packages/gradle
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

CVE-2019-16370

Browse Source
This commit is contained in:
programmer12 2021-07-27 19:13:59 +08:00
parent 6a65ae890c
commit 9708987f79
2 changed files with 34 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
CVE-2019-16370.patch Normal file
View File

@ -0,0 +1,29 @@
From f50bb2513f8880f75db2c2b3f1badbae856f6f85 Mon Sep 17 00:00:00 2001
From: Vladimir Sitnikov <sitnikov.vladimir@gmail.com>
Date: Tue, 10 Sep 2019 14:37:35 +0300
Subject: [PATCH] signing plugin: use SHA512 instead of SHA1 when signing
artifacts
PGP signs a digest, so MITM is still possible provided an attacker can update
the artifact in such a way that its SHA1 is intact.
Relevant article is https://medium.com/@jonathan.leitschuh/many-of-these-gpg-signatures-are-signed-with-sha-1-which-is-vulnerable-to-a-second-preimage-attack-67104d827930
Signed-off-by: Vladimir Sitnikov <sitnikov.vladimir@gmail.com>
---
.../org/gradle/plugins/signing/signatory/pgp/PgpSignatory.java | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/subprojects/signing/src/main/java/org/gradle/plugins/signing/signatory/pgp/PgpSignatory.java b/subprojects/signing/src/main/java/org/gradle/plugins/signing/signatory/pgp/PgpSignatory.java
index 5e022b5b5d077..3e212fe4a93d8 100644
--- a/subprojects/signing/src/main/java/org/gradle/plugins/signing/signatory/pgp/PgpSignatory.java
+++ b/subprojects/signing/src/main/java/org/gradle/plugins/signing/signatory/pgp/PgpSignatory.java
@@ -104,7 +104,7 @@ private void writeSignatureTo(OutputStream signatureDestination, PGPSignature pg
public PGPSignatureGenerator createSignatureGenerator() {
try {
- PGPSignatureGenerator generator = new PGPSignatureGenerator(new BcPGPContentSignerBuilder(secretKey.getPublicKey().getAlgorithm(), PGPUtil.SHA1));
+ PGPSignatureGenerator generator = new PGPSignatureGenerator(new BcPGPContentSignerBuilder(secretKey.getPublicKey().getAlgorithm(), PGPUtil.SHA512));
generator.init(PGPSignature.BINARY_DOCUMENT, privateKey);
return generator;
} catch (PGPException e) {

6
gradle.spec
View File

@ -1,7 +1,7 @@
%bcond_with bootstrap %bcond_with bootstrap
Name: gradle Name: gradle
Version: 4.4.1 Version: 4.4.1
Release: 1 Release: 2
Summary: Build automation tool Summary: Build automation tool
License: ASL 2.0 License: ASL 2.0
URL: http://www.gradle.org/ URL: http://www.gradle.org/
@ -40,6 +40,7 @@ Patch0015: 0015-Disable-docs-build.patch
Patch0016: 0016-Port-to-guava-20.0.patch Patch0016: 0016-Port-to-guava-20.0.patch
Patch0017: 0017-Set-core-api-source-level-to-8.patch Patch0017: 0017-Set-core-api-source-level-to-8.patch
Patch0018: 0018-Use-HTTPS-for-GoogleAPIs-repository.patch Patch0018: 0018-Use-HTTPS-for-GoogleAPIs-repository.patch
Patch0019: CVE-2019-16370.patch
BuildRequires: git BuildRequires: git
%if %{with bootstrap} %if %{with bootstrap}
BuildRequires: groovy >= 2.3 javapackages-local BuildRequires: groovy >= 2.3 javapackages-local
@ -237,6 +238,9 @@ install -p -m 644 man/gradle.1 %{buildroot}%{_mandir}/man1/gradle.1
%license LICENSE NOTICE %license LICENSE NOTICE
%changelog %changelog
* Tue Jul 27 2021 liwu <liwu13@huawei.com> - 4.4.1-2
- fix CVE-2019-16370
* Fri Sep 4 2020 chengzihan <chengzihan2@huawei.com> - 4.4.1-1 * Fri Sep 4 2020 chengzihan <chengzihan2@huawei.com> - 4.4.1-1
- upgrade to 4.4.1-1 - upgrade to 4.4.1-1