2242485 – (CVE-2023-44387) CVE-2023-44387 gradle: Incorrect permission assignment for symlinked files used in copy or archiving operations

Bug 2242485 (CVE-2023-44387) - CVE-2023-44387 gradle: Incorrect permission assignment for symlinked files used in copy or archiving operations

Summary: CVE-2023-44387 gradle: Incorrect permission assignment for symlinked files us...

Keywords:
Status:	NEW
Alias:	CVE-2023-44387
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2242486
Blocks:	2242482
TreeView+	depends on / blocked

Reported:	2023-10-06 14:03 UTC by Patrick Del Bello
Modified:	2024-02-01 03:42 UTC (History)
CC List:	46 users (show)
Fixed In Version:	gradle 7.6.3, gradle 8.4
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in Gradle. When copying files or creating archives, Gradle does not preserve symbolic links, instead resolving them to their underlying target file, but permissions of the new file use those of the link instead of those from the target file. This issue can lead to files with broader permissions than intended, as symbolic links are usually world-readable and writeable.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2023:7678	0	None	None	None	2023-12-06 23:30:56 UTC

Description Patrick Del Bello 2023-10-06 14:03:12 UTC

Gradle is a build tool with a focus on build automation and support for multi-language development. When copying or archiving symlinked files, Gradle resolves them but applies the permissions of the symlink itself instead of the permissions of the linked file to the resulting file. This leads to files having too much permissions given that symlinks usually are world readable and writeable. While it is unlikely this results in a direct vulnerability for the impacted build, it may open up attack vectors depending on where build artifacts end up being copied to or un-archived. In versions 7.6.3, 8.4 and above, Gradle will now properly use the permissions of the file pointed at by the symlink to set permissions of the copied or archived file.

https://github.com/gradle/gradle/security/advisories/GHSA-43r3-pqhv-f7h9
https://github.com/gradle/gradle/releases/tag/v7.6.3
https://github.com/gradle/gradle/releases/tag/v8.4.0
https://github.com/gradle/gradle/commit/3b406191e24d69e7e42dc3f3b5cc50625aa930b7

Comment 6 errata-xmlrpc 2023-12-06 23:30:53 UTC

This issue has been addressed in the following products:

  Red Hat AMQ Streams 2.6.0

Via RHSA-2023:7678 https://access.redhat.com/errata/RHSA-2023:7678

Note You need to log in before you can comment on or make changes to this bug.

adupliak
aileenc
asoldano
bbaranow
bmaxwell
brian.stansberry
cdewolf
chazlett
chfoley
cmiranda
darran.lofthouse
dhanak
dkreling
dosoudil
eric.wittmann
fjuma
fmongiar
hhorak
ibek
ivassile
iweiss
janstey
jnethert
jorton
jrokos
jscholz
kverlaen
lgao
mizdebsk
mnovotny
mosmerov
msochure
mstefank
msvehla
nwallace
pantinor
pcongius
peholase
pjindal
pmackay
rguimara
rstancel
saroy
smaestri
swoodman
tom.jenkinson