gradle_6: mark very insecure (161e9a32) · Commits · nix / nixpkgs

pkgs/development/tools/build-managers/gradle/default.nix

+12 −2

Original line number	Diff line number	Diff line
		@@ -23,7 +23,11 @@ rec {
		"x86_64-darwin"
		"x86_64-linux"
		"x86_64-windows"
		]
		],

		# Extra attributes to be merged into the resulting derivation's
		# meta attribute.
		meta ? {}
		}:

		{ lib
		@@ -172,7 +176,7 @@ rec {
		license = licenses.asl20;
		maintainers = with maintainers; [ lorenzleutgeb liff ];
		mainProgram = "gradle";
		};
		} // meta;
		});

		# NOTE: Default JDKs that are hardcoded below must be LTS versions
		@@ -195,6 +199,12 @@ rec {
		version = "6.9.4";
		hash = "sha256-PiQCKFON6fGHcqV06ZoLqVnoPW7zUQFDgazZYxeBOJo=";
		defaultJava = jdk11;
		meta.knownVulnerabilities = [
		"CVE-2021-29429: '[...]files created with open permissions in the system temporary directory can allow an attacker to access information downloaded by Gradle[...]'"
		"CVE-2021-29427: '[...]there is a vulnerability which can lead to information disclosure and/or dependency poisoning[...] In some cases, Gradle may ignore content filters and search all repositories for dependencies. This only occurs when repository content filtering is used from within a `pluginManagement` block in a settings file.'"
		"CVE-2021-29428: '[...]the system temporary directory can be created with open permissions that allow multiple users to create and delete files within it. Gradle builds could be vulnerable to a local privilege escalation from an attacker quickly deleting and recreating files in the system temporary directory.'"
		"CVE-2021-32751: '[...]start scripts generated by the `application` plugin and the `gradlew` script are both vulnerable to arbitrary code execution when an attacker is able to change environment variables for the user running the script[...]'"
		];
		};

		wrapGradle = {