
gradle_6: mark very insecure #352236

Merged (1 commit), Oct 30, 2024

Conversation

@tomodachi94 tomodachi94 commented Oct 30, 2024

Every Gradle before v7 (including our beloved gradle_6) is vulnerable to a number of vulnerabilities:

  • CVE-2021-29429, affecting confidentiality
  • CVE-2021-29427, affecting confidentiality and can lead to dependency poisoning
  • CVE-2021-29428, a privilege escalation involving the temp dir
  • CVE-2021-32751, arbitrary code execution

To mark the package insecure, I had to add a meta attribute that is merged into the existing meta produced by the package. Eval succeeds (fails with insecure warning) when I tested this.

Let me know if the messages in knownVulnerabilities are too verbose.

cc the following maintainers, whose packages won't build after this package is marked insecure:

Closes #132127
Closes #147881
Closes #124636
Closes #124635

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 24.11 Release Notes (or backporting 23.11 and 24.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

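The PR's own diff is not shown on this page. As an added illustration of the approach described above, the following Nix expression (not the PR's code) marks an existing package insecure by merging `meta.knownVulnerabilities` into the `meta` the package already produces, and shows the consumer-side opt-in that lets a dependent still evaluate once the risk has been consciously accepted. The file name `mark-insecure.nix`, the `allowInsecure` parameter and the version string `gradle-6.9.4` are assumptions; the vulnerability strings are taken from the PR description.

```nix
# mark-insecure.nix (hypothetical file name; added example, not the PR's diff)
#
# nixpkgs' stdenv runs checkMeta on every derivation.  A non-empty
# meta.knownVulnerabilities makes evaluation fail with an "is marked as
# insecure, refusing to evaluate" error unless the evaluator opts in, so
# marking the package (instead of silently keeping it) breaks every
# dependent loudly, at eval time, before anything is built against it.
{ allowInsecure ? false }:
let
  markInsecure = final: prev: {
    gradle_6 = prev.gradle_6.overrideAttrs (old: {
      # `//` is a shallow attribute-set update: the license, maintainers,
      # platforms and description the package already sets survive, and
      # only knownVulnerabilities is added (appended to any prior entries).
      meta = (old.meta or { }) // {
        knownVulnerabilities = (old.meta.knownVulnerabilities or [ ]) ++ [
          "CVE-2021-29429: information disclosure (confidentiality)"
          "CVE-2021-29427: information disclosure, can lead to dependency poisoning"
          "CVE-2021-29428: local privilege escalation via the temp directory"
          "CVE-2021-32751: arbitrary code execution"
          "Unmaintained upstream since 2023-02-10; upgrade to Gradle 7 or newer"
        ];
      };
    });
  };
in
import <nixpkgs> {
  overlays = [ markInsecure ];
  config = {
    # Consumer-side opt-in, scoped to one package name rather than the
    # blanket NIXPKGS_ALLOW_INSECURE=1.  The string must equal the
    # derivation's `name` (pname-version); "gradle-6.9.4" is assumed here.
    permittedInsecurePackages =
      if allowInsecure then [ "gradle-6.9.4" ] else [ ];
  };
}
```

Evaluating `nix-instantiate -E '(import ./mark-insecure.nix { }).gradle_6'` should fail with the insecure error and list the strings above under "Known issues", while passing `{ allowInsecure = true; }` lets the same derivation instantiate. Appending to `old.meta.knownVulnerabilities` instead of replacing it matters when the generated `meta` may already carry entries; replacing the whole `meta` set would also silently drop the package's license and maintainer data.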

v6 is vulnerable to a number of vulnerabilities:
* CVE-2021-29429, affecting confidentiality
* CVE-2021-29427, affecting confidentiality and can lead to dependency poisoning
* CVE-2021-29428, a privilege escalation involving the temp dir
* CVE-2021-32751, arbitrary code execution
@tomodachi94 tomodachi94 added 1.severity: security Issues which raise a security issue, or PRs that fix one backport release-24.05 Backport PR automatically labels Oct 30, 2024
tomodachi94 commented Oct 30, 2024

Off-topic: I'm wondering if we should remove this package after the feature freeze.

tomodachi94 added a commit to tomodachi94/nixpkgs that referenced this pull request Oct 30, 2024
Upstream has made it possible to use a recent version of Gradle,
thanks to some patches:
* "1.2.6: changed JVM args to be compatible with Java 17"
    -> This is not directly applied, as it fails to apply cleanly; we use substituteInPlace instead
    -> TrashboxBobylev/Summoning-Pixel-Dungeon@c8a6fdd

* "1.2.6: updated desktop build script for Gradle 7.0+"
    -> TrashboxBobylev/Summoning-Pixel-Dungeon@5610142

Additionally, allows this package to keep working after NixOS#352236
@emilazy emilazy merged commit 220bfa9 into NixOS:master Oct 30, 2024
37 of 38 checks passed
@tomodachi94 tomodachi94 deleted the fix/gradle_6/very-insecure branch October 30, 2024 04:47

Successfully created backport PR for release-24.05:

github-actions bot pushed a commit that referenced this pull request Oct 30, 2024
(cherry picked from commit 6854e01)
keatonhasse pushed a commit to keatonhasse/nixpkgs that referenced this pull request Oct 30, 2024
tomodachi94 added a commit to tomodachi94/nixpkgs that referenced this pull request Oct 30, 2024
Unmaintained since 10 Feb 2023:
https://endoflife.date/gradle

Numerous security vulnerabilities: NixOS#352236

Last remaining usages removed in:
@tomodachi94 tomodachi94 mentioned this pull request Oct 30, 2024
tomodachi94 added a commit to tomodachi94/nixpkgs that referenced this pull request Oct 30, 2024
tomodachi94 added a commit to tomodachi94/nixpkgs that referenced this pull request Oct 30, 2024
jmartindf pushed a commit to jmartindf/nixpkgs that referenced this pull request Nov 1, 2024
github-actions bot pushed a commit to Mic92/nixpkgs that referenced this pull request Nov 3, 2024