Does anyone have any additional information about ...
# androida
andreasmattsson
02/03/2022, 2:19 PMDoes anyone have any additional information about the Kotlin vulnerability reported in the Q4 2020 Security Bulletin?
We have developed an Android app for a client, and as part of security verification need to run a OWASP dependency check, and the only thing that came back flagged that appears on our app's runtime dependencies is CVE-2020-29582.
Unfortunately there is very little information on this, and the referenced issue KT-42181 is either private or unexistent.
andreasmattsson
02/03/2022, 2:23 PMIt would be nice verify if this issue is actually applicable to our app (and other Android apps), and if there are any mitigations or fixes that can be applied beyond upgrading to a later Kotlin runtime?
Upgrading the Kotlin runtime is on our roadmap, but unfortunately we have custom code generation logic dependent on Kotlin internal serialization behavior that has changed between major releases. So in our cases that is a nontrivial thing to do, and we would hope to get this app accepted and released before that.
e
ephemient
02/03/2022, 7:27 PMthe reporter @jlleitschuh is here, fyi
ephemient
02/03/2022, 7:29 PMI have no details but in general, these filesystem issues are only vulnerable when there are other programs outside your control with concurrent access to the same location that you are working in, which is rarely ever the case on Android
j
jlleitschuh
02/03/2022, 7:31 PMI agree with your sentiment. I've complained to JetBrains about this in the past. They do a really terrible job at disclosing vulnerabilities fully.
jlleitschuh
02/03/2022, 7:33 PMGive me a second, I'll publish my own disclosure RE this issue
jlleitschuh
02/03/2022, 7:43 PMThe same vulnerability exists in Google Guava. The Google team deprecated the method instead of fixing it.
jlleitschuh
02/03/2022, 7:43 PMThe Jetbrains team did the same thing here
jlleitschuh
02/03/2022, 7:51 PMHere's the published disclosure for that: https://github.com/JLLeitschuh/security-research/security/advisories/GHSA-5w9v-8x7x-rfqm
a
andreasmattsson
02/03/2022, 8:14 PMThank you so much @jlleitschuh, that is immensely helpful to us!
j
jlleitschuh
02/03/2022, 8:17 PMIf it's relevant, here's the same issue in Google Guava:
https://github.com/google/guava/issues/4011
👍 1
a
andreasmattsson
02/03/2022, 8:17 PMThank you too @ephemient, I suspected as much, that the types of file system operations involved would be unlikely to impact Android apps with any "normal" API usage. But I was beginning to lose any hope of being able to confirm it.
j
jlleitschuh
02/03/2022, 8:17 PMDepends what versions of android you are using
jlleitschuh
02/03/2022, 8:19 PMThere's a long thread about the impact of this kind of vulnerability potentially on android here:
https://github.com/google/guava/issues/4011#issuecomment-769975829
jlleitschuh
02/03/2022, 8:21 PMe
ephemient
02/03/2022, 8:24 PMthanks for the additional information. minSdk=18 covers ~99.5% of active devices so I think my prior statement "rarely ever the case on Android" can be justified 🙂
👍 1
a
andreasmattsson
02/03/2022, 8:25 PMAre you aware of any Kotlin API or functionality @jlleitschuh that make use of any of those methods internally? We don't make use of any Kotlin stdlib file operations at runtime in our app, but I guess we should make doubly sure none of our library dependencies do either.
(we have minSdk 23, and target/compile sdk 30, if it matters)
j
jlleitschuh
02/03/2022, 8:25 PMNot an android developer, most of those things don't mean much to me unfortunately. I rely upon others for information RE android
a
andreasmattsson
02/03/2022, 8:26 PMOkay. It's getting late here, but I'll definitely be diving deeper into those links tomorrow. Thanks again for providing me a good starting point!
j
jlleitschuh
02/03/2022, 8:27 PMFrom @ilya.gorbunov in the private discusson on that issue:
> We'll however investigate whether these functions were used in the Kotlin codebase and issue a CVE if we find those places vulnerable.
Just a heads-up: we've fixed usages of these functions in the Kotlin codebase and shipped this change with Kotlin 1.4.21. Now we're waiting for a CVE number to be assigned.Link not public, but anyone from Jetbrains who's curious and wants to refresh their memory: https://youtrack.jetbrains.com/issue/KT-42181#focus=Comments-27-4614214.0-0
jlleitschuh
02/03/2022, 8:27 PMSo, it looks like those methods were in use other places, but they never explicitly communicated which methods were impacted to me
jlleitschuh
02/03/2022, 8:28 PMIf you have additional information you dig up, I'm happy to add it to my advisory
a
andreasmattsson
02/03/2022, 8:29 PMIf I find anything I'll make sure to report back. But yeah, better still would be if JetBrains themselves were more forthright in their communication about this sort of thing.
andreasmattsson
02/03/2022, 8:46 PMA quick cursory glance using the built in IntelliJ code usage tools indicates our project has usages of that method at compile time via the Kotlin Gradle DSL, but I find nothing using those methods in the normal runtime stdlib. Probably not applicable to the android versions we target anyway, but feels better still if we don't touch any affected APIs at all. May also add a ArchUnit test as well as you suggested in that thread.
j
jlleitschuh
02/03/2022, 8:53 PMOn older versions of Gradle, that vulnerability existed in Gradle itself because of it's own use of the system temporary directory:
https://github.com/gradle/gradle/security/advisories/GHSA-89qm-pxvm-p336
jlleitschuh
02/03/2022, 8:54 PMNot a huge risk assuming you're all running your Gradle builds on systems that don't have multiple users
👍 1
4 Views