
gradle_6: mark very insecure #352236

Merged: 1 commit, Oct 30, 2024

Conversation

tomodachi94
Member

@tomodachi94 tomodachi94 commented Oct 30, 2024

Every Gradle before v7 (including our beloved gradle_6) is vulnerable to a number of vulnerabilities:

  • CVE-2021-29429, affecting confidentiality
  • CVE-2021-29427, affecting confidentiality and can lead to dependency poisoning
  • CVE-2021-29428, a privilege escalation involving the temp dir
  • CVE-2021-32751, arbitrary code execution

To mark the package insecure, I had to add a meta attribute that is merged into the existing meta produced by the package. Eval succeeds (fails with insecure warning) when I tested this.

Let me know if the messages in knownVulnerabilities are too verbose.

cc the following maintainers, whose packages won't build after this package is marked insecure:

Closes #132127
Closes #147881
Closes #124636
Closes #124635

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 24.11 Release Notes (or backporting 23.11 and 24.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

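The mechanism the description relies on, shown here as an added example written for this page (it is not the PR's diff): an overlay that merges a knownVulnerabilities list into the package's existing meta with overrideAttrs, wrapped in a small expression that also shows the explicit opt-in a consumer needs afterwards. The CVE entries are the ones listed in the description; everything else (the gradle_6 attribute name, the pname "gradle", and the exact wording of the refusal message from pkgs/stdenv/generic/check-meta.nix) is assumed and should be checked against the nixpkgs revision in use.

```nix
# Added example, not the PR's own change. Assumes a package set that already
# provides `gradle_6` with pname "gradle"; save as example.nix and run
# `nix-instantiate example.nix` to see the behaviour described in the comments.
let
  markInsecure = final: prev: {
    gradle_6 = prev.gradle_6.overrideAttrs (old: {
      # Merge into whatever meta the package already defines so that
      # description, license, maintainers, etc. survive the override.
      meta = (old.meta or { }) // {
        # A non-empty knownVulnerabilities list makes stdenv's meta check treat
        # the derivation as insecure: forcing its drvPath/outPath is refused
        # unless the evaluating user opts in (see `config` below).
        knownVulnerabilities = [
          "CVE-2021-29429: affects confidentiality"
          "CVE-2021-29427: affects confidentiality; can lead to dependency poisoning"
          "CVE-2021-29428: privilege escalation involving the temp dir"
          "CVE-2021-32751: arbitrary code execution"
        ];
      };
    });
  };

  pkgs = import <nixpkgs> {
    overlays = [ markInsecure ];
    config = {
      # Without this predicate, instantiating gradle_6 fails with an error of
      # the form "Package 'gradle-<version>' ... is marked as insecure,
      # refusing to evaluate." (wording assumed from check-meta.nix).
      # Matching on pname avoids pinning a version; the alternative
      # `permittedInsecurePackages = [ "gradle-<version>" ]` needs the exact
      # name-version string.
      allowInsecurePredicate = pkg: (pkg.pname or "") == "gradle";
    };
  };
in
# Forcing the derivation is what triggers the insecure check; reading
# `.meta.knownVulnerabilities` alone does not.
pkgs.gradle_6
```

Consumers who do not want to change their Nix configuration can instead set NIXPKGS_ALLOW_INSECURE=1 in the environment for a one-off build (with --impure when evaluating through flakes); either way the opt-in is explicit, which is the point of marking the package rather than silently shipping it.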

v6 is vulnerable to a number of vulnerabilities:
* CVE-2021-29429, affecting confidentiality
* CVE-2021-29427, affecting confidentiality and can lead to dependency poisoning
* CVE-2021-29428, a privilege escalation involving the temp dir
* CVE-2021-32751, arbitrary code execution
@tomodachi94 tomodachi94 added the labels "1.severity: security" (Issues which raise a security issue, or PRs that fix one) and "backport release-24.05" on Oct 30, 2024
@tomodachi94
Member Author

tomodachi94 commented Oct 30, 2024

Off-topic: I'm wondering if we should remove this package after the feature freeze.

tomodachi94 added a commit to tomodachi94/nixpkgs that referenced this pull request Oct 30, 2024
Upstream has made it possible to use a recent version of Gradle,
thanks to some patches:
* "1.2.6: changed JVM args to be compatible with Java 17"
    -> This is not directly applied, as it fails to apply cleanly; we use substituteInPlace instead
    -> TrashboxBobylev/Summoning-Pixel-Dungeon@c8a6fdd

* "1.2.6: updated desktop build script for Gradle 7.0+"
    -> TrashboxBobylev/Summoning-Pixel-Dungeon@5610142

Additionally, allows this package to keep working after NixOS#352236
@emilazy emilazy merged commit 220bfa9 into NixOS:master Oct 30, 2024
37 of 38 checks passed
@tomodachi94 tomodachi94 deleted the fix/gradle_6/very-insecure branch October 30, 2024 04:47
Contributor

Successfully created backport PR for release-24.05:

github-actions bot pushed a commit that referenced this pull request Oct 30, 2024
Upstream has made it possible to use a recent version of Gradle,
thanks to some patches:
* "1.2.6: changed JVM args to be compatible with Java 17"
    -> This is not directly applied, as it fails to apply cleanly; we use substituteInPlace instead
    -> TrashboxBobylev/Summoning-Pixel-Dungeon@c8a6fdd

* "1.2.6: updated desktop build script for Gradle 7.0+"
    -> TrashboxBobylev/Summoning-Pixel-Dungeon@5610142

Additionally, allows this package to keep working after #352236

(cherry picked from commit 6854e01)
keatonhasse pushed a commit to keatonhasse/nixpkgs that referenced this pull request Oct 30, 2024
tomodachi94 added a commit to tomodachi94/nixpkgs that referenced this pull request Oct 30, 2024
Unmaintained since 10 Feb 2023:
https://endoflife.date/gradle

Numerous security vulnerabilities: NixOS#352236

Last remaining usages removed in:
@tomodachi94 tomodachi94 mentioned this pull request Oct 30, 2024
tomodachi94 added a commit to tomodachi94/nixpkgs that referenced this pull request Oct 30, 2024
tomodachi94 added a commit to tomodachi94/nixpkgs that referenced this pull request Oct 30, 2024
jmartindf pushed a commit to jmartindf/nixpkgs that referenced this pull request Nov 1, 2024
github-actions bot pushed a commit to Mic92/nixpkgs that referenced this pull request Nov 3, 2024
frederictobiasc pushed a commit to frederictobiasc/nixpkgs that referenced this pull request Nov 9, 2024