Bug 1184799 (CVE-2021-29429) - VUL-1: CVE-2021-29429: gradle: information disclosure through temporary directory permissions
Status: RESOLVED FIXED
Alias: CVE-2021-29429
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium; Severity: Normal
Target Milestone: ---
Assignee: Gus Kenion
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/281701/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-29429:4.0:(AV:...
Reported: 2021-04-15 11:55 UTC by Robert Frohl
Modified: 2024-04-24 21:02 UTC

Found By: Security Response Team
Description Robert Frohl 2021-04-15 11:55:58 UTC
rh#1949636

In Gradle before version 7.0, files created with open permissions in the system temporary directory can allow an attacker to access information downloaded by Gradle. Some builds could be vulnerable to a local information disclosure. Remote files accessed through TextResourceFactory are downloaded into the system temporary directory first. Sensitive information contained in these files can be exposed to other local users on the same system. If you do not use the `TextResourceFactory` API, you are not vulnerable. As of Gradle 7.0, uses of the system temporary directory have been moved to the Gradle User Home directory. By default, this directory is restricted to the user running the build. As a workaround, set a more restrictive umask that removes read access to other users. When files are created in the system temporary directory, they will not be accessible to other users. If you are unable to change your system's umask, you can move the Java temporary directory by setting the System Property `java.io.tmpdir`. The new path needs to limit permissions to the build user only.

Reference:
https://github.com/gradle/gradle/security/advisories/GHSA-fp8h-qmr5-j4c8

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1949636
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-29429
https://github.com/gradle/gradle/security/advisories/GHSA-fp8h-qmr5-j4c8
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29429
https://docs.gradle.org/7.0/release-notes.html#security-advisories
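
The two workarounds in the description above (a restrictive umask, and a build-user-only directory for `java.io.tmpdir`), as an added shell example that is not part of the bug report or of Gradle's code. The function names, the `gradle-tmp` directory and the sample file contents are hypothetical.

```shell
#!/bin/sh
# Added example; function names and directory names are hypothetical.

# Print regular files under $1, owned by the current user, that group or other can read.
exposed_files() {
    find "$1" -type f -user "$(id -u)" \( -perm -040 -o -perm -004 \) 2>/dev/null
}

# Create file $3 in directory $2 under umask $1, as a build process
# inheriting that umask would when it stores a downloaded resource.
write_with_umask() {
    ( umask "$1" && printf 'token=constructed-sample\n' > "$2/$3" )
}

# Create or validate a directory only the build user can access, then print
# the JVM flag that points java.io.tmpdir at it. Fails instead of fixing
# permissions silently, so a misconfigured path is noticed.
private_tmpdir_flag() {
    dir=$1
    if [ -L "$dir" ]; then echo "refusing symlink: $dir" >&2; return 1; fi
    if [ ! -e "$dir" ]; then
        ( umask 077 && mkdir "$dir" ) || return 1
    fi
    if [ ! -d "$dir" ] || [ ! -O "$dir" ]; then
        echo "not a directory owned by this user: $dir" >&2; return 1
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    bits=$(ls -ld "$dir" | cut -c5-10)
    if [ "$bits" != "------" ]; then
        echo "group/other access on $dir: $bits" >&2; return 1
    fi
    printf '%s\n' "-Djava.io.tmpdir=$dir"
}

# Demo on a scratch directory (constructed input, removed afterwards).
scratch=$(mktemp -d)
write_with_umask 022 "$scratch" default.txt      # common default: readable by others
write_with_umask 077 "$scratch" restricted.txt   # workaround: owner-only
echo "exposed: $(exposed_files "$scratch")"
private_tmpdir_flag "$scratch/gradle-tmp"
rm -rf "$scratch"
```

The printed flag is standard JVM syntax for setting a system property; it has to reach the JVM that actually runs the build for the workaround to take effect.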
Comment 1 Robert Frohl 2021-04-15 12:00:18 UTC
@Fridrich: I can't find an official maintainer for gradle. I will assign the bugs to you for now. Let me know if this is wrong.
Comment 2 Robert Frohl 2021-04-15 13:04:44 UTC
tracking as affected:

- SUSE:SLE-15-SP2:Update/gradle

includes openSUSE:Factory too
Comment 3 Cathy Hu 2022-08-16 13:24:42 UTC
Reassigning to coldpool
Comment 4 Petr Gajdos 2022-08-23 10:54:16 UTC
15sp2/gradle has the same version as Factory/gradle so in case 15sp2/gradle is affected then Factory/gradle has the issue as well.

Adding maintainers of Java:packages, the package itself does not have a maintainer defined.
Comment 10 Petr Gajdos 2023-04-28 10:07:19 UTC
(In reply to Robert Frohl from comment #0)
> in these files can be exposed to other local users on the same system. If
> you do not use the `TextResourceFactory` API, you are not vulnerable. As of


https://docs.gradle.org/7.3/javadoc/org/gradle/api/resources/TextResourceFactory.html

vs.

https://docs.gradle.org/4.4.1/javadoc/org/gradle/api/resources/TextResourceFactory.html
https://docs.gradle.org/4.4.1/dsl/org.gradle.api.resources.TextResourceFactory.html

TextResourceFactory is @Incubating:
https://docs.gradle.org/4.4.1/userguide/feature_lifecycle.html

I am unsure whether we have to deal with @Incubating interfaces.
Comment 13 Maintenance Automation 2024-04-05 12:30:02 UTC
SUSE-SU-2024:1119-1: An update that solves two vulnerabilities can now be installed.

Category: security (important)
Bug References: 1145903, 1184799
CVE References: CVE-2019-15052, CVE-2021-29429
Maintenance Incident: [SUSE:Maintenance:32934](https://smelt.suse.de/incident/32934/)
Sources used:
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src):
 gradle-4.4.1-150200.3.15.1
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src):
 gradle-4.4.1-150200.3.15.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src):
 gradle-4.4.1-150200.3.15.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src):
 gradle-4.4.1-150200.3.15.1
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src):
 gradle-4.4.1-150200.3.15.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src):
 gradle-4.4.1-150200.3.15.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src):
 gradle-4.4.1-150200.3.15.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src):
 gradle-4.4.1-150200.3.15.1
SUSE Enterprise Storage 7.1 (src):
 gradle-4.4.1-150200.3.15.1
openSUSE Leap 15.5 (src):
 gradle-4.4.1-150200.3.15.1, gradle-bootstrap-4.4.1-150200.3.9.1
Development Tools Module 15-SP5 (src):
 gradle-4.4.1-150200.3.15.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src):
 gradle-4.4.1-150200.3.15.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src):
 gradle-4.4.1-150200.3.15.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src):
 gradle-4.4.1-150200.3.15.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Gus Kenion 2024-04-24 21:02:40 UTC
This vulnerability has been addressed in an update; please see previous comment.