2174854 – (CVE-2023-26053) CVE-2023-26053 gradle: usage of long IDs for PGP keys is unsafe and is subject to collision attacks

Bug 2174854 (CVE-2023-26053) - CVE-2023-26053 gradle: usage of long IDs for PGP keys is unsafe and is subject to collision attacks

Summary: CVE-2023-26053 gradle: usage of long IDs for PGP keys is unsafe and is subjec...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2023-26053
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	2174844
TreeView+	depends on / blocked

Reported:	2023-03-02 14:03 UTC by Borja Tarraso
Modified:	2023-11-14 17:26 UTC (History)
CC List:	23 users (show)
Fixed In Version:	gradle 6.9.4, gradle 7.6.1, gradle 8.0
Doc Type:	---
Doc Text:	A flaw was found in Gradle when verifying long IDs of 64 bits for PGP keys in the trusted key or PGP element. This flaw allows an attacker to exploit this issue and collision the dependency verification.
Clone Of:
Environment:
Last Closed:	2023-06-29 15:52:19 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2023:3809	0	None	None	None	2023-06-29 11:09:53 UTC

Description Borja Tarraso 2023-03-02 14:03:11 UTC

This is a collision attack on long IDs (64bits) for PGP keys.

Users of dependency verification in Gradle are vulnerable if they use long IDs for PGP keys in a trusted-key or pgp element in their dependency verification metadata file.

Grandle between 6.2 to 7.6 are impacted by this issue.

Comment 1 Chess Hazlett 2023-03-09 22:30:02 UTC

quarkus looks to rebundle gradle in its launcher; amq-st ships a wrapper but not the actual code

Comment 4 errata-xmlrpc 2023-06-29 11:09:50 UTC

This issue has been addressed in the following products:

  Red Hat build of Quarkus 2.13.8

Via RHSA-2023:3809 https://access.redhat.com/errata/RHSA-2023:3809

Comment 5 Product Security DevOps Team 2023-06-29 15:52:16 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-26053

Note You need to log in before you can comment on or make changes to this bug.

asoldano
bbaranow
bmaxwell
brian.stansberry
cdewolf
chazlett
darran.lofthouse
dkreling
dosoudil
fjuma
ivassile
iweiss
lgao
mosmerov
msochure
msvehla
nwallace
peholase
pjindal
pmackay
rstancel
smaestri
tom.jenkinson