Bug | Resolution: Fixed | Priority: P4 | Fix Version: jfx17 | generic | generic
Any system that builds an OpenJFX pull request can be compromised by malicious code hidden inside the Gradle Wrapper JAR file. See the following page for details:
Gradle Wrapper Validation Action
https://github.com/gradle/wrapper-validation-action
SYSTEM / OS / JAVA RUNTIME INFORMATION
My particular system is Ubuntu 20.04 LTS with OpenJDK 11.
------------------------------------------------------------------------
$ uname -srm
Linux 5.4.0-66-generic x86_64
$ getconf GNU_LIBC_VERSION
glibc 2.31
$ java --version
openjdk 11.0.10 2021-01-19
OpenJDK Runtime Environment (build 11.0.10+9-Ubuntu-0ubuntu1.20.04)
OpenJDK 64-Bit Server VM (build 11.0.10+9-Ubuntu-0ubuntu1.20.04, mixed mode, sharing)
------------------------------------------------------------------------
STEPS TO REPRODUCE
Create a pull request with a tampered Gradle Wrapper.
EXPECTED RESULTS
The tampered Gradle Wrapper is detected and the JavaFX pre-submit tests on GitHub fail.
ACTUAL RESULT
The tampered Gradle Wrapper goes undetected.
SOURCE CODE FOR AN EXECUTABLE TEST CASE
I modified the current Gradle Wrapper JAR file with the command:
------------------------------------------------------------------------
$ strip-nondeterminism -v gradle-wrapper.jar
strip-nondeterminism: Not using a canonical time
strip-nondeterminism: Using normalizers:
bflt cpio gettext gzip jar javadoc javaproperties jmod png uimage zip
Normalizing gradle-wrapper.jar
------------------------------------------------------------------------
WORKAROUND
The workaround is to check every pull request for the file 'gradle/wrapper/gradle-wrapper.jar' and manually verify its checksum before building the branch. The checksums are listed on the following page:
Gradle distribution and wrapper JAR checksum reference
https://gradle.org/release-checksums/
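The manual workaround above (verify the SHA-256 of gradle/wrapper/gradle-wrapper.jar against the published list before building) as a shell pre-build check. This is an added example, not part of the bug report or of OpenJFX; it assumes a local allow-list file, named gradle-wrapper-jar.sha256 here, holding one known-good hex SHA-256 per line copied from the Gradle checksum page, and it exits non-zero so a CI step can refuse to build the branch:

```shell
#!/bin/sh
# Added example (not from the report): refuse to build when the wrapper JAR in a
# pull request does not match any published Gradle wrapper checksum.
# Exit status: 0 = checksum known, 1 = unknown (possibly tampered), 2 = usage error.

sha256_of() {
    # Portable SHA-256: GNU coreutils sha256sum first, then BSD/macOS shasum.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

verify_wrapper_jar() {
    jar="$1"        # e.g. gradle/wrapper/gradle-wrapper.jar from the PR checkout
    allowlist="$2"  # assumed file: one lowercase hex SHA-256 per line, optional comment
    [ -f "$jar" ] && [ -f "$allowlist" ] || return 2
    actual=$(sha256_of "$jar")
    # The hash must start a line and be followed by whitespace or end of line,
    # so a prefix of a longer hex string never matches.
    if grep -i -E -q "^${actual}([[:space:]]|$)" "$allowlist"; then
        echo "OK: $jar matches a published wrapper checksum ($actual)"
        return 0
    fi
    echo "FAIL: $jar has unknown checksum $actual; do not build this branch" >&2
    return 1
}

# Typical use as a pre-build step on the pull request branch:
# verify_wrapper_jar gradle/wrapper/gradle-wrapper.jar gradle-wrapper-jar.sha256 || exit 1
```

Any byte-level change to the JAR, including the metadata normalisation the report uses to produce its tampered wrapper, changes the SHA-256 and is rejected; on GitHub-hosted builds the Gradle Wrapper Validation Action linked above performs the same comparison automatically.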
Relates to:
- JDK-8264010 Add Gradle dependency verification (Resolved)
- JDK-8262236 Configure Gradle checksum verification (Resolved)