Eclipse XML parser for the Eclipse IDE versions 2017.2.5 and earlier was found vulnerable to an XML External Entity attack. An attacker can exploit the vulnerability by implementing malicious code on AndroidManifest.xml. References: https://bugs.eclipse.org/bugs/show_bug.cgi?id=519169 https://research.checkpoint.com/parsedroid-targeting-android-development-research-community/
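For context on what the mitigation for this class of flaw looks like, here is an added example (not code from Eclipse, Andmore or the bug report) of a JAXP DocumentBuilder hardened against external entities, run over a constructed AndroidManifest.xml whose DOCTYPE declares an external entity pointing at a placeholder path. The feature URIs are the Xerces ones honoured by the JDK's built-in parser; the class and method names are the example's own.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import java.io.StringReader;

public class ManifestParserHardening {
    // Constructed sample: an AndroidManifest.xml whose DOCTYPE declares an external
    // entity. A parser that resolves it would read the referenced resource into the
    // package attribute; a hardened parser must refuse the document instead.
    static final String MANIFEST_WITH_EXTERNAL_ENTITY =
        "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n"
      + "<!DOCTYPE manifest [\n"
      + "  <!ENTITY ext SYSTEM \"file:///PLACEHOLDER/some/local/file\">\n"
      + "]>\n"
      + "<manifest xmlns:android=\"http://schemas.android.com/apk/res/android\"\n"
      + "          package=\"&ext;\">\n"
      + "  <application android:label=\"demo\"/>\n"
      + "</manifest>\n";

    /** DocumentBuilder configured to reject DTDs, so no entity can ever be declared. */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth, should an implementation not honour the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return f.newDocumentBuilder();
    }

    /** True when the hardened parser refuses the document at its DOCTYPE. */
    static boolean rejectsExternalEntity(String xml) throws Exception {
        try {
            hardenedBuilder().parse(new InputSource(new StringReader(xml)));
            return false; // parsed, so the entity would have been resolved
        } catch (SAXParseException e) {
            return true;  // e.g. "DOCTYPE is disallowed when the feature ... set to true"
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("hardened parser rejects manifest: "
            + rejectsExternalEntity(MANIFEST_WITH_EXTERNAL_ENTITY));
    }
}
```

Any tool that feeds an untrusted manifest to a DocumentBuilder built from a default factory is the pattern to look for; the check is whether the factory disables DOCTYPEs or external entities before parsing.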
Created eclipse tracking bugs for this issue: Affects: fedora-all [bug 1572381]
The upstream bug you cite shows that the Android tooling component called "Andmore" is affected and we do not ship that component in any Fedora or RHEL product. Can you show that the vulnerability exists in any component that we do ship? If not, I would like to close this as NOTABUG.
I cannot find any actionable public information about the flaw, and the upstream bug is restricted. The original report from Checkpoint does not provide any details on how and where Eclipse is affected. As you have access to the upstream bug, can you point out the upstream fix for this, if it was fixed already? The Checkpoint report indicates issues were reported to the relevant upstreams about a year ago. However, I could not find anything obviously related in the Andmore git repo, and there's very little activity there at all. So I wonder if this remains unfixed upstream.
The upstream bug is against andmore/core, so definitely not something we should care about as we do not ship it.
The relevant changes in APKTool seem to be these: https://github.com/iBotPeaches/Apktool/commit/f19317d87c316ed254aafa0a27eddd024e25ec6c https://github.com/iBotPeaches/Apktool/commit/657a44f5938b072898a0de913c03760210e0f4ed https://github.com/iBotPeaches/Apktool/commit/dbb144f9af5478c780e59c8b65036ae882595063
What is the status of the upstream bug? Is it open with no fix committed or proposed?
Open with no fix committed or proposed, yes.
This affects the Eclipse Andmore project, which is not included in the Eclipse packages shipped in Red Hat products.