
Upgrade gradle to fix security vulnerabilities #138336

Closed
2 tasks done
ZorinFoss opened this issue Nov 13, 2023 · 4 comments
Assignees
Labels
c: proposal A detailed proposal for a change to Flutter infra: security Security-related infra issues P1 High-priority issues at the top of the work list platform-android Android applications specifically r: fixed Issue is closed as already fixed in a newer version t: gradle "flutter build" and "flutter run" on Android team-android Owned by Android platform team tool Affects the "flutter" command-line tool. See also t: labels. triaged-android Triaged by Android platform team

Comments

@ZorinFoss

Is there an existing issue for this?

Use case

Hi,

The current Gradle version in Flutter v3.13.9 is 7.6.1, which contains security vulnerabilities.

Proposal

Upgrade Gradle to v7.6.3, or even v8.4 if possible.

@danagbemava-nc danagbemava-nc added in triage Presently being triaged by the triage team platform-android Android applications specifically tool Affects the "flutter" command-line tool. See also t: labels. t: gradle "flutter build" and "flutter run" on Android c: proposal A detailed proposal for a change to Flutter team-android Owned by Android platform team and removed in triage Presently being triaged by the triage team labels Nov 13, 2023
@reidbaker
Contributor

Can you elaborate on the security risk so we can understand the urgency?

@reidbaker reidbaker added the infra: security Security-related infra issues label Nov 13, 2023
@ZorinFoss
Author

Gradle v7.6.3

fixes these security vulnerabilities:

Incorrect permission assignment for symlinked files used in copy or archiving operations
Possible local text file exfiltration by XML External entity injection

It also fixes the following issues:

gradle/gradle#25781 Backport finalized task performance fix to 7.6.x
gradle/gradle#25802 Backport cgroups fix to 7.6.x

Gradle v7.6.2

fixes these security vulnerabilities:

Dependency cache path traversal
Path traversal vulnerabilities in handling of Tar archives

It also fixes the following issues:

gradle/gradle#23201 Backport dependency upgrades to 7.x
gradle/gradle#23202 Backport Scala incremental compilation fixes
gradle/gradle#23325 Backport JSoup update to resolve GHSA-gp7f-rwcx-9369
gradle/gradle#23458 Backport JUnit5 dynamic test logging bug fix
gradle/gradle#23681 Dependency graph resolution: Equivalent excludes can cause un-necessary graph mutations [backport 7.x]
gradle/gradle#23922 Backport "Use Compiler API data for incremental compilation after a failure" to 7.x
gradle/gradle#23951 Exclude rule merging: missing optimization [Backport 7.x]
gradle/gradle#24132 Extending an already resolved configuration no longer works correctly [backport 7.x]
gradle/gradle#24234 7.6.1 breaks gradle-consistent-versions
gradle/gradle#24390 Gradle 7.4 fails on multi release jar's with JDK 19 code
gradle/gradle#24439 Gradle complains about invalid tool chain - picking up the source package location - it should just ignore them [Backport]
gradle/gradle#24443 Maven artifact referenced only in dependency constraints raises IllegalStateException: Corrupt serialized resolution result [backport]
gradle/gradle#24901 Backport fix for test exception that cannot be deserialized to 7.x
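Two of the defect classes listed in the comment above (path traversal in tar entries, and symlinked entries that point outside the extraction root) are generic archive-handling bugs. The script below is an added example, not Gradle's or Flutter's code: it builds a small tar archive in memory with one benign entry and three hostile ones, audits every member against a checked extraction root, and extracts only the members that pass. All file names, the `check_member`/`audit_tar`/`safe_extract` helpers and the sample archive are constructed for illustration.

```python
"""Added example, not Gradle's own code: a checked tar extractor that refuses
entries whose path escapes the extraction root and symlinks or hard links
whose target does. The archive is constructed in memory; names are illustrative."""
import io
import os
import tarfile
import tempfile


def build_sample_tar() -> bytes:
    """Constructed sample: one benign file plus three hostile members."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add_file(name: str, data: bytes) -> None:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))

        add_file("app/build.gradle", b"plugins {}\n")
        add_file("../outside.txt", b"escaped via ..\n")   # relative traversal
        add_file("/etc/passwd.bak", b"absolute path\n")  # absolute path
        link = tarfile.TarInfo("app/link")                 # symlink out of root
        link.type = tarfile.SYMTYPE
        link.linkname = "../../secret"
        tar.addfile(link)
    return buf.getvalue()


def _inside(path: str, root: str) -> bool:
    return path == root or path.startswith(root + os.sep)


def check_member(member: tarfile.TarInfo, dest: str) -> tuple[bool, str]:
    """Return (ok, reason). realpath() resolves '..' segments and any
    already-existing symlinked directory under dest before the comparison."""
    root = os.path.realpath(dest)
    if os.path.isabs(member.name):
        return False, "absolute path"
    target = os.path.realpath(os.path.join(root, member.name))
    if not _inside(target, root):
        return False, "path escapes extraction root"
    if member.issym():  # symlink targets are relative to the link's directory
        link_target = os.path.realpath(os.path.join(os.path.dirname(target), member.linkname))
        if not _inside(link_target, root):
            return False, "link target escapes extraction root"
    if member.islnk():  # hard link names are relative to the archive root
        if not _inside(os.path.realpath(os.path.join(root, member.linkname)), root):
            return False, "link target escapes extraction root"
    return True, "ok"


def audit_tar(data: bytes, dest: str) -> tuple[list[str], dict[str, str]]:
    """Classify every member without extracting anything."""
    safe, rejected = [], {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        for member in tar.getmembers():
            ok, reason = check_member(member, dest)
            if ok:
                safe.append(member.name)
            else:
                rejected[member.name] = reason
    return safe, rejected


def safe_extract(data: bytes, dest: str) -> list[str]:
    """Extract only the members that passed the check."""
    safe, _ = audit_tar(data, dest)
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        members = [m for m in tar.getmembers() if m.name in safe]
        # Use the stdlib 'data' filter as a second layer where it exists.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest, members=members, **kwargs)
    return safe


def run_demo() -> tuple[list[str], dict[str, str], bool]:
    """Extract the sample into a fresh directory; report what was kept,
    what was refused, and whether the benign file landed in place."""
    data = build_sample_tar()
    with tempfile.TemporaryDirectory() as dest:
        safe = safe_extract(data, dest)
        _, rejected = audit_tar(data, dest)
        landed = os.path.isfile(os.path.join(dest, "app", "build.gradle"))
    return safe, rejected, landed


if __name__ == "__main__":
    print(run_demo())
```

The check resolves the destination with `realpath` before comparing, so a traversal that goes through a directory symlink created by an earlier entry is caught as well as a plain `../` name. It does not address the separate permission-assignment issue named in the same list.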

@mossmana mossmana added P1 High-priority issues at the top of the work list triaged-android Triaged by Android platform team labels Nov 16, 2023
auto-submit bot pushed a commit that referenced this issue Dec 7, 2023
…139276)

Updates Gradle version for Flutter project templates and integration tests to at least 7.6.3 (changed all of those with versions below it) to fix security vulnerability.

Part of fix for #138336.
auto-submit bot pushed a commit to flutter/packages that referenced this issue Dec 13, 2023
Part of fix for flutter/flutter#138336 by bumping the Gradle version of all package example apps (plus `image_picker_android` plugin) to 7.6.3 from those that had a version below that to fix security vulnerability.

Also fixes a bug I found while using the `update-dependencies` packages tool command that caused it to not catch all of the `gradle-wrapper.properties` files when running with the `gradle` dependency + added a test for the fix.
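The fix commits above bump the `distributionUrl` in every `gradle-wrapper.properties` to at least 7.6.3. The script below is an added example, not Flutter's `update-dependencies` tool: it walks a project tree, parses the Gradle version out of each wrapper file, flags anything below a minimum, and optionally rewrites the URL in place. The sample tree, its paths and the `MIN_GRADLE` constant are constructed for illustration.

```python
"""Added example, not Flutter's tooling: audit every gradle-wrapper.properties
under a directory against a minimum Gradle version and optionally bump the
outdated ones. The project tree is constructed in a temporary directory."""
import os
import re
import tempfile

MIN_GRADLE = (7, 6, 3)  # first 7.6.x release carrying the fixes listed in the thread
WRAPPER_FILE = "gradle-wrapper.properties"
# Matches e.g. distributionUrl=https\://services.gradle.org/distributions/gradle-7.6.1-all.zip
URL_RE = re.compile(
    r"^(distributionUrl=.*?/gradle-)(\d+(?:\.\d+)*)(-(?:bin|all)\.zip.*)$", re.M
)


def parse_version(s: str) -> tuple[int, ...]:
    return tuple(int(p) for p in s.split("."))


def wrapper_version(text: str):
    """Return the Gradle version string in a wrapper file, or None."""
    m = URL_RE.search(text)
    return m.group(2) if m else None


def bump_wrapper(text: str, new: str) -> str:
    """Rewrite only the version segment of distributionUrl."""
    return URL_RE.sub(lambda m: m.group(1) + new + m.group(3), text, count=1)


def find_wrapper_files(root: str):
    for dirpath, _, files in os.walk(root):
        if WRAPPER_FILE in files:
            yield os.path.join(dirpath, WRAPPER_FILE)


def audit_tree(root: str, minimum=MIN_GRADLE, fix: bool = False) -> dict:
    """Map each wrapper file (relative path) to (version, outdated)."""
    report = {}
    for path in find_wrapper_files(root):
        with open(path, encoding="utf-8") as f:
            text = f.read()
        ver = wrapper_version(text)
        outdated = ver is not None and parse_version(ver) < minimum
        if outdated and fix:
            new = ".".join(str(p) for p in minimum)
            with open(path, "w", encoding="utf-8") as f:
                f.write(bump_wrapper(text, new))
        report[os.path.relpath(path, root)] = (ver, outdated)
    return report


def sample_properties(version: str) -> str:
    """Constructed wrapper file in the layout Gradle writes."""
    return (
        "distributionBase=GRADLE_USER_HOME\n"
        "distributionPath=wrapper/dists\n"
        "zipStoreBase=GRADLE_USER_HOME\n"
        "zipStorePath=wrapper/dists\n"
        f"distributionUrl=https\\://services.gradle.org/distributions/gradle-{version}-all.zip\n"
    )


def run_demo() -> tuple[dict, dict]:
    """Constructed tree: an app on 7.6.1 and a plugin example already on 8.4."""
    samples = {
        "android/gradle/wrapper": "7.6.1",
        "packages/image_picker/example/android/gradle/wrapper": "8.4",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, ver in samples.items():
            d = os.path.join(root, rel)
            os.makedirs(d)
            with open(os.path.join(d, WRAPPER_FILE), "w", encoding="utf-8") as f:
                f.write(sample_properties(ver))
        before = audit_tree(root)
        audit_tree(root, fix=True)
        after = audit_tree(root)
    return before, after


if __name__ == "__main__":
    for path, (ver, outdated) in run_demo()[0].items():
        print(f"{path}: {ver} {'OUTDATED' if outdated else 'ok'}")
```

Matching on the `gradle-<version>-(bin|all).zip` tail rather than on a hard-coded host keeps the check working for projects that point the wrapper at an internal mirror, while still ignoring files whose URL does not carry a recognizable version.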
foxtrotravi pushed a commit to foxtrotravi/packages that referenced this issue Dec 14, 2023
@camsim99
Contributor

Fixed by flutter/packages#5522 and #139276!

@danagbemava-nc danagbemava-nc added the r: fixed Issue is closed as already fixed in a newer version label Dec 18, 2023

github-actions bot commented Jan 1, 2024

This thread has been automatically locked since there has not been any recent activity after it was closed. If you are still experiencing a similar issue, please open a new bug, including the output of flutter doctor -v and a minimal reproduction of the issue.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jan 1, 2024