#14082 closed enhancement (fixed)

apache-ant-1.10.9

Reported by: Bruce Dubbs Owned by: thomas
Priority: high Milestone: 10.1
Component: BOOK Version: SVN
Severity: normal Keywords:
Cc:

Description

New point version.

Change History (3)

comment:1 by Douglas R. Reno, 10 months ago

Priority: normalhigh
CVE-2020-11979: Apache Ant insecure temporary file vulnerability

Severity: Medium

Vendor:
The Apache Software Foundation

Versions Affected:
Apache Ant 1.10.8

Description:

As mitigation for CVE-2020-1945 Apache Ant 1.10.8 changed the
permissions of temporary files it created so that only the current user
was allowed to access them. Unfortunately the fixcrlf task deleted the
temporary file and created a new one without said protection,
effectively nullifying the effort.

This would still allow an attacker to inject modified source files into
the build process.

Mitigation:

The best mitigation against CVE-2020-11979 and CVE-2020-1945 still is to
make Ant use a directory that is only readable and writable by the
current user.

Ant users of versions 1.10.8 and 1.9.15 can use the Ant property
ant.tmpdir to point to such a directory, users of versions 1.1 to 1.9.14
and 1.10.0 to 1.10.7 should set the java.io.tmpdir system property.

Ant 1.10.9 will also try to create a temporary directory only accessible
by the current user if neither of the properties above is set but may
fail to create one if the underlying filesystem doesn't allow it.

Explicitly setting up a directory to use and set the respective property
is the only mitigation that will work on every platform.

Credit:
This issue was discovered by Mike Salvatore of the Ubuntu Security Team.

References:
https://ant.apache.org/security.html

comment:2 by thomas, 10 months ago

Owner: changed from blfs-book to thomas
Status: newassigned

comment:3 by thomas, 10 months ago

Resolution: fixed
Status: assignedclosed

Fixed in r23781

Note: See TracTickets for help on using tickets.