Bug 1212931 (CVE-2023-35947)

Summary: VUL-0: CVE-2023-35947: gradle: unpacking Tar archives could create files outside of the unpack location
Product: [Novell Products] SUSE Security Incidents Reporter: Alexander Bergmann <abergmann>
Component: IncidentsAssignee: Gus Kenion <gus.kenion>
Status: NEW --- QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: gus.kenion, postadal, security-team, stoyan.manolov
Version: unspecifiedFlags: stoyan.manolov: needinfo? (gus.kenion)
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/371011/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-35947:6.9:(AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:L)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Alexander Bergmann 2023-07-03 06:09:21 UTC 
CVE-2023-35947

Gradle is a build tool with a focus on build automation and support for
multi-language development. In affected versions when unpacking Tar archives,
Gradle did not check that files could be written outside of the unpack location.
This could lead to important files being overwritten anywhere the Gradle process
has write permissions. For a build reading Tar entries from a Tar archive, this
issue could allow Gradle to disclose information from sensitive files through an
arbitrary file read. To exploit this behavior, an attacker needs to either
control the source of an archive already used by the build or modify the build
to interact with a malicious archive. It is unlikely that this would go
unnoticed. A fix has been released in Gradle 7.6.2 and 8.2 to protect against
this vulnerability. Starting from these versions, Gradle will refuse to handle
Tar archives which contain path traversal elements in a Tar entry name. Users
are advised to upgrade. There are no known workarounds for this vulnerability.



### Impact

This is a path traversal vulnerability when Gradle deals with Tar archives,
often referenced as TarSlip, a variant of ZipSlip.

* When unpacking Tar archives, Gradle did not check that files could be written
outside of the unpack location. This could lead to important files being
overwritten anywhere the Gradle process has write permissions.
* For a build reading Tar entries from a Tar archive, this issue could allow
Gradle to disclose information from sensitive files through an arbitrary file
read.

To exploit this behavior, an attacker needs to either control the source of an
archive already used by the build or modify the build to interact with a
malicious archive. It is unlikely that this would go unnoticed.

Gradle uses Tar archives for its [Build
Cache](https://docs.gradle.org/current/userguide/build_cache.html). These
archives are safe when created by Gradle. But if an attacker had control of a
remote build cache server, they could inject malicious build cache entries that
leverage this vulnerability. This attack vector could also be exploited if a
man-in-the-middle can be performed between the remote cache and the build.

### Patches

A fix has been released in Gradle 7.6.2 and 8.2 to protect against this
vulnerability. Starting from these versions, Gradle will refuse to handle Tar
archives which contain path traversal elements in a Tar entry name.

It is recommended that users upgrade to a patched version.

### Workarounds

There is no workaround.

* If your build deals with Tar archives that you do not fully trust, you need to
inspect them to confirm they do not attempt to leverage this vulnerability.
* If you use the Gradle remote build cache, make sure only trusted parties have
write access to it and that connections to the remote cache are properly
secured.

### References

* [CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path
Traversal')](https://cwe.mitre.org/data/definitions/22.html)
* [Gradle Build
Cache](https://docs.gradle.org/current/userguide/build_cache.html)
* [ZipSlip](https://security.snyk.io/research/zip-slip-vulnerability)


References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-35947
https://www.cve.org/CVERecord?id=CVE-2023-35947
https://github.com/gradle/gradle/commit/1096b309520a8c315e3b6109a6526de4eabcb879
https://github.com/gradle/gradle/commit/2e5c34d57d0c0b7f0e8b039a192b91e5c8249d91
https://github.com/gradle/gradle/security/advisories/GHSA-84mw-qh6q-v842