https://bugzilla.redhat.com/show_bug.cgi?id=1837444
Bug ID: 1837444 Summary: CVE-2020-1945 ant: insecure temporary file vulnerability Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team@redhat.com Reporter: gsuckevi@redhat.com CC: aboyko@redhat.com, aileenc@redhat.com, akoufoud@redhat.com, alazarot@redhat.com, almorale@redhat.com, anstephe@redhat.com, asoldano@redhat.com, atangrin@redhat.com, bbaranow@redhat.com, bmaxwell@redhat.com, bmontgom@redhat.com, brian.stansberry@redhat.com, cdewolf@redhat.com, chazlett@redhat.com, darran.lofthouse@redhat.com, decathorpe@gmail.com, dkreling@redhat.com, dmoluguw@redhat.com, dosoudil@redhat.com, drieden@redhat.com, eparis@redhat.com, etirelli@redhat.com, ganandan@redhat.com, gvarsami@redhat.com, hvyas@redhat.com, ibek@redhat.com, iweiss@redhat.com, jaromir.capik@email.cz, java-maint@redhat.com, java-sig-commits@lists.fedoraproject.org, jawilson@redhat.com, jburrell@redhat.com, jcoleman@redhat.com, jochrist@redhat.com, jokerman@redhat.com, jolee@redhat.com, jperkins@redhat.com, jschatte@redhat.com, jstastny@redhat.com, jwon@redhat.com, kconner@redhat.com, krathod@redhat.com, kverlaen@redhat.com, kwills@redhat.com, ldimaggi@redhat.com, lgao@redhat.com, loleary@redhat.com, mizdebsk@redhat.com, mnovotny@redhat.com, msochure@redhat.com, msrb@redhat.com, msvehla@redhat.com, nstielau@redhat.com, nwallace@redhat.com, paradhya@redhat.com, pcheung@redhat.com, pdrozd@redhat.com, pjindal@redhat.com, pmackay@redhat.com, psotirop@redhat.com, puebele@redhat.com, rguimara@redhat.com, rrajasek@redhat.com, rstancel@redhat.com, rsvoboda@redhat.com, rsynek@redhat.com, rwagner@redhat.com, sdaley@redhat.com, smaestri@redhat.com, spinder@redhat.com, sponnaga@redhat.com, stewardship-sig@lists.fedoraproject.org, sthorger@redhat.com, swoodman@redhat.com, tcunning@redhat.com, theute@redhat.com, tkirby@redhat.com, tom.jenkinson@redhat.com, vbellur@redhat.com, vhalbert@redhat.com Target Milestone: --- Classification: Other
Apache Ant 1.1 to 1.9.14 and 1.10.0 to 1.10.7 uses the default temporary directory identified by the Java system property java.io.tmpdir for several tasks and may thus leak sensitive information. The fixcrlf and replaceregexp tasks also copy files from the temporary directory back into the build tree allowing an attacker to inject modified source files into the build process.
References: https://issues.apache.org/jira/browse/RAT-269?page=com.atlassian.jira.plugin... https://lists.apache.org/thread.html/r8e592bbfc016a5dbe2a8c0e81ff99682b9c78c...
https://bugzilla.redhat.com/show_bug.cgi?id=1837444
Guilherme de Almeida Suckevicz gsuckevi@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Depends On| |1837445, 1837446
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1837445 [Bug 1837445] CVE-2020-1945 ant: insecure temporary file vulnerability [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1837446 [Bug 1837446] CVE-2020-1945 ant:1.10/ant: insecure temporary file vulnerability [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1837444
Guilherme de Almeida Suckevicz gsuckevi@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Blocks| |1837447
--- Comment #1 from Guilherme de Almeida Suckevicz gsuckevi@redhat.com --- Created ant tracking bugs for this issue:
Affects: fedora-all [bug 1837445]
Created ant:1.10/ant tracking bugs for this issue:
Affects: fedora-all [bug 1837446]
https://bugzilla.redhat.com/show_bug.cgi?id=1837444
--- Comment #2 from Chess Hazlett chazlett@redhat.com --- Mitigation:
For versions 1.1 to 1.9.14 and 1.10.0 to 1.10.7, set the java.io.tmpdir system property to a private directory-- only readable and writable by the current user-- before running Ant.
For versions 1.9.15 and 1.10.8, use the Ant property ant.tmpfile instead. Ant 1.10.8 protects the temporary files if the underlying filesystem allows it, but using a private temporary directory is still recommended.
https://bugzilla.redhat.com/show_bug.cgi?id=1837444
Chess Hazlett chazlett@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Fixed In Version| |ant 1.9.15, ant 1.10.8
https://bugzilla.redhat.com/show_bug.cgi?id=1837444
Jason Shepherd jshepherd@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- CC|bmontgom@redhat.com, | |eparis@redhat.com, | |jburrell@redhat.com, | |jokerman@redhat.com, | |nstielau@redhat.com, | |sponnaga@redhat.com |
https://bugzilla.redhat.com/show_bug.cgi?id=1837444 Bug 1837444 depends on bug 1837445, which changed state.
Bug 1837445 Summary: CVE-2020-1945 ant: insecure temporary file vulnerability [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1837445
What |Removed |Added ---------------------------------------------------------------------------- Status|ON_QA |CLOSED Resolution|--- |ERRATA
https://bugzilla.redhat.com/show_bug.cgi?id=1837444
Marco Benatto mbenatto@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Depends On| |1843538
https://bugzilla.redhat.com/show_bug.cgi?id=1837444
Marco Benatto mbenatto@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Depends On| |1843539
https://bugzilla.redhat.com/show_bug.cgi?id=1837444
Marco Benatto mbenatto@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Depends On| |1843541
https://bugzilla.redhat.com/show_bug.cgi?id=1837444
Marco Benatto mbenatto@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Depends On| |1843542
https://bugzilla.redhat.com/show_bug.cgi?id=1837444
Marco Benatto mbenatto@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Depends On| |1843540
https://bugzilla.redhat.com/show_bug.cgi?id=1837444 Bug 1837444 depends on bug 1837446, which changed state.
Bug 1837446 Summary: CVE-2020-1945 ant:1.10/ant: insecure temporary file vulnerability [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1837446
What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |CLOSED Resolution|--- |DUPLICATE
https://bugzilla.redhat.com/show_bug.cgi?id=1837444
--- Comment #7 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat AMQ Streams 1.5.0
Via RHSA-2020:2618 https://access.redhat.com/errata/RHSA-2020:2618
https://bugzilla.redhat.com/show_bug.cgi?id=1837444
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Link ID| |Red Hat Product Errata | |RHSA-2020:2618
https://bugzilla.redhat.com/show_bug.cgi?id=1837444
Product Security DevOps Team prodsec-dev@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |CLOSED Resolution|--- |ERRATA Last Closed| |2020-06-19 05:20:32
--- Comment #8 from Product Security DevOps Team prodsec-dev@redhat.com --- This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2020-1945
https://bugzilla.redhat.com/show_bug.cgi?id=1837444
--- Comment #11 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
RHDM 7.9.0
Via RHSA-2020:4960 https://access.redhat.com/errata/RHSA-2020:4960
https://bugzilla.redhat.com/show_bug.cgi?id=1837444
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Link ID| |Red Hat Product Errata | |RHSA-2020:4960
https://bugzilla.redhat.com/show_bug.cgi?id=1837444
--- Comment #12 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
RHPAM 7.9.0
Via RHSA-2020:4961 https://access.redhat.com/errata/RHSA-2020:4961
https://bugzilla.redhat.com/show_bug.cgi?id=1837444
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Link ID| |Red Hat Product Errata | |RHSA-2020:4961
https://bugzilla.redhat.com/show_bug.cgi?id=1837444
Mark Cooper mcooper@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |btofel@redhat.com, | |sd-operator-metering@redhat | |.com See Also| |https://issues.redhat.com/b | |rowse/ENTMQST-1986, | |https://issues.redhat.com/b | |rowse/JBDS-4859, | |https://issues.redhat.com/b | |rowse/KEYCLOAK-14240, | |https://issues.redhat.com/b | |rowse/RHDM-1353, | |https://issues.redhat.com/b | |rowse/RHPAM-2954
https://bugzilla.redhat.com/show_bug.cgi?id=1837444
Mark Cooper mcooper@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Depends On| |1904308, 1904306, 1904307
https://bugzilla.redhat.com/show_bug.cgi?id=1837444
--- Comment #16 from Mark Cooper mcooper@redhat.com --- OpenShift packages a vulnerable version of ant in the following components: - OpenShift 3.11, jenkins, ant.jar-1.10.7 - OpenShift 4.6, jenkins, ant.jar-1.10.7 - OpenShift 4.6, hive-container, ant-1.9.1
https://bugzilla.redhat.com/show_bug.cgi?id=1837444
Vibhav Bobade vbobade@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Depends On| |1914101
https://bugzilla.redhat.com/show_bug.cgi?id=1837444
Sam Fowler sfowler@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Depends On| |1922554
https://bugzilla.redhat.com/show_bug.cgi?id=1837444
--- Comment #19 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 4.6
Via RHSA-2021:0423 https://access.redhat.com/errata/RHSA-2021:0423
https://bugzilla.redhat.com/show_bug.cgi?id=1837444
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Link ID| |Red Hat Product Errata | |RHSA-2021:0423
https://bugzilla.redhat.com/show_bug.cgi?id=1837444
--- Comment #20 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 4.5
Via RHSA-2021:0429 https://access.redhat.com/errata/RHSA-2021:0429
https://bugzilla.redhat.com/show_bug.cgi?id=1837444
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Link ID| |Red Hat Product Errata | |RHSA-2021:0429
https://bugzilla.redhat.com/show_bug.cgi?id=1837444
--- Comment #21 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 3.11
Via RHSA-2021:0637 https://access.redhat.com/errata/RHSA-2021:0637
https://bugzilla.redhat.com/show_bug.cgi?id=1837444
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Link ID| |Red Hat Product Errata | |RHSA-2021:0637
https://bugzilla.redhat.com/show_bug.cgi?id=1837444
--- Comment #22 from Przemyslaw Roguski proguski@redhat.com --- Statement:
In OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of ant package. Since the release of OCP 4.6, the Metering product has been deprecated [1], hence the affected components are marked as wontfix. This may be fixed in the future.
[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-rele...
java-sig-commits@lists.fedoraproject.org