nordic-dev.net/nixpkgs
nordic-dev.net/nixpkgs
2
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2024-11-22 23:13:19 +00:00
Code Issues Packages Projects Releases Wiki Activity

gradle_6: mark very insecure

Browse Source 
v6 is vulnerable to a number of vulnerabiliites:
* CVE-2021-29429, affecting confidentiality
* CVE-2021-29427, affecting confidentiality and can lead to dependency poisoning
* CVE-2021-29428, a privilege escalation involving the temp dir
* CVE-2021-32751, arbitrary code execution
This commit is contained in:
Tomo 2024-10-30 00:20:19 +00:00
parent 4e9ddbc8d6
commit 161e9a32c9
1 changed files with 12 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
pkgs/development/tools/build-managers/gradle/default.nix
View File

@ -23,7 +23,11 @@ rec {
"x86_64-darwin"
"x86_64-linux"
"x86_64-windows"
]
],
# Extra attributes to be merged into the resulting derivation's
# meta attribute.
meta ? {}
}:
{ lib
@ -172,7 +176,7 @@ rec {
license = licenses.asl20;
maintainers = with maintainers; [ lorenzleutgeb liff ];
mainProgram = "gradle";
};
} // meta;
});
# NOTE: Default JDKs that are hardcoded below must be LTS versions
@ -195,6 +199,12 @@ rec {
version = "6.9.4";
hash = "sha256-PiQCKFON6fGHcqV06ZoLqVnoPW7zUQFDgazZYxeBOJo=";
defaultJava = jdk11;
meta.knownVulnerabilities = [
"CVE-2021-29429: '[...]files created with open permissions in the system temporary directory can allow an attacker to access information downloaded by Gradle[...]'"
"CVE-2021-29427: '[...]there is a vulnerability which can lead to information disclosure and/or dependency poisoning[...] In some cases, Gradle may ignore content filters and search all repositories for dependencies. This only occurs when repository content filtering is used from within a `pluginManagement` block in a settings file.'"
"CVE-2021-29428: '[...]the system temporary directory can be created with open permissions that allow multiple users to create and delete files within it. Gradle builds could be vulnerable to a local privilege escalation from an attacker quickly deleting and recreating files in the system temporary directory.'"
"CVE-2021-32751: '[...]start scripts generated by the `application` plugin and the `gradlew` script are both vulnerable to arbitrary code execution when an attacker is able to change environment variables for the user running the script[...]'"
];
};
wrapGradle = {