Re: [ide-dev] [eclipse.org-architecture-council] Security flaw in ADT is somehow presented as a flaw in Eclipse IDE

On Wed, Dec 6, 2017 at 10:10 AM, Max Rydahl Andersen
<manderse@xxxxxxxxxx> wrote:
>> See https://www.theregister.co.uk/2017/12/06/android_ides_vulnerable/
>> This piece of news is spreading very fast on social media. As far as I
>> understand (and I may be wrong), the security flaw mentioned here isn't in
>> Eclipse IDE itself but in ADT or some other piece of Android SDK.
>> So basically, Eclipse IDE has once again its image hurt by an issue in
>> ADT...
> All IDEs were hurt. Let's not make it more bleak than it is - also be aware
> this issue of XML external entity leaks is not new; it's been known for years
> to be an issue if your XML parsing doesn't guard itself against relative paths.
> Now it seems the Android toolkit is affected by it too.
>> If this happens to be the case, it would be interesting to have the Eclipse
>> Foundation sending a PR to explain that Eclipse IDE itself is fine, and is
>> open for extensions, and that security flaws in extensions are only the
>> responsibility of extension providers; and warn against this kind of
>> message which tends to blame the wrong layer.
> I'm sorry, but the news seems to be all balanced on this - they state it has
> affected all major IDEs (which is true) and it needs fixing. The article states
> it has been fixed, but do we know if Eclipse ADT has been fixed?
> On the marketplace it's listed as having no updates since 20160-11-07
> (https://marketplace.eclipse.org/content/android-development-tools-eclipse)
> Question is now if, like happened with Eclipse Class Decompiler, Eclipse
> should remove ADT from marketplace? See
> https://eclipse.org/org/press-release/20170814_security_bulletin.php

If there is no one to update ADT - it must be removed, I don't see another path.

> /max

Alexander Kurtakov
Red Hat Eclipse Team