Type: Bug
Resolution: Fixed
Priority: P4
Version: jfx17
OS: generic
CPU: generic
Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build
---|---|---|---|---|---|---
JDK-8272841 | jfx11.0.13 | Ambarish Rapte | P4 | Resolved | Fixed | 
The Gradle Wrapper can verify the downloaded distribution with a SHA-256 hash sum comparison, but the Wrapper in the OpenJFX repository is not configured to do so. See the section "Verification of downloaded Gradle distributions" in the Gradle user guide chapter "The Gradle Wrapper": https://docs.gradle.org/current/userguide/gradle_wrapper.html
SYSTEM / OS / JAVA RUNTIME INFORMATION
My particular system is Ubuntu 20.04.2 LTS with OpenJDK 11.
------------------------------------------------------------------------
$ uname -srm
Linux 5.4.0-65-generic x86_64
$ getconf GNU_LIBC_VERSION
glibc 2.31
$ java --version
openjdk 11.0.10 2021-01-19
OpenJDK Runtime Environment (build 11.0.10+9-Ubuntu-0ubuntu1.20.04)
OpenJDK 64-Bit Server VM (build 11.0.10+9-Ubuntu-0ubuntu1.20.04, mixed mode, sharing)
------------------------------------------------------------------------
STEPS TO REPRODUCE
Simulate a tampered Gradle distribution by modifying the 'gradle-6.3-bin.zip' file. Force the Gradle Wrapper to check the downloaded file by removing the 'gradle-6.3-bin.zip.ok' file.
These files are found under my home directory in the locations shown below:
------------------------------------------------------------------------
$ find .gradle -name "gradle-6.3-bin.zip*" | sort
.gradle/wrapper/dists/gradle-6.3-bin/8tpu6egwsccjzp10c1jckl0rx/gradle-6.3-bin.zip
.gradle/wrapper/dists/gradle-6.3-bin/8tpu6egwsccjzp10c1jckl0rx/gradle-6.3-bin.zip.lck
.gradle/wrapper/dists/gradle-6.3-bin/8tpu6egwsccjzp10c1jckl0rx/gradle-6.3-bin.zip.ok
------------------------------------------------------------------------
I modified the JAR file without corrupting its archive by changing the sixth byte from '0x00' to '0x01' with the 'hexedit' program as follows:
------------------------------------------------------------------------
Before: 50 4B 03 04 0A 00 00 08 ...
After: 50 4B 03 04 0A 01 00 08 ...
------------------------------------------------------------------------
EXPECTED RESULTS
A tampered Gradle 6.3 distribution is detected:
------------------------------------------------------------------------
$ bash gradlew --version
Deleting directory /home/ubuntu/.gradle/wrapper/dists/gradle-6.3-bin/8tpu6egwsccjzp10c1jckl0rx/gradle-6.3
Verification of Gradle distribution failed!
Your Gradle distribution may have been tampered with.
Confirm that the 'distributionSha256Sum' property in your gradle-wrapper.properties
file is correct and you are downloading the wrapper from a trusted source.
Distribution Url: https://services.gradle.org/distributions/gradle-6.3-bin.zip
Download Location: /home/ubuntu/.gradle/wrapper/dists/gradle-6.3-bin/8tpu6egwsccjzp10c1jckl0rx/gradle-6.3-bin.zip
Expected checksum: '038794feef1f4745c6347107b6726279d1c824f3fc634b60f86ace1e9fbd1768'
Actual checksum: '74a13e00995b49b2e7b1888818c24cd79f333dc12b21e07952796fc8b18e070f'
------------------------------------------------------------------------
ACTUAL RESULT
A tampered Gradle 6.3 distribution is not detected:
------------------------------------------------------------------------
$ bash gradlew --version
Deleting directory /home/ubuntu/.gradle/wrapper/dists/gradle-6.3-bin/8tpu6egwsccjzp10c1jckl0rx/gradle-6.3
------------------------------------------------------------
Gradle 6.3
------------------------------------------------------------
Build time: 2020-03-24 19:52:07 UTC
Revision: bacd40b727b0130eeac8855ae3f9fd9a0b207c60
Kotlin: 1.3.70
Groovy: 2.5.10
Ant: Apache Ant(TM) version 1.10.7 compiled on September 1 2019
JVM: 11.0.10 (Ubuntu 11.0.10+9-Ubuntu-0ubuntu1.20.04)
OS: Linux 5.4.0-65-generic amd64
------------------------------------------------------------------------
SOURCE CODE FOR AN EXECUTABLE TEST CASE
None.
WORKAROUND
To work around the problem, you could download the Gradle 6.3 distribution, verify its checksum manually, and use that instead of the Gradle Wrapper.
You could also manually verify the distribution archive that was downloaded by the Gradle Wrapper, but that may be after it has already extracted and run the distribution.
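To make the missing check concrete, the following shell script is an added example written for this page; it is not code from the OpenJFX repository, from the Gradle Wrapper or from the reporter. It re-implements what the Wrapper does only when distributionSha256Sum is present: read the pinned hash from gradle-wrapper.properties, hash the downloaded archive with sha256sum, and refuse to continue on a mismatch, while a properties file with no pin is reported as unverified rather than silently accepted. Everything it operates on is constructed inline: a 14-byte stand-in for gradle-6.3-bin.zip that starts with the eight header bytes quoted in the report, a weak gradle-wrapper.properties with no checksum (the state of the OpenJFX wrapper this bug describes) and a hardened one with the checksum pinned. The function names, file names and temporary directory are the example's own assumptions.

```shell
#!/bin/sh
# Added example for this page: a stand-alone re-implementation of the
# Wrapper's distributionSha256Sum check. Not code from OpenJFX or Gradle.

sha256_of() {
    # Print the hex SHA-256 of file "$1" (coreutils sha256sum, or shasum on BSD/macOS).
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d ' ' -f 1
    else
        shasum -a 256 "$1" | cut -d ' ' -f 1
    fi
}

expected_sha256() {
    # Print the distributionSha256Sum pinned in gradle-wrapper.properties "$1".
    # Prints nothing when the property is absent, which is exactly the case
    # in which the real Wrapper skips verification.
    sed -n 's/^distributionSha256Sum=//p' "$1" | tr -d '[:space:]'
}

verify_distribution() {
    # $1 = gradle-wrapper.properties, $2 = downloaded distribution archive.
    # Exit status: 0 = checksum matches, 1 = mismatch, 2 = nothing pinned.
    expected=$(expected_sha256 "$1")
    if [ -z "$expected" ]; then
        echo "WARNING: no distributionSha256Sum in $1; $2 is NOT verified" >&2
        return 2
    fi
    actual=$(sha256_of "$2")
    if [ "$actual" != "$expected" ]; then
        echo "Verification of Gradle distribution failed!" >&2
        echo "Expected checksum: '$expected'" >&2
        echo "Actual checksum:   '$actual'" >&2
        return 1
    fi
    return 0
}

sixth_byte() {
    # Print byte 6 of "$1" (offset 5) as two hex digits, e.g. "00" or "01".
    od -An -tx1 -j5 -N1 "$1" | tr -d ' \n'
}

tamper_sixth_byte() {
    # Reproduce the report's edit: overwrite byte 6 with 0x01 in place,
    # leaving the file size and the rest of the archive unchanged.
    printf '\001' | dd of="$1" bs=1 seek=5 count=1 conv=notrunc 2>/dev/null
}

demo_results() {
    # Run the check against constructed files and print, space-separated:
    # status with no pin, status when pinned and intact, status when pinned
    # and tampered, byte 6 before tampering, byte 6 after tampering.
    dir=$(mktemp -d)
    archive="$dir/gradle-6.3-bin.zip"
    # Constructed stand-in for the distribution: the first eight bytes quoted
    # in the report (a ZIP local file header) plus filler; not a real archive.
    printf 'PK\003\004\012\000\000\010filler' > "$archive"
    # Weak configuration: no checksum, as in the OpenJFX wrapper before the fix.
    printf 'distributionUrl=https\\://services.gradle.org/distributions/gradle-6.3-bin.zip\n' \
        > "$dir/weak.properties"
    # Hardened configuration: the same plus the hash of the known-good archive.
    { cat "$dir/weak.properties"
      printf 'distributionSha256Sum=%s\n' "$(sha256_of "$archive")"; } > "$dir/pinned.properties"

    rc_none=0;   verify_distribution "$dir/weak.properties"   "$archive" 2>/dev/null || rc_none=$?
    rc_intact=0; verify_distribution "$dir/pinned.properties" "$archive" 2>/dev/null || rc_intact=$?
    before=$(sixth_byte "$archive")
    tamper_sixth_byte "$archive"
    after=$(sixth_byte "$archive")
    rc_tamper=0; verify_distribution "$dir/pinned.properties" "$archive" 2>/dev/null || rc_tamper=$?
    rm -rf "$dir"
    echo "$rc_none $rc_intact $rc_tamper $before $after"
}

demo_results   # prints: 2 0 1 00 01
```

In the demo the pinned value is computed from the known-good stand-in only because there is no network; for a real distribution the value to put in distributionSha256Sum is the SHA-256 that Gradle publishes for that release (https://gradle.org/release-checksums/). Hashing the archive the Wrapper has already downloaded and pinning that hash verifies the download against itself and defeats the purpose. Note also that, as the reproduction steps show, the Wrapper re-checks only when the '.ok' marker is absent, so a pinned checksum protects first downloads and re-downloads, not a cache that was already extracted before the pin was added.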
- backported by
  - JDK-8272841 Configure Gradle checksum verification (Resolved)
- relates to
  - JDK-8263204 Add Gradle Wrapper Validation Action (Resolved)
  - JDK-8264010 Add Gradle dependency verification (Resolved)
- links to
  - Commit openjdk/jfx11u/80c06708
  - Commit openjdk/jfx/dc342d33
  - Review openjdk/jfx11u/49
  - Review openjdk/jfx/411