Releases should not depend on insecure or untrusted code #855

Closed
JLLeitschuh opened this issue Feb 18, 2019 · 8 comments

@JLLeitschuh

CWE-829: Inclusion of Functionality from Untrusted Control Sphere

The build files indicate that this project is resolving dependencies over HTTP instead of HTTPS. Any of these artifacts could have been MITM'd to maliciously compromise them and infect the build artifacts that were produced. Additionally, if any of these JARs or other dependencies were compromised, any developers using these could continue to be infected past updating to fix this.

This vulnerability has a CVSS v3.0 Base Score of 8.1/10
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

This isn't just theoretical

POC code exists already to maliciously compromise a JAR file inflight.
See:

MITM Attacks Increasingly Common:

See:

Source Locations:

Download of Eclipse SDK:

  • buildship/build.gradle

    Lines 433 to 443 in 3348ffc

    tasks.withType(eclipsebuild.DownloadEclipseSdkTask) {
        def os = org.gradle.internal.os.OperatingSystem.current()
        def arch = System.getProperty("os.arch").contains("64") ? "64" : "32"
        if (os.windows) {
            downloadUrl = "http://builds.gradle.org:8000/eclipse/sdk/eclipse-sdk-4.4.2-windows-${arch}.zip"
        } else if (os.macOsX) {
            downloadUrl = "http://builds.gradle.org:8000/eclipse/sdk/eclipse-sdk-4.4.2-macosx-${arch}.tar.gz"
        } else if (os.linux) {
            downloadUrl = "http://builds.gradle.org:8000/eclipse/sdk/eclipse-sdk-4.4.2-linux-${arch}.tar.gz"
        }
    }

  • return "http://builds.gradle.org:8000/eclipse/sdk/eclipse-sdk-4.4.2-${currentOs}-${currentArch}.${fileFormat}"

Eclipse SDK has no checksum verification:

  • @TaskAction
    public void downloadSdk() {
        // if multiple builds start on the same machine (which is the case with a CI server)
        // we want to prevent them downloading the same file to the same destination
        def directoryLock = new FileSemaphore(targetDir)
        directoryLock.lock()
        try {
            downloadEclipseSdkUnprotected(getProject())
        } finally {
            directoryLock.unlock()
        }
    }

    private void downloadEclipseSdkUnprotected(Project project) {
        // download the archive
        File sdkArchive = eclipseSdkArchive()
        project.logger.info("Download Eclipse SDK from '${downloadUrl}' to '${sdkArchive.absolutePath}'")
        project.ant.get(src: new URL(downloadUrl), dest: sdkArchive)

        // extract it to the same location where it was extracted
        project.logger.info("Extract '$sdkArchive' to '$sdkArchive.parentFile.absolutePath'")
        if (OperatingSystem.current().isWindows()) {
            project.ant.unzip(src: sdkArchive, dest: sdkArchive.parentFile, overwrite: true)
        } else {
            project.ant.untar(src: sdkArchive, dest: sdkArchive.parentFile, compression: "gzip", overwrite: true)
        }

        // make it executable
        File exe = eclipseSdkExe()
        project.logger.info("Set '${exe}' executable")
        exe.setExecutable(true)
    }

    private File eclipseSdkArchive() {
        new File(targetDir, OperatingSystem.current().isWindows() ? 'eclipse-sdk.zip' : 'eclipse-sdk.tar.gz')
    }

    private File eclipseSdkExe() {
        new File(targetDir, Constants.eclipseExePath)
    }

Download of Gradle:
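
The report above flags two separate gaps: artifacts resolved over plain HTTP (CWE-829), and an SDK archive fetched with `ant.get` and extracted without any checksum check. The Gradle build-script fragment below is an added example, not Buildship's code and not the fix donat landed in the PR. The archive URL, output path and SHA-256 digest are constructed placeholders to be replaced with the real values. It does two things: it fails the build at configuration time if any Maven repository resolves over `http`, and it downloads the archive only over `https` and compares its SHA-256 against a pinned digest before anything downstream can extract it. (Since Gradle 7.0 the first check is built in: Gradle refuses `http` repositories unless `allowInsecureProtocol = true` is set explicitly, so the guard is mainly relevant to the older Gradle this project used in 2019.)

```groovy
import java.security.MessageDigest

// Constructed placeholders (not the project's real values): replace the URL with the
// HTTPS location of the archive and the digest with its published SHA-256.
def sdkUrl = 'https://example.invalid/eclipse/sdk/eclipse-sdk-4.4.2-linux-64.tar.gz'
def sdkSha256 = '0000000000000000000000000000000000000000000000000000000000000000'
def sdkArchive = layout.buildDirectory.file('eclipse-sdk.tar.gz').get().asFile

// 1. Fail fast on any repository that would resolve dependencies over plain HTTP.
//    The action runs for every Maven repository added to any project in the build,
//    after its closure has set the URL, so a later `maven { url 'http://...' }` still trips it.
allprojects {
    repositories.withType(MavenArtifactRepository).configureEach { repo ->
        if (repo.url?.scheme == 'http') {
            throw new GradleException("Insecure repository URL ${repo.url}: dependencies must be resolved over https")
        }
    }
}

// Streaming SHA-256 of a file, hex-encoded; avoids loading a multi-hundred-MB SDK into memory.
def sha256Hex(File file) {
    MessageDigest md = MessageDigest.getInstance('SHA-256')
    file.eachByte(8192) { byte[] buf, int n -> md.update(buf, 0, n) }
    md.digest().encodeHex().toString()
}

// 2. Download over HTTPS only, then verify the archive against the pinned digest.
//    A pinned digest also catches a compromised origin or mirror, which TLS alone does not.
tasks.register('downloadEclipseSdk') {
    outputs.file(sdkArchive)
    doLast {
        URI uri = new URI(sdkUrl)
        if (uri.scheme != 'https') {
            throw new GradleException("Refusing to fetch ${sdkUrl}: only https downloads are allowed")
        }
        sdkArchive.parentFile.mkdirs()
        uri.toURL().withInputStream { input ->
            sdkArchive.withOutputStream { out -> out << input }
        }
        String actual = sha256Hex(sdkArchive)
        if (!actual.equalsIgnoreCase(sdkSha256)) {
            // Never leave an unverified archive where an extract task would pick it up.
            sdkArchive.delete()
            throw new GradleException("SHA-256 mismatch for ${sdkArchive.name}: expected ${sdkSha256}, got ${actual}")
        }
        logger.lifecycle("Verified ${sdkArchive.name} (sha256 ${actual})")
    }
}
```

Any extract task should then declare `dependsOn 'downloadEclipseSdk'` and read `sdkArchive`, so the only path to an unpacked SDK runs through the verification. The digest belongs in version control next to the URL; updating the SDK version means updating both in the same commit, which is what makes a swapped archive visible in review.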

@donat
Contributor

donat commented Mar 12, 2019

Thanks for reporting this. I'll try to fix this.

@donat donat self-assigned this Mar 12, 2019
@JLLeitschuh
Author

Heads up, I plan to publish a public disclosure about this industry-wide vulnerability on June 10th, 2019.

@JLLeitschuh
Author

Ping!

@donat
Contributor

donat commented May 2, 2019

I'll take care of this before the deadline.

@JLLeitschuh
Author

@donat This will also need a CVE issued. That can be done through @waynebeaton as the Eclipse Foundation is a CNA.

See this format as an example:

https://bugs.eclipse.org/bugs/show_bug.cgi?id=546622

@donat donat added this to the 3.1.1 milestone May 28, 2019
@donat
Contributor

donat commented May 28, 2019

I've implemented the fix for this issue. See the PR ☝️.
@JLLeitschuh I trust you handle the CVE report.

@JLLeitschuh
Author

@donat You need to file for the CVE with @waynebeaton using the Eclipse bug tracker. Since the Eclipse organization is a CNA, the Eclipse security team does the reporting. You or some other contributor needs to be the one to ask @waynebeaton to do the filing.

See this format as an example:

https://bugs.eclipse.org/bugs/show_bug.cgi?id=546622

@donat donat added the security label May 28, 2019
@donat donat changed the title from "[SECURITY] Releases are built/executed/released in the context of insecure/untrusted code" to "Releases are built/executed/released in the context of insecure/untrusted code" May 28, 2019
@donat
Contributor

donat commented May 28, 2019

CVE request submitted: https://bugs.eclipse.org/bugs/show_bug.cgi?id=547734

@donat donat closed this as completed May 28, 2019
@donat donat changed the title from "Releases are built/executed/released in the context of insecure/untrusted code" to "Releases should not depend on insecure or untrusted code" Jul 1, 2019