diff --git a/gradle-CVE-2019-15052.patch b/gradle-CVE-2019-15052.patch new file mode 100644 index 0000000000000000000000000000000000000000..e5bd42f0ea2cb149c7935e5a38aabc01dcce8052 --- /dev/null +++ b/gradle-CVE-2019-15052.patch @@ -0,0 +1,357 @@ +--- gradle-4.4.1/subprojects/build-cache-http/src/main/java/org/gradle/caching/http/internal/DefaultHttpBuildCacheServiceFactory.java 2024-03-26 07:40:41.413892314 +0100 ++++ gradle-4.4.1/subprojects/build-cache-http/src/main/java/org/gradle/caching/http/internal/DefaultHttpBuildCacheServiceFactory.java 2024-03-26 08:16:01.318058239 +0100 +@@ -64,6 +64,7 @@ + if (credentialsPresent(credentials)) { + DefaultBasicAuthentication basicAuthentication = new DefaultBasicAuthentication("basic"); + basicAuthentication.setCredentials(credentials); ++ basicAuthentication.addHost(url.getHost(), url.getPort()); + authentications = Collections.singleton(basicAuthentication); + } + +--- gradle-4.4.1/subprojects/core/src/main/java/org/gradle/internal/authentication/AbstractAuthentication.java 2024-03-26 07:40:40.987222689 +0100 ++++ gradle-4.4.1/subprojects/core/src/main/java/org/gradle/internal/authentication/AbstractAuthentication.java 2024-03-26 08:11:51.403094079 +0100 +@@ -16,25 +16,31 @@ + + package org.gradle.internal.authentication; + ++import com.google.common.collect.Sets; + import org.gradle.api.credentials.Credentials; + import org.gradle.authentication.Authentication; + ++import java.util.Collection; ++import java.util.Objects; ++import java.util.Set; ++ + public abstract class AbstractAuthentication implements AuthenticationInternal { + private final String name; + private final Class supportedCredentialType; + private final Class type; + private Credentials credentials; + ++ private final Set hosts; ++ + public AbstractAuthentication(String name, Class type) { +- this.name = name; +- this.supportedCredentialType = null; +- this.type = type; ++ this(name, type, null); + } + + public AbstractAuthentication(String name, Class type, Class supportedCredential) { + this.name = name; + this.supportedCredentialType = supportedCredential; + this.type = type; ++ this.hosts = Sets.newHashSet(); + } + + @Override +@@ -66,4 +72,54 @@ public abstract class AbstractAuthentication implements AuthenticationInternal { + public String toString() { + return String.format("'%s'(%s)", getName(), getType().getSimpleName()); + } ++ ++ ++ @Override ++ public Collection getHostsForAuthentication() { ++ return hosts; ++ } ++ ++ ++ @Override ++ public void addHost(String host, int port) { ++ hosts.add(new DefaultHostAndPort(host, port)); ++ } ++ ++ private static class DefaultHostAndPort implements HostAndPort { ++ private final String host; ++ private final int port; ++ ++ DefaultHostAndPort(String host, int port) { ++ this.host = host; ++ this.port = port; ++ } ++ ++ @Override ++ public String getHost() { ++ return host; ++ } ++ ++ @Override ++ public int getPort() { ++ return port; ++ } ++ ++ @Override ++ public boolean equals(Object o) { ++ if (this == o) { ++ return true; ++ } ++ if (o == null || getClass() != o.getClass()) { ++ return false; ++ } ++ DefaultHostAndPort that = (DefaultHostAndPort) o; ++ return getPort() == that.getPort() && ++ Objects.equals(getHost(), that.getHost()); ++ } ++ ++ @Override ++ public int hashCode() { ++ return Objects.hash(getHost(), getPort()); ++ } ++ } + } +--- gradle-4.4.1/subprojects/core/src/main/java/org/gradle/internal/authentication/AuthenticationInternal.java 2024-03-26 07:40:40.987222689 +0100 ++++ gradle-4.4.1/subprojects/core/src/main/java/org/gradle/internal/authentication/AuthenticationInternal.java 2024-03-26 08:11:51.403094079 +0100 +@@ -20,6 +20,8 @@ + import org.gradle.api.credentials.Credentials; + import org.gradle.authentication.Authentication; + ++import java.util.Collection; ++ + @NonExtensible + public interface AuthenticationInternal extends Authentication { + boolean supports(Credentials credentials); +@@ -31,4 +33,25 @@ + Class getType(); + + boolean requiresCredentials(); ++ ++ void addHost(String host, int port); ++ ++ Collection getHostsForAuthentication(); ++ ++ interface HostAndPort { ++ ++ /** ++ * The hostname that the credentials are required for. ++ * ++ * null means "any host" ++ */ ++ String getHost(); ++ ++ /** ++ * The port that the credentials are required for ++ * ++ * -1 means "any port" ++ */ ++ int getPort(); ++ } + } +--- gradle-4.4.1/subprojects/dependency-management/src/main/java/org/gradle/api/internal/artifacts/repositories/AbstractAuthenticationSupportedRepository.java 2024-03-26 07:40:40.453885657 +0100 ++++ gradle-4.4.1/subprojects/dependency-management/src/main/java/org/gradle/api/internal/artifacts/repositories/AbstractAuthenticationSupportedRepository.java 2024-03-26 09:28:23.666252731 +0100 +@@ -21,10 +21,13 @@ + import org.gradle.api.credentials.Credentials; + import org.gradle.authentication.Authentication; + import org.gradle.internal.artifacts.repositories.AuthenticationSupportedInternal; ++import org.gradle.internal.authentication.AuthenticationInternal; + import org.gradle.internal.reflect.Instantiator; + + import javax.annotation.Nullable; ++import java.net.URI; + import java.util.Collection; ++import java.util.Collections; + + public abstract class AbstractAuthenticationSupportedRepository extends AbstractArtifactRepository implements AuthenticationSupportedInternal { + private final AuthenticationSupporter delegate; +@@ -76,6 +79,21 @@ + + @Override + public Collection getConfiguredAuthentication() { +- return delegate.getConfiguredAuthentication(); ++ Collection configuredAuthentication = delegate.getConfiguredAuthentication(); ++ ++ for (Authentication authentication : configuredAuthentication) { ++ AuthenticationInternal authenticationInternal = (AuthenticationInternal) authentication; ++ for (URI repositoryUrl : getRepositoryUrls()) { ++ // only care about HTTP hosts right now ++ if (repositoryUrl.getScheme().startsWith("http")) { ++ authenticationInternal.addHost(repositoryUrl.getHost(), repositoryUrl.getPort()); ++ } ++ } ++ } ++ return configuredAuthentication; ++ } ++ ++ protected Collection getRepositoryUrls() { ++ return Collections.emptyList(); + } + } +--- gradle-4.4.1/subprojects/dependency-management/src/main/java/org/gradle/api/internal/artifacts/repositories/DefaultIvyArtifactRepository.java 2024-03-26 07:40:40.453885657 +0100 ++++ gradle-4.4.1/subprojects/dependency-management/src/main/java/org/gradle/api/internal/artifacts/repositories/DefaultIvyArtifactRepository.java 2024-03-26 09:32:04.764408347 +0100 +@@ -15,6 +15,7 @@ + */ + package org.gradle.api.internal.artifacts.repositories; + ++import com.google.common.collect.ImmutableList; + import groovy.lang.Closure; + import org.gradle.api.Action; + import org.gradle.api.ActionConfiguration; +@@ -54,6 +55,7 @@ + import org.gradle.util.ConfigureUtil; + + import java.net.URI; ++import java.util.Collection; + import java.util.LinkedHashSet; + import java.util.Set; + +@@ -189,6 +191,31 @@ + return baseUrl == null ? null : fileResolver.resolveUri(baseUrl); + } + ++ ++ @Override ++ protected Collection getRepositoryUrls() { ++ // Ivy can resolve files from multiple hosts, so we need to look at all ++ // of the possible URLs used by the Ivy resolver to identify all of the repositories ++ ImmutableList.Builder builder = ImmutableList.builder(); ++ URI root = getUrl(); ++ if (root != null) { ++ builder.add(root); ++ } ++ for (String pattern : additionalPatternsLayout.artifactPatterns) { ++ URI baseUri = new ResolvedPattern(pattern, fileResolver).baseUri; ++ if (baseUri!=null) { ++ builder.add(baseUri); ++ } ++ } ++ for (String pattern : additionalPatternsLayout.ivyPatterns) { ++ URI baseUri = new ResolvedPattern(pattern, fileResolver).baseUri; ++ if (baseUri!=null) { ++ builder.add(baseUri); ++ } ++ } ++ return builder.build(); ++ } ++ + @Override + public void setUrl(URI url) { + baseUrl = url; +--- gradle-4.4.1/subprojects/dependency-management/src/main/java/org/gradle/api/internal/artifacts/repositories/DefaultMavenArtifactRepository.java 2024-03-26 07:40:40.453885657 +0100 ++++ gradle-4.4.1/subprojects/dependency-management/src/main/java/org/gradle/api/internal/artifacts/repositories/DefaultMavenArtifactRepository.java 2024-03-26 09:31:17.924088427 +0100 +@@ -15,12 +15,14 @@ + */ + package org.gradle.api.internal.artifacts.repositories; + ++import com.google.common.collect.ImmutableList; + import com.google.common.collect.Lists; + import org.gradle.api.InvalidUserDataException; + import org.gradle.api.Transformer; + import org.gradle.api.artifacts.repositories.AuthenticationContainer; + import org.gradle.api.artifacts.repositories.MavenArtifactRepository; + import org.gradle.api.internal.ExperimentalFeatures; ++import org.gradle.api.internal.InstantiatorFactory; + import org.gradle.api.internal.artifacts.ImmutableModuleIdentifierFactory; + import org.gradle.api.internal.artifacts.ModuleVersionPublisher; + import org.gradle.api.internal.artifacts.ivyservice.ivyresolve.ConfiguredModuleComponentRepository; +@@ -40,6 +42,7 @@ + + import java.net.URI; + import java.util.ArrayList; ++import java.util.Collection; + import java.util.LinkedHashSet; + import java.util.List; + import java.util.Set; +@@ -152,6 +155,18 @@ + return createRealResolver(); + } + ++ @Override ++ protected Collection getRepositoryUrls() { ++ // In a similar way to Ivy, Maven may use other hosts for additional artifacts, but not POMs ++ ImmutableList.Builder builder = ImmutableList.builder(); ++ URI root = getUrl(); ++ if (root != null) { ++ builder.add(root); ++ } ++ builder.addAll(getArtifactUrls()); ++ return builder.build(); ++ } ++ + protected MavenResolver createRealResolver() { + URI rootUri = getUrl(); + if (rootUri == null) { +--- gradle-4.4.1/subprojects/resources-http/src/main/java/org/gradle/internal/resource/transport/http/HttpClientConfigurer.java 2024-03-26 07:40:41.393892176 +0100 ++++ gradle-4.4.1/subprojects/resources-http/src/main/java/org/gradle/internal/resource/transport/http/HttpClientConfigurer.java 2024-03-26 09:15:06.421058834 +0100 +@@ -117,7 +117,7 @@ + + private void configureCredentials(HttpClientBuilder builder, CredentialsProvider credentialsProvider, Collection authentications) { + if(authentications.size() > 0) { +- useCredentials(credentialsProvider, AuthScope.ANY_HOST, AuthScope.ANY_PORT, authentications); ++ useCredentials(credentialsProvider, authentications); + + // Use preemptive authorisation if no other authorisation has been established + builder.addInterceptorFirst(new PreemptiveAuth(new BasicScheme(), isPreemptiveEnabled(authentications))); +@@ -131,31 +131,49 @@ + for (HttpProxySettings.HttpProxy proxy : Lists.newArrayList(httpProxy, httpsProxy)) { + if (proxy != null) { + if (proxy.credentials != null) { +- useCredentials(credentialsProvider, proxy.host, proxy.port, Collections.singleton(new AllSchemesAuthentication(proxy.credentials))); ++ AllSchemesAuthentication authentication = new AllSchemesAuthentication(proxy.credentials); ++ authentication.addHost(proxy.host, proxy.port); ++ useCredentials(credentialsProvider, Collections.singleton(authentication)); + } + } + } + builder.setRoutePlanner(new SystemDefaultRoutePlanner(ProxySelector.getDefault())); + } + +- private void useCredentials(CredentialsProvider credentialsProvider, String host, int port, Collection authentications) { +- Credentials httpCredentials; +- ++ private void useCredentials(CredentialsProvider credentialsProvider, Collection authentications) { + for (Authentication authentication : authentications) { ++ AuthenticationInternal authenticationInternal = (AuthenticationInternal) authentication; ++ + String scheme = getAuthScheme(authentication); +- PasswordCredentials credentials = getPasswordCredentials(authentication); ++ org.gradle.api.credentials.Credentials credentials = authenticationInternal.getCredentials(); ++ ++ Collection hostsForAuthentication = authenticationInternal.getHostsForAuthentication(); ++ assert !hostsForAuthentication.isEmpty() : "Credentials and authentication required for a HTTP repository, but no hosts were defined for the authentication?"; ++ ++ for (AuthenticationInternal.HostAndPort hostAndPort : hostsForAuthentication) { ++ String host = hostAndPort.getHost(); ++ int port = hostAndPort.getPort(); ++ ++ assert host != null : "HTTP credentials and authentication require a host scope to be defined as well"; ++ ++ if (credentials instanceof PasswordCredentials) { ++ PasswordCredentials passwordCredentials = (PasswordCredentials) credentials; + + if (authentication instanceof AllSchemesAuthentication) { +- NTLMCredentials ntlmCredentials = new NTLMCredentials(credentials); +- httpCredentials = new NTCredentials(ntlmCredentials.getUsername(), ntlmCredentials.getPassword(), ntlmCredentials.getWorkstation(), ntlmCredentials.getDomain()); ++ NTLMCredentials ntlmCredentials = new NTLMCredentials(passwordCredentials); ++ Credentials httpCredentials = new NTCredentials(ntlmCredentials.getUsername(), ntlmCredentials.getPassword(), ntlmCredentials.getWorkstation(), ntlmCredentials.getDomain()); + credentialsProvider.setCredentials(new AuthScope(host, port, AuthScope.ANY_REALM, AuthSchemes.NTLM), httpCredentials); + +- LOGGER.debug("Using {} and {} for authenticating against '{}:{}' using {}", credentials, ntlmCredentials, host, port, AuthSchemes.NTLM); ++ LOGGER.debug("Using {} and {} for authenticating against '{}:{}' using {}", passwordCredentials, ntlmCredentials, host, port, AuthSchemes.NTLM); + } + +- httpCredentials = new UsernamePasswordCredentials(credentials.getUsername(), credentials.getPassword()); ++ Credentials httpCredentials = new UsernamePasswordCredentials(passwordCredentials.getUsername(), passwordCredentials.getPassword()); + credentialsProvider.setCredentials(new AuthScope(host, port, AuthScope.ANY_REALM, scheme), httpCredentials); +- LOGGER.debug("Using {} for authenticating against '{}:{}' using {}", credentials, host, port, scheme); ++ LOGGER.debug("Using {} for authenticating against '{}:{}' using {}", passwordCredentials, host, port, scheme); ++ } else { ++ throw new IllegalArgumentException(String.format("Credentials must be an instance of: %s", PasswordCredentials.class.getCanonicalName())); ++ } ++ } + } + } + +@@ -256,11 +274,10 @@ + CredentialsProvider credentialsProvider = (CredentialsProvider) context.getAttribute(HttpClientContext.CREDS_PROVIDER); + HttpHost targetHost = (HttpHost) context.getAttribute(HttpCoreContext.HTTP_TARGET_HOST); + Credentials credentials = credentialsProvider.getCredentials(new AuthScope(targetHost.getHostName(), targetHost.getPort())); +- if (credentials == null) { +- throw new HttpException("No credentials for preemptive authentication"); +- } ++ if (credentials != null) { + authState.update(authScheme, credentials); + } + } + } ++ } + } diff --git a/gradle.spec b/gradle.spec index 1936a4899d5455567b040e2203b2ffb3e07807f1..b72761a06c023f07e53305d8c62e21223cd376c3 100644 --- a/gradle.spec +++ b/gradle.spec @@ -1,7 +1,7 @@ %bcond_with bootstrap Name: gradle Version: 4.4.1 -Release: 3 +Release: 4 Summary: Build automation tool License: ASL 2.0 URL: http://www.gradle.org/ @@ -41,6 +41,8 @@ Patch0016: 0016-Port-to-guava-20.0.patch Patch0017: 0017-Set-core-api-source-level-to-8.patch Patch0018: 0018-Use-HTTPS-for-GoogleAPIs-repository.patch Patch0019: CVE-2019-16370.patch +Patch0020: gradle-CVE-2019-15052.patch + BuildRequires: git %if %{with bootstrap} BuildRequires: groovy >= 2.3 javapackages-local @@ -238,6 +240,9 @@ install -p -m 644 man/gradle.1 %{buildroot}%{_mandir}/man1/gradle.1 %license LICENSE NOTICE %changelog +* Tue Aug 12 2025 ShuKun Qu - 4.4.1-4 +- Fix CVE-2019-15052 + * Wed Nov 29 2023 liyanan - 4.4.1-3 - Rebuilt for openEuler-22.03-LTS-SP3 @@ -248,4 +253,4 @@ install -p -m 644 man/gradle.1 %{buildroot}%{_mandir}/man1/gradle.1 - upgrade to 4.4.1-1 * Fri Dec 13 2019 daiqianwen - 4.3.1-10 -- Package init +- Package init \ No newline at end of file