Re: [ide-dev] [eclipse.org-architecture-council] Security flaw in ADT is somehow presented as a flaw in Eclipse IDE

> See https://www.theregister.co.uk/2017/12/06/android_ides_vulnerable/
> This piece of news is spreading very fast on social media. As far as I
> understand (and I may be wrong), the security flaw mentioned here isn't in
> Eclipse IDE itself but in ADT or some other piece of Android SDK.
> So basically, Eclipse IDE has once again its image hurt by an issue in
> ADT...

All IDEs were hurt. Let's not make it more bleak than it is - also be aware this
issue of XML external entity leaks is not new; it's been known for years to be
an issue if your XML parsing doesn't guard itself against relative paths.

Now it seems the Android toolkit is affected by it too.

> If this happens to be the case, it would be interesting to have the Eclipse
> Foundation sending a PR to explain that Eclipse IDE itself is fine, and is
> open for extensions, and that security flaws in extensions are only the
> responsibility of extension providers; and warn against this kind of
> message which tends to blame the wrong layer.

I'm sorry but the news seems to be all balanced on this - they state it
affected all major IDEs (which is true) and it needs fixing. The article states
it has been fixed, but do we know if Eclipse ADT has been fixed?


On the marketplace it's listed as having no updates since 20160-11-07 (https://marketplace.eclipse.org/content/android-development-tools-eclipse)

The question now is whether, as happened with Eclipse Class Decompiler, Eclipse should
remove ADT from the marketplace? See https://eclipse.org/org/press-release/20170814_security_bulletin.php


/max