diff --git a/gradle-CVE-2023-35947.patch b/gradle-CVE-2023-35947.patch new file mode 100644 index 0000000000000000000000000000000000000000..fdcf819943a8521e56214f6ff069c62e15e69fd0 --- /dev/null +++ b/gradle-CVE-2023-35947.patch @@ -0,0 +1,74 @@ +Patch for CVE-2023-35947 (bsc#1212931) gradle: unpacking Tar +archives could create files outside of the unpack location + +Derived from upstream commits +1096b309520a8c315e3b6109a6526de4eabcb879 and +2e5c34d57d0c0b7f0e8b039a192b91e5c8249d91 + +With this patch, Gradle will refuse to handle Tar archives which +contain path traversal elements in a Tar entry name. This resolves +CVE-2023-35947. + +--- +--- a/subprojects/core/src/main/java/org/gradle/api/internal/file/archive/TarFileTree.java ++++ b/subprojects/core/src/main/java/org/gradle/api/internal/file/archive/TarFileTree.java +@@ -231,6 +231,10 @@ public class TarFileTree implements Mini + public int getMode() { + return entry.getMode() & 0777; + } ++ ++ protected String getEntryName() { ++ return entry.getName(); ++ } + } + + private static class NoCloseTarInputStream extends TarInputStream { +--- a/subprojects/core/src/main/java/org/gradle/api/internal/file/archive/ZipFileTree.java ++++ b/subprojects/core/src/main/java/org/gradle/api/internal/file/archive/ZipFileTree.java +@@ -135,6 +135,10 @@ public class ZipFileTree implements Mini + return String.format("zip entry %s!%s", originalFile, entry.getName()); + } + ++ protected String getEntryName() { ++ return entry.getName(); ++ } ++ + public void stopVisiting() { + stopFlag.set(true); + } +--- a/subprojects/core/src/main/java/org/gradle/caching/internal/tasks/TarTaskOutputPacker.java ++++ b/subprojects/core/src/main/java/org/gradle/caching/internal/tasks/TarTaskOutputPacker.java +@@ -46,6 +46,7 @@ import org.gradle.caching.internal.tasks + import org.gradle.internal.hash.HashCode; + import org.gradle.internal.hash.StreamHasher; + import org.gradle.internal.nativeplatform.filesystem.FileSystem; ++import org.gradle.wrapper.PathTraversalChecker; + + import java.io.BufferedOutputStream; + import java.io.ByteArrayOutputStream; +@@ -258,7 +259,7 @@ public class TarTaskOutputPacker impleme + long entries = 0; + while ((tarEntry = tarInput.getNextTarEntry()) != null) { + ++entries; +- String name = tarEntry.getName(); ++ String name = safeEntryName(tarEntry); + + if (name.equals(METADATA_PATH)) { + // handle origin metadata +@@ -288,6 +289,14 @@ public class TarTaskOutputPacker impleme + return new UnpackResult(originMetadata, entries, propertyFileSnapshots.build()); + } + ++ /** ++ * Returns a safe name for the name of a tar archive entry. ++ * ++ */ ++ private static String safeEntryName(TarArchiveEntry tarEntry) { ++ return PathTraversalChecker.safePathName(tarEntry.getName()); ++ } ++ + private void unpackPropertyEntry(ResolvedTaskOutputFilePropertySpec propertySpec, InputStream input, TarArchiveEntry entry, String childPath, boolean missing, ImmutableMultimap.Builder fileSnapshots) throws IOException { + File propertyRoot = propertySpec.getOutputFile(); + String propertyName = propertySpec.getPropertyName(); + + diff --git a/gradle.spec b/gradle.spec index 1936a4899d5455567b040e2203b2ffb3e07807f1..0aacf96032f7422a6b97dd6c095bc1f01311a1aa 100644 --- a/gradle.spec +++ b/gradle.spec @@ -1,7 +1,7 @@ %bcond_with bootstrap Name: gradle Version: 4.4.1 -Release: 3 +Release: 4 Summary: Build automation tool License: ASL 2.0 URL: http://www.gradle.org/ @@ -41,6 +41,7 @@ Patch0016: 0016-Port-to-guava-20.0.patch Patch0017: 0017-Set-core-api-source-level-to-8.patch Patch0018: 0018-Use-HTTPS-for-GoogleAPIs-repository.patch Patch0019: CVE-2019-16370.patch +Patch0020: gradle-CVE-2023-35947.patch BuildRequires: git %if %{with bootstrap} BuildRequires: groovy >= 2.3 javapackages-local @@ -238,6 +239,9 @@ install -p -m 644 man/gradle.1 %{buildroot}%{_mandir}/man1/gradle.1 %license LICENSE NOTICE %changelog +* Tue Aug 12 2025 ShuKun Qu - 4.4.1-4 +- Fix CVE-2023-35947 + * Wed Nov 29 2023 liyanan - 4.4.1-3 - Rebuilt for openEuler-22.03-LTS-SP3