CVE-2019-16370.patch

@@ -1,29 +0,0 @@
-From f50bb2513f8880f75db2c2b3f1badbae856f6f85 Mon Sep 17 00:00:00 2001
-From: Vladimir Sitnikov <sitnikov.vladimir@gmail.com>
-Date: Tue, 10 Sep 2019 14:37:35 +0300
-Subject: [PATCH] signing plugin: use SHA512 instead of SHA1 when signing
- artifacts
-
-PGP signs a digest, so MITM is still possible provided an attacker can update
-the artifact in such a way that its SHA1 is intact.
-
-Relevant article is https://medium.com/@jonathan.leitschuh/many-of-these-gpg-signatures-are-signed-with-sha-1-which-is-vulnerable-to-a-second-preimage-attack-67104d827930
-
-Signed-off-by: Vladimir Sitnikov <sitnikov.vladimir@gmail.com>
----
- .../org/gradle/plugins/signing/signatory/pgp/PgpSignatory.java  | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/subprojects/signing/src/main/java/org/gradle/plugins/signing/signatory/pgp/PgpSignatory.java b/subprojects/signing/src/main/java/org/gradle/plugins/signing/signatory/pgp/PgpSignatory.java
-index 5e022b5b5d077..3e212fe4a93d8 100644
---- a/subprojects/signing/src/main/java/org/gradle/plugins/signing/signatory/pgp/PgpSignatory.java
-+++ b/subprojects/signing/src/main/java/org/gradle/plugins/signing/signatory/pgp/PgpSignatory.java
-@@ -104,7 +104,7 @@ private void writeSignatureTo(OutputStream signatureDestination, PGPSignature pg
- 
-     public PGPSignatureGenerator createSignatureGenerator() {
-         try {
--            PGPSignatureGenerator generator = new PGPSignatureGenerator(new BcPGPContentSignerBuilder(secretKey.getPublicKey().getAlgorithm(), PGPUtil.SHA1));
-+            PGPSignatureGenerator generator = new PGPSignatureGenerator(new BcPGPContentSignerBuilder(secretKey.getPublicKey().getAlgorithm(), PGPUtil.SHA512));
-             generator.init(PGPSignature.BINARY_DOCUMENT, privateKey);
-             return generator;
-         } catch (PGPException e) {

gradle-bootstrap-generate-resources.py

@@ -0,0 +1,134 @@
+#!/usr/bin/python
+#
+# Parse Gradle module structure and generate resource files which are
+# used to bootstrap Gradle.
+#
+# First file, gradle-bootstrap-module-list, contains list of Gradle
+# modules sorted by dependencies.  First module doesn't depend on any
+# other module.  All subsequent modules can depend only on modules
+# listed above them.  This is the order in which modules should be
+# compiled.
+#
+# A second file, gradle-bootstrap-module-dependencies, contains list
+# of dependecies for each module.
+#
+# Author: Mikolaj Izdebski <mizdebsk@redhat.com>
+
+import re
+import sys
+from glob import glob
+from zipfile import ZipFile
+
+
+def read_property(jar_path, props_name, prop_key):
+    prefix = prop_key + "="
+    prefix_len = len(prefix)
+    with ZipFile(jar_path) as jar:
+        with jar.open(props_name, "rU") as props:
+            for line in [line.rstrip() for line in props.readlines()]:
+                if line.startswith(prefix) and line[prefix_len:]:
+                    return line[prefix_len:]
+
+
+class GradleModule(object):
+    def __init__(self, path):
+        self.name = re.match(r'.*/(.+)-[0-9.]*jar', path).group(1)
+        self.path = path
+        self.dependencies = []
+
+    def read_dependencies(self):
+        projects = read_property(self.path, self.name + "-classpath.properties", "projects")
+        if projects:
+            self.dependencies = projects.split(",")
+
+    def __eq__(self, other):
+        return self.name == other.name
+
+    def __hash__(self):
+        return hash(self.name)
+
+
+# Read all Gradle modules from given Gradle home directory
+def read_gradle_modules(gradle_home):
+    paths = []
+    for pattern in ["/lib/gradle-*.jar", "/lib/plugins/gradle-*.jar"]:
+        paths.extend(glob(gradle_home + pattern))
+
+    return [GradleModule(path) for path in paths]
+
+
+# Resolve module dependencies to concrete modules
+def resolve_dependencies(modules, mapping):
+    for module in modules:
+        module.read_dependencies()
+        resolved_deps = []
+        for dep in module.dependencies:
+            resolved_dep = mapping.get(dep, None)
+            if not resolved_dep:
+                raise RuntimeError("Unresolved dependency from %s to %s" % (module.name, dep))
+            resolved_deps.append(resolved_dep)
+        module.dependencies = resolved_deps
+
+
+# Sort modules in-situ, placing them in dependency order
+def topological_sort(modules):
+    not_visited = set(modules)
+    visiting = set()
+    del modules[:]
+
+    def visit(module):
+        visiting.add(module)
+        for dependency in module.dependencies:
+            if dependency in visiting:
+                raise RuntimeError("module dependency cycle detected")
+            if dependency in not_visited:
+                visit(dependency)
+        modules.append(module)
+        not_visited.remove(module)
+        visiting.remove(module)
+
+    while not_visited:
+        visit(next(iter(not_visited)))
+
+    return modules
+
+
+# Extract a single resource from given module
+def extract_resource(module, resource, target_file):
+    with ZipFile(module.path) as jar:
+        with open(target_file, "w") as f:
+            f.write(jar.read(resource))
+
+
+if len(sys.argv) != 2:
+    sys.exit("Missing argument, usage: %s <path-to-unpacked-gradle-binary-distribution>" % sys.argv[0])
+gradle_home = sys.argv[1]
+
+modules = read_gradle_modules(gradle_home)
+if not modules:
+    sys.exit("Unable to find any Gradle modules in specifed location")
+
+module_mapping = dict((module.name, module) for module in modules)
+
+resolve_dependencies(modules, module_mapping)
+
+topological_sort(modules)
+
+
+# Generate file with sorted module list
+with open("gradle-bootstrap-module-list", "w") as f:
+    for module in modules:
+        f.write("%s\n" % module.name)
+
+# Generate file with module dependencies
+with open("gradle-bootstrap-module-dependencies", "w") as f:
+    for module in modules:
+        f.write("%s=%s\n" % (module.name, ",".join(dep.name for dep in module.dependencies)))
+
+# Extract some other resoures from Gradle JARs
+extract_resource(module_mapping["gradle-docs"], "api-mapping.txt", "gradle-bootstrap-api-mapping.txt")
+extract_resource(module_mapping["gradle-docs"], "default-imports.txt", "gradle-bootstrap-default-imports.txt")
+extract_resource(module_mapping["gradle-core"], "gradle-plugins.properties", "gradle-bootstrap-plugin.properties")
+extract_resource(module_mapping["gradle-core"], "gradle-implementation-plugins.properties", "gradle-bootstrap-implementation-plugin.properties")
+extract_resource(module_mapping["gradle-runtime-api-info"], "org/gradle/api/internal/runtimeshaded/api-relocated.txt", "gradle-bootstrap-api-relocated.txt")
+extract_resource(module_mapping["gradle-runtime-api-info"], "org/gradle/api/internal/runtimeshaded/test-kit-relocated.txt", "gradle-bootstrap-test-kit-relocated.txt")

gradle.spec

@@ -1,27 +1,28 @@
 %bcond_with bootstrap
 Name:                gradle
 Version:             4.4.1
-Release:             4
+Release:             1
 Summary:             Build automation tool
 License:             ASL 2.0
 URL:                 http://www.gradle.org/
 BuildArch:           noarch
-Source0:             https://github.com/gradle/gradle/archive/v%{version}.zip
+Source0:             http://services.gradle.org/distributions/gradle-%{version}-src.zip
 Source1:             http://services.gradle.org/versions/all#/all-released-versions.json
 Source2:             gradle-font-metadata.xml
 Source3:             gradle-jquery-metadata.xml
 Source4:             gradle-launcher.sh
 Source5:             gradle.desktop
 Source6:             gradle-man.txt
-Source7:             gradle-bootstrap.sh
+Source9900:          gradle-bootstrap.sh
-Source8:             gradle-bootstrap-module-list
+Source9901:          gradle-bootstrap-generate-resources.py
-Source9:             gradle-bootstrap-module-dependencies
+Source9910:          gradle-bootstrap-module-list
-Source10:            gradle-bootstrap-api-mapping.txt
+Source9911:          gradle-bootstrap-module-dependencies
-Source11:            gradle-bootstrap-default-imports.txt
+Source9920:          gradle-bootstrap-api-mapping.txt
-Source12:            gradle-bootstrap-plugin.properties
+Source9921:          gradle-bootstrap-default-imports.txt
-Source13:            gradle-bootstrap-implementation-plugin.properties
+Source9922:          gradle-bootstrap-plugin.properties
-Source14:            gradle-bootstrap-api-relocated.txt
+Source9923:          gradle-bootstrap-implementation-plugin.properties
-Source15:            gradle-bootstrap-test-kit-relocated.txt
+Source9924:          gradle-bootstrap-api-relocated.txt
+Source9925:          gradle-bootstrap-test-kit-relocated.txt
 Patch0001:           0001-Gradle-local-mode.patch
 Patch0002:           0002-Remove-Class-Path-from-manifest.patch
 Patch0003:           0003-Implement-XMvn-repository-factory-method.patch
@@ -40,7 +41,7 @@ Patch0015:           0015-Disable-docs-build.patch
 Patch0016:           0016-Port-to-guava-20.0.patch
 Patch0017:           0017-Set-core-api-source-level-to-8.patch
 Patch0018:           0018-Use-HTTPS-for-GoogleAPIs-repository.patch
-Patch0019:           CVE-2019-16370.patch
+BuildRequires:       git
 %if %{with bootstrap}
 BuildRequires:       groovy >= 2.3 javapackages-local
 %else
@@ -155,7 +156,7 @@ choice for many open source projects, leading edge enterprises and
 legacy automation challenges.
 
 %prep
-%autosetup -p1
+%autosetup -S git
 rm -rf gradle/wrapper/
 >subprojects/diagnostics/src/main/resources/org/gradle/api/tasks/diagnostics/htmldependencyreport/jquery.jstree.js
 mkdir -p build
@@ -175,20 +176,17 @@ rm -r subprojects/resources-gcs
 rm -r subprojects/ide-native
 
 %build
-%if "%{_arch}" == "riscv64"
-export JAVA_TOOL_OPTIONS="-Xmx4096m"
-%endif
 export LANG=en_US.UTF8
 %if %{with bootstrap}
 mkdir -p subprojects/docs/src/main/resources
 mkdir -p subprojects/core/src/main/resources/org/gradle/api/internal/runtimeshaded
-cp %{SOURCE10} subprojects/docs/src/main/resources/api-mapping.txt
+cp %{SOURCE9920} subprojects/docs/src/main/resources/api-mapping.txt
-cp %{SOURCE11} subprojects/docs/src/main/resources/default-imports.txt
+cp %{SOURCE9921} subprojects/docs/src/main/resources/default-imports.txt
-cp %{SOURCE12} subprojects/core/src/main/resources/gradle-plugins.properties
+cp %{SOURCE9922} subprojects/core/src/main/resources/gradle-plugins.properties
-cp %{SOURCE13} subprojects/core/src/main/resources/gradle-implementation-plugins.properties
+cp %{SOURCE9923} subprojects/core/src/main/resources/gradle-implementation-plugins.properties
-cp %{SOURCE14} subprojects/core/src/main/resources/org/gradle/api/internal/runtimeshaded/api-relocated.txt
+cp %{SOURCE9924} subprojects/core/src/main/resources/org/gradle/api/internal/runtimeshaded/api-relocated.txt
-cp %{SOURCE15} subprojects/core/src/main/resources/org/gradle/api/internal/runtimeshaded/test-kit-relocated.txt
+cp %{SOURCE9925} subprojects/core/src/main/resources/org/gradle/api/internal/runtimeshaded/test-kit-relocated.txt
-%{SOURCE7} %{SOURCE8} %{SOURCE9}
+%{SOURCE9900} %{SOURCE9910} %{SOURCE9911}
 %else
 rm gradle.properties
 gradle-local --offline --no-daemon install xmvnInstall \
@@ -240,17 +238,5 @@ install -p -m 644 man/gradle.1 %{buildroot}%{_mandir}/man1/gradle.1
 %license LICENSE NOTICE
 
 %changelog
-* Tue Apr 16 2024 Dingli Zhang <dingli@iscas.ac.cn> - 4.4.1-4
-- Add -Xmx4096m for riscv64
-
-* Fri Jul 30 2021 chenyanpanHW <chenyanpan@huawei.com> - 4.4.1-3
-- DESC: delete -S git from %autosetup, and delete BuildRequires git
-
-* Tue Jul 27 2021 liwu <liwu13@huawei.com> - 4.4.1-2
-- fix CVE-2019-16370
-
 * Fri Sep 4 2020 chengzihan <chengzihan2@huawei.com> - 4.4.1-1
-- upgrade to 4.4.1-1
-
-* Fri Dec 13 2019 daiqianwen <daiqianwen@huawei.com> - 4.3.1-10
 - Package init