Re: [ide-dev] [eclipse.org-architecture-council] Security flaw in ADT is

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [ide-dev] [eclipse.org-architecture-council] Security flaw in ADT is somehow presented as a flaw in Eclipse IDE

From: "Torkild U. Resheim" <torkildr@xxxxxxxxx>
Date: Wed, 6 Dec 2017 15:19:13 +0100
Delivered-to: ide-dev@xxxxxxxxxxx
List-archive: <https://dev.eclipse.org/mailman/private/ide-dev>
List-help: <mailto:ide-dev-request@eclipse.org?subject=help>
List-subscribe: <https://dev.eclipse.org/mailman/listinfo/ide-dev>, <mailto:ide-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://dev.eclipse.org/mailman/options/ide-dev>, <mailto:ide-dev-request@eclipse.org?subject=unsubscribe>

In the original story[1] they state:

"Our research below illustrates how we exploited these tools to gain access to internal files. Since this research, Check Point reported the discovery to APKTool developers and the other IDE companies back in May 2017. In turn, Google and JetBrains have verified and acknowledged the security issues and have since effectively deployed a fix.»

It would be nice to have the original report, if it exists.

It appears to me that the issue described is caused by Apache Xerces in relation to APKTool and that the solution is to disable external entity references. I believe an example of the latter is here[2]

[1] https://research.checkpoint.com/parsedroid-targeting-android-development-research-community/
[2] https://github.com/eclipse/mylyn.docs/blob/de0f7848eebada1a42d3db4447be591ef9119d0a/epub/core/org.eclipse.mylyn.docs.epub.core/src/org/eclipse/mylyn/docs/epub/internal/OPSValidator.java#L50

Best regards,
Torkild

> 6. des. 2017 kl. 08:37 skrev Mickael Istria <mistria@xxxxxxxxxx>:
> 
> Hi all,
> 
> See https://www.theregister.co.uk/2017/12/06/android_ides_vulnerable/
> This piece of news is spreading very fast on social media. As far as I understand (and I may be wrong), the security flaw mentioned here isn't in Eclipse IDE itself but in ADT or some other piece of Android SDK.
> So basically, Eclipse IDE has once again its image hurt by an issue in ADT...
> If this happens to be the case, it would be interesting to have the Eclipse Foundation sending a PR to explain that Eclipse IDE itself is fine, and is open for extensions, and that security flaws in extensions are only the responsibility of extension providers; and warn against this kind of message which tends to blame the wrong layer.
> 
> Cheers,
> --
> Mickael Istria
> Eclipse IDE developer, at Red Hat Developers community
> Elected Committer Representative at the Eclipse Foundation board of directors
> _______________________________________________
> eclipse.org-architecture-council mailing list
> eclipse.org-architecture-council@xxxxxxxxxxx
> https://dev.eclipse.org/mailman/listinfo/eclipse.org-architecture-council
> 
> IMPORTANT: Membership in this list is generated by processes internal to the Eclipse Foundation.  To be permanently removed from this list, you must contact emo@xxxxxxxxxxx to request removal.

Attachment: signature.asc
Description: Message signed with OpenPGP

References:
- [ide-dev] Security flaw in ADT is somehow presented as a flaw in Eclipse IDE
  - From: Mickael Istria

Prev by Date: Re: [ide-dev] Security flaw in ADT is somehow presented as a flaw in Eclipse IDE
Next by Date: Re: [ide-dev] Security flaw in ADT is somehow presented as a flaw in Eclipse IDE
Previous by thread: Re: [ide-dev] Security flaw in ADT is somehow presented as a flaw in Eclipse IDE
Next by thread: Re: [ide-dev] Security flaw in ADT is somehow presented as a flaw in Eclipse IDE
Index(es):
- Date
- Thread

Breadcrumbs