https://bugzilla.redhat.com/show_bug.cgi?id=1903702
Bug ID: 1903702
Summary: CVE-2020-11979 ant: insecure temporary file
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team@redhat.com
Reporter: darunesh@redhat.com
CC: abenaiss@redhat.com, aboyko@redhat.com, aileenc@redhat.com, akoufoud@redhat.com, alazarot@redhat.com, almorale@redhat.com, anstephe@redhat.com, aos-bugs@redhat.com, asoldano@redhat.com, atangrin@redhat.com, bbaranow@redhat.com, bmaxwell@redhat.com, bmontgom@redhat.com, brian.stansberry@redhat.com, cdewolf@redhat.com, chazlett@redhat.com, darran.lofthouse@redhat.com, decathorpe@gmail.com, dkreling@redhat.com, dosoudil@redhat.com, drieden@redhat.com, eleandro@redhat.com, eparis@redhat.com, etirelli@redhat.com, ganandan@redhat.com, gvarsami@redhat.com, ibek@redhat.com, iweiss@redhat.com, jaromir.capik@email.cz, java-maint@redhat.com, java-maint-sig@lists.fedoraproject.org, java-sig-commits@lists.fedoraproject.org, jawilson@redhat.com, jburrell@redhat.com, jcoleman@redhat.com, jochrist@redhat.com, jokerman@redhat.com, jolee@redhat.com, jperkins@redhat.com, jschatte@redhat.com, jstastny@redhat.com, jwon@redhat.com, kconner@redhat.com, krathod@redhat.com, kverlaen@redhat.com, kwills@redhat.com, ldimaggi@redhat.com, lgao@redhat.com, loleary@redhat.com, mizdebsk@redhat.com, mnovotny@redhat.com, msochure@redhat.com, msrb@redhat.com, msvehla@redhat.com, nstielau@redhat.com, nwallace@redhat.com, pbhattac@redhat.com, pcheung@redhat.com, pdrozd@redhat.com, pjindal@redhat.com, pmackay@redhat.com, rguimara@redhat.com, rrajasek@redhat.com, rstancel@redhat.com, rsvoboda@redhat.com, rsynek@redhat.com, rwagner@redhat.com, sdaley@redhat.com, smaestri@redhat.com, spinder@redhat.com, sponnaga@redhat.com, sthorger@redhat.com, swoodman@redhat.com, tcunning@redhat.com, theute@redhat.com, tkirby@redhat.com, tom.jenkinson@redhat.com, vbobade@redhat.com, vhalbert@redhat.com
Target Milestone: ---
Classification: Other
As mitigation for CVE-2020-1945, Apache Ant 1.10.8 changed the permissions of temporary files it created so that only the current user was allowed to access them. Unfortunately, the fixcrlf task deleted the temporary file and created a new one without said protection, effectively nullifying the effort. This would still allow an attacker to inject modified source files into the build process.
References:
https://lists.apache.org/thread.html/r107ea1b1a7a214bc72fe1a04207546ccef5421...
https://lists.apache.org/thread.html/r1dc8518dc99c42ecca5ff82d0d2de64cd5d3a4...
https://lists.apache.org/thread.html/r2306b67f20c24942b872b0a41fbdc9330e8467...
https://lists.apache.org/thread.html/r4ca33fad3fb39d130cda287d5a60727d9e706e...
https://lists.apache.org/thread.html/r5e1cdd79f019162f76414708b2092acad0a670...
https://lists.apache.org/thread.html/rc3c8ef9724b5b1e171529b47f4b35cb7920edf...
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedorap...
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedorap...
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedorap...
https://security.gentoo.org/glsa/202011-18
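
The failure mode in the description, as an added Java example (not Ant's code and not its fix): a temporary file created with owner-only permissions loses them when it is deleted and recreated by name, while recreating it with an explicit owner-only attribute keeps the protection. The class and method names are hypothetical, and a POSIX file system is assumed.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

// Hypothetical demo class; none of these names come from Ant.
public class TempFilePermissionDemo {
    // Owner-only access, the kind of protection the description attributes to Ant 1.10.8.
    static final FileAttribute<Set<PosixFilePermission>> OWNER_ONLY =
        PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rw-------"));

    // Pattern from the description: delete the protected file, then create a new
    // one under the same name. The new file takes its mode from the process umask,
    // so the owner-only restriction set at creation time is gone.
    static Path deleteAndRecreate(Path tmp, byte[] data) throws IOException {
        Files.delete(tmp);
        return Files.write(tmp, data); // default options: CREATE, TRUNCATE_EXISTING, WRITE
    }

    // One hardened variant: recreate with the owner-only attribute applied at
    // creation. createFile throws FileAlreadyExistsException if another process
    // planted a file under that name between the delete and the create.
    static Path recreatePrivately(Path tmp, byte[] data) throws IOException {
        Files.delete(tmp);
        Files.createFile(tmp, OWNER_ONLY);
        return Files.write(tmp, data, StandardOpenOption.WRITE,
                           StandardOpenOption.TRUNCATE_EXISTING);
    }

    static String perms(Path p) throws IOException {
        return PosixFilePermissions.toString(Files.getPosixFilePermissions(p));
    }

    public static void main(String[] args) throws IOException {
        Path dir = Files.createTempDirectory("tmpperm-demo");
        byte[] data = "constructed sample line\n".getBytes(StandardCharsets.UTF_8);

        Path a = Files.createTempFile(dir, "fixcrlf", ".tmp", OWNER_ONLY);
        System.out.println("as created:         " + perms(a));
        System.out.println("delete + recreate:  " + perms(deleteAndRecreate(a, data)));

        Path b = Files.createTempFile(dir, "fixcrlf", ".tmp", OWNER_ONLY);
        System.out.println("private recreate:   " + perms(recreatePrivately(b, data)));
    }
}
```

Comparing the three printed permission strings on a build host shows whether a rewritten temporary file is still restricted to its owner.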