Bug 324223

Summary: Security Vulnerabilities in Eclipse Help
Product: [Eclipse Project] Platform
Reporter: Mike Milinkovich <mike.milinkovich>
Component: User Assistance
Assignee: platform-ua-inbox <platform-ua-inbox>
Status: RESOLVED FIXED
QA Contact:
Severity: critical
Priority: P3
CC: cgold, daniel_megert, duongn, jeffmcaffer, john.arthorne, Mike_Wilson, mober.at+eclipse, remy.suen, wayne.beaton
Version: 3.6
Target Milestone: 3.6.1
Hardware: PC
OS: Windows Vista
Whiteboard:

Description Mike Milinkovich CLA 2010-09-01 12:21:43 EDT
There are several security vulnerabilities in Eclipse Help (Platform) that can potentially allow hackers to exploit the Help System to deliver malware and spyware to unsuspecting Eclipse users. These are discussed in the following bugs:

bug 320548 
bug 320547 
bug 322374 
bug 319344 
bug 317055 
bug 254575 
bug 223539 
bug 271049 
bug 233466 
bug 320424 

The fixes are in the 3.6.1 stream which will be released in September. The changes have also been released into the 3.4 and 3.5 maintenance streams. 

I would like to have a discussion as to whether it is reasonable that these bugs remain unfixed until 3.6.1. Should we be considering a re-spin?
Comment 1 John Arthorne CLA 2010-09-01 13:39:50 EDT
Our final scheduled 3.6.1 build is today, with potentially one more build next week if needed. So, 3.6.1 is almost done and a full release containing the fixes will be available soon (September 24 according to simultaneous release schedule). In a recent PMC meeting we discussed other possible options for releasing something sooner but didn't settle on an approach. Since the release is already close I think we decided to just release them in 3.6.1 and in the longer term investigate a mechanism for delivering security patches in the future. Since these bugs have been around for several years, another week or two doesn't make much difference.

Having said that, here are some options for getting something out sooner:

1) Declare our 3.6.1 release early. We are effectively done September 8th, but typically wait until the simultaneous release date (Sept. 24) to declare it. We could potentially declare our part of the release early. This is potentially confusing for the community though since updates for other components won't be available, and removes the window for responding to last minute problems reported by other projects on the train.

2) Declare a 3.6.0.1 release containing only those fixes, and leave 3.6.1 schedule alone. I'm not sure we could get it out the door much faster though. We would need to create a new branch, build it, and then repeat the security testing we already did on the 3.6.1 builds to verify the fixes.

3) Make a feature patch available on the web site that can be applied against 3.6.0.

4) Create a feature patch, and add it to the eclipse/updates/3.6 repository so that all 3.6.0 users see it. They will still need to know to select the patch and install it. Also, the bugs primarily affect people running help servers, which don't typically install updates via the UI anyway.
Comment 2 John Arthorne CLA 2010-09-01 13:52:04 EDT
Also, that list includes bugs that have been fixed for a couple of years already. The recent bugs that are a significant security concern are:

bug 322374 (help server accepts requests to different IPs)
bug 317055 (cross-site scripting exploit)
bug 320548 (ability to access local file system)
Comment 3 Dani Megert CLA 2010-09-02 01:30:59 EDT
Given 3.6.1 is right at the door and the issues also exist in 3.4 and 3.5 I suggest we simply wait for 3.6.1 and, as John suggested, declare the Eclipse SDK availability a bit earlier (should discuss with Helios project mgmt first).

If we start a swirl with patches for 3.6.0 then people will also start to ask for 3.4 and 3.5 patches and that's causing too much work in my opinion.
Chris, what about 4.0? Is that release also affected?
Comment 4 Jeff McAffer CLA 2010-09-03 11:51:21 EDT
Given the proximity of the real SR1 release I don't think we need to do an additional "release". It may make sense however to inform people that the fixes are available and they can get them via the Eclipse project builds if needed prior to the SR1 release.
Comment 5 Mike Milinkovich CLA 2010-09-03 13:14:46 EDT
John, Dani, 

Thank you for your responses. I believe that we are in agreement
that at this point these fixes can wait until 3.6.1 to be released.

Stay tuned for a new policy from the Eclipse Foundation on dealing with
security issues. Our role as a platform, and our increasing number of runtime
projects will require a formal process. Part of that policy will be to
recognize that re-spins may be a requirement in certain cases. 

Jeff,

I disagree that we should announce these patches. Once 3.6.1 is out we can tell people that they should upgrade as soon as possible. Forcing consumers to re-build is not a solution for many of them. Announcing the vulnerabilities in the absence of a downloadable fix has more risk than reward IMHO.

I will mark this bug as RESOLVED.
Comment 6 John Arthorne CLA 2011-04-08 14:53:50 EDT
Removing security advisories group. These fixes are available in the latest release, and this bug doesn't discuss particular exploit details anyway.