Opened 10 months ago
Closed 10 months ago
New point version.
CVE-2020-11979: Apache Ant insecure temporary file vulnerability
The Apache Software Foundation
Apache Ant 1.10.8
As mitigation for CVE-2020-1945 Apache Ant 1.10.8 changed the
permissions of temporary files it created so that only the current user
was allowed to access them. Unfortunately the fixcrlf task deleted the
temporary file and created a new one without said protection,
effectively nullifying the effort.
This would still allow an attacker to inject modified source files into
the build process.
The best mitigation against CVE-2020-11979 and CVE-2020-1945 still is to
make Ant use a directory that is only readable and writable by the
Ant users of versions 1.10.8 and 1.9.15 can use the Ant property
ant.tmpdir to point to such a directory, users of versions 1.1 to 1.9.14
and 1.10.0 to 1.10.7 should set the java.io.tmpdir system property.
Ant 1.10.9 will also try to create a temporary directory only accessible
by the current user if neither of the properties above is set but may
fail to create one if the underlying filesystem doesn't allow it.
Explicitly setting up a directory to use and set the respective property
is the only mitigation that will work on every platform.
This issue was discovered by Mike Salvatore of the Ubuntu Security Team.
Fixed in r23781
Powered by Trac 1.5.3.dev0
By Edgewall Software
© 1998-2021 Gerard Beekmans.