Bug 1698510

Summary: CVE-2019-11065 gradle: Insecure HTTP URL used to download dependencies leading to possibly maliciously compromised artifacts. [fedora-29]
Product: Fedora
Reporter: Marian Rehak <mrehak>
Component: gradle
Assignee: Stewardship SIG <stewardship-sig>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: high
Version: 30
CC: dan, decathorpe, fcami, java-sig-commits, jjelen, lkundrak, mhroncok, mizdebsk, stewardship-sig
Target Milestone: ---
Keywords: Security, SecurityTracking
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: gradle-4.3.1-9.fc29 gradle-4.4.1-4.fc30
Doc Type: No Doc Update
Last Closed: 2019-08-19 01:01:55 UTC
Bug Depends On: 1657836, 1675056
Bug Blocks: 1698508

Description Marian Rehak 2019-04-10 14:04:34 UTC
This is an automatically created tracking bug!  It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-29.

For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.

For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs

When submitting as an update, use the fedpkg template provided in the next
comment(s).  This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.

Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
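The bug title names the problem class: dependency artifacts fetched over a plain http:// URL, which anyone on the network path can replace. The comments below only track the Fedora package rebuilds, so here is an added example of the check a practitioner would run on their own projects. It is not code from this bug report, from the Fedora gradle package, or from Gradle itself: a Python script that scans Gradle build scripts and wrapper properties for plain-HTTP download URLs and for the allowInsecureProtocol (Groovy DSL) / isAllowInsecureProtocol (Kotlin DSL) opt-in that newer Gradle releases require before they will use such a repository. The sample build.gradle and gradle-wrapper.properties contents are constructed, and the hostnames are placeholders.

```python
import re
from typing import Dict, List

# Added example, not code from the Fedora gradle package or from Gradle itself.
# Sample inputs below are constructed; hostnames are placeholders.

# A plain-HTTP URL. "https://" never matches because 's' follows "http".
HTTP_URL_RE = re.compile(r"""\bhttp://[^\s'"()\[\],]+""")
# The repository opt-in that silences Gradle's insecure-protocol check:
# Groovy DSL "allowInsecureProtocol = true", Kotlin DSL "isAllowInsecureProtocol = true".
ALLOW_INSECURE_RE = re.compile(r"(?:is)?[aA]llowInsecureProtocol\s*(?:=|\()?\s*true")

SAMPLE_BUILD_GRADLE = """\
repositories {
    mavenCentral()
    maven {
        url "http://repo.example.org/maven2"
        allowInsecureProtocol = true
    }
    maven { url 'https://secure.example.org/maven2' }
    ivy { url = "http://ivy.example.net/repo" }
}
"""

SAMPLE_WRAPPER_PROPERTIES = """\
distributionBase=GRADLE_USER_HOME
distributionPath=wrapper/dists
distributionUrl=http\\://dist.example.org/gradle-4.4.1-bin.zip
zipStoreBase=GRADLE_USER_HOME
"""


def scan_text(text: str, source: str) -> List[Dict[str, object]]:
    """Return one finding per plain-HTTP URL or allowInsecureProtocol opt-in."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        # Java .properties files escape ':' as '\:'; normalise before matching.
        candidate = line.replace("\\:", ":")
        for match in HTTP_URL_RE.finditer(candidate):
            findings.append({"source": source, "line": lineno,
                             "kind": "http-url", "match": match.group(0)})
        if ALLOW_INSECURE_RE.search(candidate):
            findings.append({"source": source, "line": lineno,
                             "kind": "allow-insecure", "match": candidate.strip()})
    return findings


def scan_files(files: Dict[str, str]) -> List[Dict[str, object]]:
    """Scan several files, keyed by path, and concatenate their findings."""
    findings: List[Dict[str, object]] = []
    for path, text in files.items():
        findings.extend(scan_text(text, path))
    return findings


def report(findings: List[Dict[str, object]]) -> str:
    """Render findings one per line, or a clean verdict if there are none."""
    if not findings:
        return "no plain-HTTP download URLs found"
    return "\n".join(f"{f['source']}:{f['line']}: {f['kind']}: {f['match']}"
                     for f in findings)


if __name__ == "__main__":
    print(report(scan_files({
        "build.gradle": SAMPLE_BUILD_GRADLE,
        "gradle/wrapper/gradle-wrapper.properties": SAMPLE_WRAPPER_PROPERTIES,
    })))
```

The scan is deliberately conservative: an http:// URL inside a comment is flagged too, since a human should decide whether it is dead text. Do not fix findings by blindly rewriting http to https; first confirm the mirror actually serves TLS with a valid certificate, otherwise the build just fails. The wrapper's distributionUrl matters as much as repository URLs, because the downloaded Gradle distribution runs with full build privileges.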

Comment 1 Marian Rehak 2019-04-10 14:04:35 UTC
Use the following template for the 'fedpkg update' request to submit an
update for this issue as it contains the top-level parent bug(s) as well as
this tracking bug.  This will ensure that all associated bugs get updated
when new packages are pushed to stable.

=====

# bugfix, security, enhancement, newpackage (required)
type=security

# low, medium, high, urgent (required)
severity=high

# testing, stable
request=testing

# Bug numbers: 1234,9876
bugs=1698508,1698510

# Description of your update
notes=Security fix for [PUT CVEs HERE]

# Enable request automation based on the stable/unstable karma thresholds
autokarma=True
stable_karma=3
unstable_karma=-3

# Automatically close bugs when this is marked as stable
close_bugs=True

# Suggest that users restart after update
suggest_reboot=False

======

Additionally, you may opt to use the bodhi web interface to submit updates:

https://bodhi.fedoraproject.org/updates/new

Comment 2 Mikolaj Izdebski 2019-04-10 15:32:28 UTC
I've committed fixes for Fedora 28 and 29.
Fedora 30 and rawhide are blocked on FTBFS.

Comment 3 Fabio Valentini 2019-04-10 15:34:49 UTC
I suspect the Stewardship SIG will talk about the f30/rawhide situation during our next meeting.

Comment 4 Mikolaj Izdebski 2019-04-10 17:33:24 UTC
Build failed on ARM32 with OOM: https://koji.fedoraproject.org/koji/taskinfo?taskID=34101529
I'll try to resubmit it until I hit a 64-bit builder.

Comment 5 Fedora Update System 2019-04-10 17:42:59 UTC
gradle-4.3.1-9.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-a9c15101fb

Comment 6 Fedora Update System 2019-04-12 03:56:06 UTC
gradle-4.3.1-9.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-a9c15101fb

Comment 7 Fedora Update System 2019-05-21 02:20:08 UTC
gradle-4.3.1-9.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

Comment 8 Mikolaj Izdebski 2019-08-09 10:08:06 UTC
Fedora 28 and 29 were fixed in version 4.3.1 release 9, but Fedora 30 and later are still vulnerable.
I'm reassigning the bug to package owner since I don't maintain Gradle in affected Fedora versions.

Comment 9 Miro Hrončok 2019-08-09 14:31:50 UTC
Oh I thought we did this when we rebuilt gradle :(

We should really at least do it in F30.

Comment 10 Fabio Valentini 2019-08-09 14:51:11 UTC
I'll try to work on this later.

Miro, do you remember which version of gradle I would have to submit as buildroot override to actually build the patched version?

Comment 11 Miro Hrončok 2019-08-09 15:01:17 UTC
gradle-4.3.1-8.fc29

Comment 12 Fabio Valentini 2019-08-09 20:46:14 UTC
It looks like that trick doesn't work in released fedora:
Invalid build.  It must be tagged as either candidate or testing.

:(

Comment 13 Miro Hrončok 2019-08-09 21:55:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=1657836#c3

> Possible workaround:
> 
> Tag gradle-4.3.1 into rawhide before building newer version of gradle.
> 
> $ koji tag-build f31-pending gradle-4.3.1-8.fc29
> $ koji wait-repo f31-build --build=gradle-4.3.1-8.fc29
> $ fedpkg build
> 
> For F30:
> 
> $ koji tag-build f30-updates-candidate gradle-4.3.1-8.fc29
> $ bodhi overrides save gradle-4.3.1-8.fc29 --wait
> $ fedpkg build

Comment 15 Miro Hrončok 2019-08-09 21:56:46 UTC
$ koji tag-build f31-pending gradle-4.3.1-8.fc29 --force
Created task 36893514
Watching tasks (this may be safely interrupted)...
36893514 tagBuild (noarch): open (buildvm-29.phx2.fedoraproject.org)
36893514 tagBuild (noarch): open (buildvm-29.phx2.fedoraproject.org) -> closed
  0 free  0 open  1 done  0 failed

36893514 tagBuild (noarch) completed successfully

Comment 16 Fedora Update System 2019-08-10 01:59:24 UTC
FEDORA-2019-1b6383acdd has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-1b6383acdd

Comment 17 Fabio Valentini 2019-08-10 02:01:32 UTC
Thanks Miro, you're a Hero :+1:

The patched version is submitted to fedora 30, but I can't actually update it on rawhide because of unresolved dependencies. And honestly I don't care about gradle anymore, since it's probably going to be retired soon.

Comment 18 Fedora Update System 2019-08-11 02:20:20 UTC
gradle-4.4.1-4.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-1b6383acdd

Comment 19 Fedora Update System 2019-08-19 01:01:55 UTC
gradle-4.4.1-4.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.