gradle.org/current/userguide/build_cache.html)
| * [ZipSlip](https://security.snyk.io/research/zip-slip-vulnerability)

https://github.com/gradle/gradle/security/advisories/GHSA-84mw-qh6q-v842
https://github.com/gradle/gradle/commit/1096b309520a8c315e3b6109a6526de4eabcb879 (v8.2.0-RC3)
https://github.com/gradle/gradle/commit/2e5c34d57d0c0b7f0e8b039a192b91e5c8249d91 (v8.2.0-RC3)

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-35946
    https://www.cve.org/CVERecord?id=CVE-2023-35946
[1] https://security-tracker.debian.org/tracker/CVE-2023-35947
    https://www.cve.org/CVERecord?id=CVE-2023-35947

Please adjust the affected versions in the BTS as needed.
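Both advisories above describe the same class of defect (CWE-22) on two inputs: Tar entry names (CVE-2023-35947, TarSlip) and dependency coordinates used to compute a cache path (CVE-2023-35946), and the same fix, refusing any input that contains path traversal elements. The following is an added example of that kind of check, not code from Gradle or from the Debian report. The cache layout in `dependency_cache_path`, the function names and the sample archive are constructed for illustration; Gradle's real dependency cache layout differs.

```python
# Added example, not Gradle's own code: the kind of check the advisory
# describes, applied to the two inputs it names. Layout, names and sample
# inputs are constructed for illustration; Gradle's real cache layout differs.
import io
import os
import tarfile


def has_traversal(path: str) -> bool:
    """True if a relative path could escape its base directory.

    Flags empty names, absolute paths and any '..' component. Both '/' and
    '\\' are treated as separators so a backslash cannot smuggle '..' past
    a split on '/' alone.
    """
    if not path:
        return True
    parts = path.replace("\\", "/").split("/")
    if parts[0] == "":                      # leading separator: absolute path
        return True
    if parts[0].endswith(":"):              # Windows drive prefix such as C:
        return True
    return any(part == ".." for part in parts)


def unsafe_tar_entries(archive: bytes) -> list[str]:
    """Return the entry names in a Tar archive that contain traversal elements.

    This is the TarSlip check: an archive with any such entry is refused
    before a single file is written, which is the behaviour the advisory
    describes for Gradle 7.6.2 / 8.2.
    """
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        return [member.name for member in tar.getmembers()
                if has_traversal(member.name)]


def resolve_under(base_dir: str, relative: str) -> str:
    """Resolve `relative` under `base_dir`, refusing anything that escapes it.

    The lexical has_traversal() check runs first; the realpath containment
    check is a second line of defence (symlinked base dirs, odd separators).
    """
    if has_traversal(relative):
        raise ValueError(f"refusing path with traversal elements: {relative!r}")
    root = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(root, relative))
    if os.path.commonpath([root, target]) != root:
        raise ValueError(f"resolved outside base dir: {relative!r}")
    return target


def dependency_cache_path(cache_dir: str, group: str, name: str, version: str) -> str:
    """Map dependency coordinates to a cache file path (hypothetical layout).

    Each coordinate component becomes one path element, so a component such
    as '..' is the kind of input CVE-2023-35946 describes. No component may
    contain a separator or a traversal element.
    """
    for component in (group, name, version):
        if "/" in component or "\\" in component or has_traversal(component):
            raise ValueError(f"invalid dependency coordinate: {component!r}")
    relative = f"{group}/{name}/{version}/{name}-{version}.jar"
    return resolve_under(cache_dir, relative)


def build_tar(entries: dict[str, bytes]) -> bytes:
    """Construct an in-memory Tar archive with the given entry names (sample input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in entries.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed sample archive: one benign entry and one TarSlip-style entry.
SAMPLE_ARCHIVE = build_tar({
    "build/output.txt": b"ok\n",
    "../../outside.txt": b"escaped\n",
})

if __name__ == "__main__":
    print("unsafe entries:", unsafe_tar_entries(SAMPLE_ARCHIVE))
    print(dependency_cache_path("/tmp/cache", "org.example", "lib", "1.0"))
    try:
        dependency_cache_path("/tmp/cache", "org.example", "..", "1.0")
    except ValueError as exc:
        print("rejected:", exc)
```

The lexical check is deliberately strict rather than clever: it refuses the archive or coordinate outright instead of trying to "sanitise" the name, since a rejected build is easy to notice (as the advisory itself says) while a silently rewritten path is not. The realpath containment check in `resolve_under` covers what the lexical check cannot see, such as a base directory that is itself a symlink.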