From 839c46c31ec124fe516b2cdefbc1f1c6ff1e9432 Mon Sep 17 00:00:00 2001
From: programmer12 <964969108@qq.com>
Date: Tue, 27 Jul 2021 19:13:59 +0800
Subject: [PATCH] CVE-2019-16370 (cherry picked from commit 9708987f7916c16b377801bff814f5d43357bc84)
---
 CVE-2019-16370.patch | 29 +++++++++++++++++++++++++++++
 gradle.spec | 6 +++++-
 2 files changed, 34 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2019-16370.patch
diff --git a/CVE-2019-16370.patch b/CVE-2019-16370.patch
new file mode 100644
index 0000000..4e9a62d
--- /dev/null
+++ b/CVE-2019-16370.patch
@@ -0,0 +1,29 @@
+From f50bb2513f8880f75db2c2b3f1badbae856f6f85 Mon Sep 17 00:00:00 2001
+From: Vladimir Sitnikov
+Date: Tue, 10 Sep 2019 14:37:35 +0300
+Subject: [PATCH] signing plugin: use SHA512 instead of SHA1 when signing
+ artifacts
+
+PGP signs a digest, so MITM is still possible provided an attacker can update
+the artifact in such a way that its SHA1 is intact.
+
+Relevant article is https://medium.com/@jonathan.leitschuh/many-of-these-gpg-signatures-are-signed-with-sha-1-which-is-vulnerable-to-a-second-preimage-attack-67104d827930
+
+Signed-off-by: Vladimir Sitnikov
+---
+ .../org/gradle/plugins/signing/signatory/pgp/PgpSignatory.java | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/subprojects/signing/src/main/java/org/gradle/plugins/signing/signatory/pgp/PgpSignatory.java b/subprojects/signing/src/main/java/org/gradle/plugins/signing/signatory/pgp/PgpSignatory.java
+index 5e022b5b5d077..3e212fe4a93d8 100644
+--- a/subprojects/signing/src/main/java/org/gradle/plugins/signing/signatory/pgp/PgpSignatory.java
++++ b/subprojects/signing/src/main/java/org/gradle/plugins/signing/signatory/pgp/PgpSignatory.java
+@@ -104,7 +104,7 @@ private void writeSignatureTo(OutputStream signatureDestination, PGPSignature pg
+
+ public PGPSignatureGenerator createSignatureGenerator() {
+ try {
+- PGPSignatureGenerator generator = new PGPSignatureGenerator(new BcPGPContentSignerBuilder(secretKey.getPublicKey().getAlgorithm(), PGPUtil.SHA1));
++ PGPSignatureGenerator generator = new PGPSignatureGenerator(new BcPGPContentSignerBuilder(secretKey.getPublicKey().getAlgorithm(), PGPUtil.SHA512));
+ generator.init(PGPSignature.BINARY_DOCUMENT, privateKey);
+ return generator;
+ } catch (PGPException e) {
diff --git a/gradle.spec b/gradle.spec
index 0f09e35..657fe7c 100644
--- a/gradle.spec
+++ b/gradle.spec
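Review bot: The digest in `createSignatureGenerator()` is now a hard-coded `PGPUtil.SHA512` with no comment saying why, and the backported patch carries no test that pins it, so a later refactor could quietly reintroduce a weak digest. I would add a comment above the constructor call, `// SHA-512 on purpose: PGP signs the digest, so a weak hash such as SHA-1 weakens the signature (CVE-2019-16370)`. A regression check that a signature produced by this generator reports `PGPUtil.SHA512` from `PGPSignature.getHashAlgorithm()` would guard the fix. The method body runs past the end of the inner hunk (the `catch` block is cut off), so error handling is not reviewed here.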
@@ -1,7 +1,7 @@
 %bcond_with bootstrap
 Name: gradle
 Version: 4.4.1
-Release: 1
+Release: 2
 Summary: Build automation tool
 License: ASL 2.0
 URL: http://www.gradle.org/
@@ -40,6 +40,7 @@ Patch0015: 0015-Disable-docs-build.patch
 Patch0016: 0016-Port-to-guava-20.0.patch
 Patch0017: 0017-Set-core-api-source-level-to-8.patch
 Patch0018: 0018-Use-HTTPS-for-GoogleAPIs-repository.patch
+Patch0019: CVE-2019-16370.patch
 BuildRequires: git
 %if %{with bootstrap}
 BuildRequires: groovy >= 2.3 javapackages-local
@@ -237,6 +238,9 @@ install -p -m 644 man/gradle.1 %{buildroot}%{_mandir}/man1/gradle.1
 %license LICENSE NOTICE
 %changelog
+* Tue Jul 27 2021 liwu - 4.4.1-2
+- fix CVE-2019-16370
+
 * Fri Sep 4 2020 chengzihan - 4.4.1-1
 - upgrade to 4.4.1-1
-- 
Gitee
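Review bot: `Patch0019: CVE-2019-16370.patch` is declared in the second hunk, but no hunk in this commit touches `%prep`, so it is not visible here whether the patch is actually applied at build time. If `%prep` uses `%autosetup` (the `BuildRequires: git` context line hints at a git-based setup), the new tag is picked up automatically. If the patches are applied one by one, a matching `%patch` line for patch 19 is needed; without it the package would still sign with SHA-1 while the changelog entry claims the CVE is fixed. Confirming in a build log that the patch is applied would settle it.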