Re: [platform-dev] backporting and building?
Hi Tony,
> I hadn’t tried just replacing org.apache.ant 1.10.7 with 1.10.8 in the
> product after the build was complete.
> I guess that approach should work, is that what you mean?
Yes, that's essentially what I mean. There are different options you
could check:
1) Your product does not really need ant but pulls it in as a transitive
dependency -> you can simply delete the ant.jar after the build
2) Your product does not need ant, but some module references it for code
you never run -> you can delete the ant.jar and patch the manifest of
the requiring bundle to have only an optional dependency on ant
3) Ant is an essential part of your product -> you could replace the
ant.jar and patch the manifest headers of the references
All this will happen AFTER the actual build process is done.
Besides this, you should make some kind of risk analysis of whether your product
is really affected by this vulnerability. The CVE describes a (in my
opinion) relatively hypothetical scenario:
1) You must run your app on a shared host with untrusted clients
2) All clients share the same temp dir and have unlimited access to all
files placed there
3) Builds run on a regular basis and the kind of builds allows an
attacker to actually inject usable code parts
IMO the easiest way, if someone suspects this is a valid attack vector
(independent of ant or whatever tooling), is to configure default temp
directories to reside in a user-protected area. The same is true for
(possibly) any shared area, e.g. the maven repository cache and so on...
On 09.06.20 at 02:19, Homer, Tony wrote:
Hi Christoph-
Honestly, I hadn't thought of that.
I was trying to patch the build and I got an error:
[ERROR] Missing requirement: org.eclipse.platform.feature.group 4.15.0.v20200305-0155 requires 'org.eclipse.equinox.p2.iu; org.apache.ant [1.10.7.v20190926-0324,1.10.7.v20190926-0324]' but it could not be found
I hadn’t tried just replacing org.apache.ant 1.10.7 with 1.10.8 in the product after the build was complete.
I guess that approach should work, is that what you mean?
I'll give it a try, thanks!
Tony
On 6/7/20 , 9:18 PM, "platform-dev-bounces@xxxxxxxxxxx on behalf of Christoph Läubrich" <platform-dev-bounces@xxxxxxxxxxx on behalf of laeubi@xxxxxxxxxxxxxx> wrote:
Just wondering:
You wrote that you are having a RCP application, won't it be easier to
simply patch the ant version in your final product?
On 07.06.20 at 16:44, Homer, Tony wrote:
> Hi Dani-
>
> Thanks for responding.
>
> Yes, updating to Ant 1.10.8 mitigates
> https://nvd.nist.gov/vuln/detail/CVE-2020-1945, which is what I need to do.
>
> Tony Homer
>
> *From: *<platform-dev-bounces@xxxxxxxxxxx> on behalf of Daniel Megert
> <daniel_megert@xxxxxxxxxx>
> *Reply-To: *"Eclipse platform general developers list."
> <platform-dev@xxxxxxxxxxx>
> *Date: *Sunday, June 7, 2020 at 1:23 AM
> *To: *"Eclipse platform general developers list." <platform-dev@xxxxxxxxxxx>
> *Subject: *Re: [platform-dev] backporting and building?
>
> Hi Tony
>
> That commit only changes the Ant version in a test class. Is this really
> what you want to backport?
>
> Dani
>
>
>
> From: "Homer, Tony" <tony.homer@xxxxxxxxx>
> To: "platform-dev@xxxxxxxxxxx" <platform-dev@xxxxxxxxxxx>
> Date: 06.06.2020 22:51
> Subject: [EXTERNAL] [platform-dev] backporting and building?
> Sent by: platform-dev-bounces@xxxxxxxxxxx
>
> ------------------------------------------------------------------------
>
> I have an RCP product that is currently building against 4.15 and due to
> release timing I cannot update to 4.16 until after the current release
> cycle.
>
> I’d like to backport this fix to 4.15:
>
> https://git.eclipse.org/c/platform/eclipse.platform.git/commit/?id=4a27c8ad20b921af8df9731037aa756d70d6875f
>
> Applying the patch is no problem, but I’ve never built platform before.
>
> I’m not sure if I need to check out all the repos or can just checkout
> one of them.
>
> I’m not sure what build command to use.
>
> I looked for instructions, but there are none listed on the developer
> resources page:
>
> https://projects.eclipse.org/projects/eclipse.platform/developer
>
> I also looked at ci and it helped with the build command, but I couldn’t
> work out what I need to do to setup my environment:
>
> https://ci.eclipse.org/linuxtools/job/linuxtools-master/142/console
>
> Is there a doc that explains which repos to checkout and what build
> command to use?
>
> Thanks!
>
> Tony Homer
> _______________________________________________
> platform-dev mailing list
> platform-dev@xxxxxxxxxxx
> To unsubscribe from this list, visit
> https://www.eclipse.org/mailman/listinfo/platform-dev
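Option 2 in Christoph's reply at the top of this thread (delete ant.jar and patch the requiring bundle's manifest so its Ant dependency is optional) as an added example, not code from the thread or from the Eclipse project: it unfolds a MANIFEST.MF, lists the Require-Bundle clauses naming org.apache.ant, adds resolution:=optional to them, and re-folds the result. The sample manifest, bundle name and version range are constructed, and only Require-Bundle is handled, not Import-Package.

```python
# Added example, not code from the thread; the sample manifest below is constructed.
import re
# A bundle that requires Ant only for code the product never runs (option 2 above).
SAMPLE_MANIFEST = (
    "Manifest-Version: 1.0\r\n"
    "Bundle-SymbolicName: com.example.tool;singleton:=true\r\n"
    'Require-Bundle: org.eclipse.core.runtime;bundle-version="3.17.0",\r\n'
    ' org.apache.ant;bundle-version="[1.10.7,1.10.7]",\r\n'
    " org.eclipse.core.resources\r\n"
)

def parse_manifest(text):
    """Unfold continuation lines (leading space) into a header -> value dict."""
    headers, last = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and last:
            headers[last] += line[1:]
        elif line.strip():
            last, _, value = line.partition(":")
            headers[last] = value.strip()
    return headers

def split_clauses(value):
    """Split on top-level commas only; "[1.10.7,1.10.7]" must stay one clause."""
    return [c.strip() for c in re.findall(r'(?:[^,"]|"[^"]*")+', value)]

def ant_clauses(headers):
    """Require-Bundle clauses naming org.apache.ant: review these before patching."""
    return [c for c in split_clauses(headers.get("Require-Bundle", ""))
            if c.split(";")[0] == "org.apache.ant"]

def make_ant_optional(headers):
    """Copy of headers whose Ant clauses carry resolution:=optional, so the
    bundle still resolves once ant.jar is deleted from the product."""
    clauses = []
    for c in split_clauses(headers.get("Require-Bundle", "")):
        if c in ant_clauses(headers) and "resolution:=optional" not in c:
            c += ";resolution:=optional"
        clauses.append(c)
    return {**headers, "Require-Bundle": ",".join(clauses)}

def render_manifest(headers):
    """Serialize to MANIFEST.MF, folding at 72 bytes as the JAR spec requires."""
    out = []
    for name, value in headers.items():
        line = f"{name}: {value}"
        while len(line) > 72:
            out.append(line[:72])
            line = " " + line[72:]
        out.append(line)
    return "\r\n".join(out) + "\r\n"
```

Run ant_clauses over every bundle in the product's plugins directory first; a bundle with a mandatory Ant requirement that you did not expect is the signal that option 3 rather than option 2 applies.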