pyrox.dev
gradle_6: mark very insecure (#352236)
+12
-2
pkgs/development/tools/build-managers/gradle/default.nix
+12
-2
pkgs/development/tools/build-managers/gradle/default.nix
···
23
23
"x86_64-darwin"
24
24
"x86_64-linux"
25
25
"x86_64-windows"
26
-
]
26
+
],
27
+
28
+
# Extra attributes to be merged into the resulting derivation's
29
+
# meta attribute.
30
+
meta ? {}
27
31
}:
28
32
29
33
{ lib
···
172
176
license = licenses.asl20;
173
177
maintainers = with maintainers; [ lorenzleutgeb liff ];
174
178
mainProgram = "gradle";
175
-
};
179
+
} // meta;
176
180
});
177
181
178
182
# NOTE: Default JDKs that are hardcoded below must be LTS versions
···
195
199
version = "6.9.4";
196
200
hash = "sha256-PiQCKFON6fGHcqV06ZoLqVnoPW7zUQFDgazZYxeBOJo=";
197
201
defaultJava = jdk11;
202
+
meta.knownVulnerabilities = [
203
+
"CVE-2021-29429: '[...]files created with open permissions in the system temporary directory can allow an attacker to access information downloaded by Gradle[...]'"
204
+
"CVE-2021-29427: '[...]there is a vulnerability which can lead to information disclosure and/or dependency poisoning[...] In some cases, Gradle may ignore content filters and search all repositories for dependencies. This only occurs when repository content filtering is used from within a `pluginManagement` block in a settings file.'"
205
+
"CVE-2021-29428: '[...]the system temporary directory can be created with open permissions that allow multiple users to create and delete files within it. Gradle builds could be vulnerable to a local privilege escalation from an attacker quickly deleting and recreating files in the system temporary directory.'"
206
+
"CVE-2021-32751: '[...]start scripts generated by the `application` plugin and the `gradlew` script are both vulnerable to arbitrary code execution when an attacker is able to change environment variables for the user running the script[...]'"
207
+
];
198
208
};
199
209
200
210
wrapGradle = {