Re: [platform-dev] backporting and building?

Hi Tony,

> I hadn’t tried just replacing org.apache.ant 1.10.7 with 1.10.8 in the
> product after the build was complete.
> I guess that approach should work, is that what you mean?

Yes that's essentially what I mean. There are different options you could check:

1) Your product does not really need ant but pulls it in as a transitive dependency -> you can simply delete the ant.jar after the build
2) Your product does not need ant, but some module references it for code you never run -> you can delete the ant.jar and patch the manifest of the requiring bundle to have only an optional dependency to ant
3) Ant is an essential part of your product -> you could replace the ant.jar, patch manifest headers of references

All this will happen AFTER the actual build process is done.

Beside this you should make some kind of risk-analysis if your product is really affected by this vulnerability. The CVE describes a (in my opinion) relative hypothetical scenario:

1) You must run your app on a shared host with untrusted clients
2) All clients share the same temp-dir and have unlimited access to all files placed there
3) builds run on a regular basis and the kind of builds allows an attacker to actually inject usable code-parts

IMO the easiest way if someone suspects this as a valid attack-vector (independent of ant or whatever tooling) is to configure default temp directories to reside in a user-protected area. The same is true for (possibly) any shared area e.g. maven repository cache and so on...
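The post-build options and the private temp-dir mitigation in the reply above, as an added shell example that is not code from the thread or from the Eclipse project: it audits a built product's plugins directory for an org.apache.ant bundle older than 1.10.8 and creates a mode-0700 directory to use as java.io.tmpdir. The plugins-directory layout, the bundle file naming and the default directory path are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits a built RCP product for the
# org.apache.ant bundle discussed above and prepares a user-private temp dir.
# Assumed: bundles sit in $PRODUCT/plugins as org.apache.ant_<version>.jar
# (or a directory of that name); 1.10.8 is the first fixed Ant version.

# version_ge A B: succeed if dotted version A is at least B. Only the numeric
# components count, so "1.10.7.v20190926-0324" compares as 1.10.7.
version_ge() {
    a="$1" b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        [ "$a" = "$x" ] && a="" || a="${a#*.}"
        [ "$b" = "$y" ] && b="" || b="${b#*.}"
        x="${x%%[!0-9]*}"; y="${y%%[!0-9]*}"   # drop qualifiers like v2019...
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
    done
    return 0
}

# list_old_ant_bundles PRODUCT [FIXED]: print "<bundle> <version>" for every
# org.apache.ant bundle in PRODUCT/plugins older than FIXED (default 1.10.8).
list_old_ant_bundles() {
    fixed="${2:-1.10.8}"
    for entry in "$1"/plugins/org.apache.ant_*; do
        [ -e "$entry" ] || continue            # glob matched nothing
        name="$(basename "$entry" .jar)"
        ver="${name#org.apache.ant_}"
        version_ge "$ver" "$fixed" || echo "$name $ver"
    done
}

# ant_is_fixed PRODUCT: succeed when no old Ant bundle remains (also when the
# product ships no Ant at all, i.e. after option 1 or 2 above).
ant_is_fixed() { [ -z "$(list_old_ant_bundles "$@")" ]; }

# private_tmpdir_arg [DIR]: create a mode-0700 directory owned by the calling
# user and print the -vmargs line for eclipse.ini that moves java.io.tmpdir
# there, so Ant's temp files no longer land in a world-shared /tmp.
private_tmpdir_arg() {
    dir="${1:-$HOME/.cache/rcp-tmp}"           # default path is an assumption
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    printf -- '-Djava.io.tmpdir=%s\n' "$dir"
}

# Usage: ./ant_audit.sh /opt/myproduct
if [ -n "${1:-}" ]; then list_old_ant_bundles "$1"; private_tmpdir_arg; fi
```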
On 09.06.20 at 02:19, Homer, Tony wrote:
Hi Christoph-

Honestly, I hadn't thought of that.

I was trying to patch the build and I got an error:
[ERROR] Missing requirement: org.eclipse.platform.feature.group 4.15.0.v20200305-0155 requires 'org.eclipse.equinox.p2.iu; org.apache.ant [1.10.7.v20190926-0324,1.10.7.v20190926-0324]' but it could not be found

I hadn’t tried just replacing org.apache.ant 1.10.7 with 1.10.8 in the product after the build was complete.
I guess that approach should work, is that what you mean?

I'll give it a try, thanks!
Tony

On 6/7/20, 9:18 PM, "platform-dev-bounces@xxxxxxxxxxx on behalf of Christoph Läubrich" <platform-dev-bounces@xxxxxxxxxxx on behalf of laeubi@xxxxxxxxxxxxxx> wrote:

     Just wondering:

     You wrote that you are having a RCP application, won't it be easier to
     simply patch the ant version in your final product?

     On 07.06.20 at 16:44, Homer, Tony wrote:
     > Hi Dani-
     >
     > Thanks for responding.
     >
     > Yes, updating to Ant 1.10.8 mitigates
     > https://nvd.nist.gov/vuln/detail/CVE-2020-1945, which is what I need to do.
     >
     > Tony Homer
     >
     > *From: *<platform-dev-bounces@xxxxxxxxxxx> on behalf of Daniel Megert
     > <daniel_megert@xxxxxxxxxx>
     > *Reply-To: *"Eclipse platform general developers list."
     > <platform-dev@xxxxxxxxxxx>
     > *Date: *Sunday, June 7, 2020 at 1:23 AM
     > *To: *"Eclipse platform general developers list." <platform-dev@xxxxxxxxxxx>
     > *Subject: *Re: [platform-dev] backporting and building?
     >
     > Hi Tony
     >
     > That commit only changes the Ant version in a test class. Is this really
     > what you want to backport?
     >
     > Dani
     >
     >
     >
     > From: "Homer, Tony" <tony.homer@xxxxxxxxx>
     > To: "platform-dev@xxxxxxxxxxx" <platform-dev@xxxxxxxxxxx>
     > Date: 06.06.2020 22:51
     > Subject: [EXTERNAL] [platform-dev] backporting and building?
     > Sent by: platform-dev-bounces@xxxxxxxxxxx
     >
     > ------------------------------------------------------------------------
     >
     > I have an RCP product that is currently building against 4.15 and due to
     > release timing I cannot update to 4.16 until after the current release
     > cycle.
     >
     > I’d like to backport this fix to 4.15:
     >
     > https://git.eclipse.org/c/platform/eclipse.platform.git/commit/?id=4a27c8ad20b921af8df9731037aa756d70d6875f
     >
     > Applying the patch is no problem, but I’ve never built platform before.
     >
     > I’m not sure if I need to check out all the repos or can just checkout
     > one of them.
     >
     > I’m not sure what build command to use.
     >
     > I looked for instructions, but there are none listed on the developer
     > resources page:
     >
     > https://projects.eclipse.org/projects/eclipse.platform/developer
     >
     > I also looked at ci and it helped with the build command, but I couldn’t
     > work out what I need to do to setup my environment:
     >
     > https://ci.eclipse.org/linuxtools/job/linuxtools-master/142/console
     >
     > Is there a doc that explains which repos to checkout and what build
     > command to use?
     >
     > Thanks!
     >
     > Tony Homer
     > _______________________________________________
     > platform-dev mailing list
     > platform-dev@xxxxxxxxxxx
     > To unsubscribe from this list, visit
     > https://www.eclipse.org/mailman/listinfo/platform-dev
     >
