Re: [eclipse.org-architecture-council] Security flaw in ADT is somehow presented as a flaw in Eclipse IDE


I agree that we don't want to make this sound more bleak than it really is. But if this bug is in ADT (a Google product) and not the open source Eclipse IDE which is provided by the Eclipse Foundation and community, we may want to publicly clarify that.

Can someone confirm that is the case?

On 2017-12-06 3:10 AM, Max Rydahl Andersen wrote:
See https://www.theregister.co.uk/2017/12/06/android_ides_vulnerable/
This piece of news is spreading very fast on social media. As far as I
understand (and I may be wrong), the security flaw mentioned here isn't in
Eclipse IDE itself but in ADT or some other piece of Android SDK.
So basically, Eclipse IDE has once again its image hurt by an issue in
ADT...

All IDEs were hurt. Let's not make it more bleak than it is - also be aware this issue of XML external entity leaks is not new; it's been known for years to be
an issue if your XML parsing doesn't guard itself against relative paths.

Now it seems the Android toolkit is affected by it too.

If this happens to be the case, it would be interesting to have the Eclipse Foundation send a PR to explain that Eclipse IDE itself is fine, and is
open for extensions, and that security flaws in extensions are only the
responsibility of extension providers; and warn against this kind of
message which tends to blame the wrong layer.

I'm sorry but the news seems to be balanced on this - they state it affected all major IDEs (which is true) and it needs fixing. The article states
it has been fixed, but do we know if Eclipse ADT has been fixed?

On the Marketplace it's listed as having no updates since 20160-11-07 (https://marketplace.eclipse.org/content/android-development-tools-eclipse)

The question now is whether, as happened with Eclipse Class Decompiler, Eclipse should remove ADT from the Marketplace? See https://eclipse.org/org/press-release/20170814_security_bulletin.php

/max
_______________________________________________
eclipse.org-architecture-council mailing list
eclipse.org-architecture-council@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/eclipse.org-architecture-council

IMPORTANT: Membership in this list is generated by processes internal to the Eclipse Foundation.  To be permanently removed from this list, you must contact emo@xxxxxxxxxxx to request removal.


--
Mike Milinkovich
mike.milinkovich@xxxxxxxxxxxxxxxxxxxxxx
(m) +1.613.220.3223
