CVE-2019-16370

2021-07-27 19:13:59 +08:00 · 2021-07-27 19:13:59 +08:00 · 9708987f79
commit 9708987f79
parent 6a65ae890c
2 changed files with 34 additions and 1 deletions
--- a/CVE-2019-16370.patch
+++ b/CVE-2019-16370.patch
@ -0,0 +1,29 @@
+From f50bb2513f8880f75db2c2b3f1badbae856f6f85 Mon Sep 17 00:00:00 2001
+From: Vladimir Sitnikov <sitnikov.vladimir@gmail.com>
+Date: Tue, 10 Sep 2019 14:37:35 +0300
+Subject: [PATCH] signing plugin: use SHA512 instead of SHA1 when signing
+ artifacts
+
+PGP signs a digest, so MITM is still possible provided an attacker can update
+the artifact in such a way that its SHA1 is intact.
+
+Relevant article is https://medium.com/@jonathan.leitschuh/many-of-these-gpg-signatures-are-signed-with-sha-1-which-is-vulnerable-to-a-second-preimage-attack-67104d827930
+
+Signed-off-by: Vladimir Sitnikov <sitnikov.vladimir@gmail.com>
+---
+ .../org/gradle/plugins/signing/signatory/pgp/PgpSignatory.java  | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/subprojects/signing/src/main/java/org/gradle/plugins/signing/signatory/pgp/PgpSignatory.java b/subprojects/signing/src/main/java/org/gradle/plugins/signing/signatory/pgp/PgpSignatory.java
+index 5e022b5b5d077..3e212fe4a93d8 100644
+--- a/subprojects/signing/src/main/java/org/gradle/plugins/signing/signatory/pgp/PgpSignatory.java
+++ b/subprojects/signing/src/main/java/org/gradle/plugins/signing/signatory/pgp/PgpSignatory.java
+@@ -104,7 +104,7 @@ private void writeSignatureTo(OutputStream signatureDestination, PGPSignature pg
+ 
+     public PGPSignatureGenerator createSignatureGenerator() {
+         try {
+-            PGPSignatureGenerator generator = new PGPSignatureGenerator(new BcPGPContentSignerBuilder(secretKey.getPublicKey().getAlgorithm(), PGPUtil.SHA1));
+            PGPSignatureGenerator generator = new PGPSignatureGenerator(new BcPGPContentSignerBuilder(secretKey.getPublicKey().getAlgorithm(), PGPUtil.SHA512));
+             generator.init(PGPSignature.BINARY_DOCUMENT, privateKey);
+             return generator;
+         } catch (PGPException e) {
--- a/gradle.spec
+++ b/gradle.spec
@ -1,7 +1,7 @@
 %bcond_with bootstrap
 Name:                gradle
 Version:             4.4.1
-Release:             1
+Release:             2
 Summary:             Build automation tool
 License:             ASL 2.0
 URL:                 http://www.gradle.org/
@ -40,6 +40,7 @@ Patch0015:           0015-Disable-docs-build.patch
 Patch0016:           0016-Port-to-guava-20.0.patch
 Patch0017:           0017-Set-core-api-source-level-to-8.patch
 Patch0018:           0018-Use-HTTPS-for-GoogleAPIs-repository.patch
+Patch0019:           CVE-2019-16370.patch
 BuildRequires:       git
 %if %{with bootstrap}
 BuildRequires:       groovy >= 2.3 javapackages-local
@ -237,6 +238,9 @@ install -p -m 644 man/gradle.1 %{buildroot}%{_mandir}/man1/gradle.1
 %license LICENSE NOTICE

 %changelog
+* Tue Jul 27 2021 liwu <liwu13@huawei.com> - 4.4.1-2
+- fix CVE-2019-16370
+
 * Fri Sep 4 2020 chengzihan <chengzihan2@huawei.com> - 4.4.1-1
 - upgrade to 4.4.1-1