https://bugzilla.redhat.com/show_bug.cgi?id=1903702
Bug ID: 1903702 Summary: CVE-2020-11979 ant: insecure temporary file Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team@redhat.com Reporter: darunesh@redhat.com CC: abenaiss@redhat.com, aboyko@redhat.com, aileenc@redhat.com, akoufoud@redhat.com, alazarot@redhat.com, almorale@redhat.com, anstephe@redhat.com, aos-bugs@redhat.com, asoldano@redhat.com, atangrin@redhat.com, bbaranow@redhat.com, bmaxwell@redhat.com, bmontgom@redhat.com, brian.stansberry@redhat.com, cdewolf@redhat.com, chazlett@redhat.com, darran.lofthouse@redhat.com, decathorpe@gmail.com, dkreling@redhat.com, dosoudil@redhat.com, drieden@redhat.com, eleandro@redhat.com, eparis@redhat.com, etirelli@redhat.com, ganandan@redhat.com, gvarsami@redhat.com, ibek@redhat.com, iweiss@redhat.com, jaromir.capik@email.cz, java-maint@redhat.com, java-maint-sig@lists.fedoraproject.org, java-sig-commits@lists.fedoraproject.org, jawilson@redhat.com, jburrell@redhat.com, jcoleman@redhat.com, jochrist@redhat.com, jokerman@redhat.com, jolee@redhat.com, jperkins@redhat.com, jschatte@redhat.com, jstastny@redhat.com, jwon@redhat.com, kconner@redhat.com, krathod@redhat.com, kverlaen@redhat.com, kwills@redhat.com, ldimaggi@redhat.com, lgao@redhat.com, loleary@redhat.com, mizdebsk@redhat.com, mnovotny@redhat.com, msochure@redhat.com, msrb@redhat.com, msvehla@redhat.com, nstielau@redhat.com, nwallace@redhat.com, pbhattac@redhat.com, pcheung@redhat.com, pdrozd@redhat.com, pjindal@redhat.com, pmackay@redhat.com, rguimara@redhat.com, rrajasek@redhat.com, rstancel@redhat.com, rsvoboda@redhat.com, rsynek@redhat.com, rwagner@redhat.com, sdaley@redhat.com, smaestri@redhat.com, spinder@redhat.com, sponnaga@redhat.com, sthorger@redhat.com, swoodman@redhat.com, tcunning@redhat.com, theute@redhat.com, tkirby@redhat.com, tom.jenkinson@redhat.com, vbobade@redhat.com, vhalbert@redhat.com Target Milestone: --- Classification: Other
As mitigation for CVE-2020-1945 Apache Ant 1.10.8 changed the permissions of temporary files it created so that only the current user was allowed to access them. Unfortunately the fixcrlf task deleted the temporary file and created a new one without said protection, effectively nullifying the effort. This would still allow an attacker to inject modified source files into the build process.
References: https://lists.apache.org/thread.html/r107ea1b1a7a214bc72fe1a04207546ccef5421... https://lists.apache.org/thread.html/r1dc8518dc99c42ecca5ff82d0d2de64cd5d3a4... https://lists.apache.org/thread.html/r2306b67f20c24942b872b0a41fbdc9330e8467... https://lists.apache.org/thread.html/r4ca33fad3fb39d130cda287d5a60727d9e706e... https://lists.apache.org/thread.html/r5e1cdd79f019162f76414708b2092acad0a670... https://lists.apache.org/thread.html/rc3c8ef9724b5b1e171529b47f4b35cb7920edf... https://lists.fedoraproject.org/archives/list/package-announce@lists.fedorap... https://lists.fedoraproject.org/archives/list/package-announce@lists.fedorap... https://lists.fedoraproject.org/archives/list/package-announce@lists.fedorap... https://security.gentoo.org/glsa/202011-18
https://bugzilla.redhat.com/show_bug.cgi?id=1903702
Dhananjay Arunesh darunesh@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Depends On| |1903704, 1903705
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1903704 [Bug 1903704] CVE-2020-11979 ant: insecure temporary file [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1903705 [Bug 1903705] CVE-2020-11979 ant:1.10/ant: insecure temporary file [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1903702 Bug 1903702 depends on bug 1903704, which changed state.
Bug 1903704 Summary: CVE-2020-11979 ant: insecure temporary file [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1903704
What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |CLOSED Resolution|--- |NOTABUG
https://bugzilla.redhat.com/show_bug.cgi?id=1903702
Mark Cooper mcooper@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Fixed In Version| |ant 1.10.9
https://bugzilla.redhat.com/show_bug.cgi?id=1903702
Mark Cooper mcooper@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Depends On| |1904306
https://bugzilla.redhat.com/show_bug.cgi?id=1903702
Mark Cooper mcooper@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Depends On| |1904329
https://bugzilla.redhat.com/show_bug.cgi?id=1903702
Mark Cooper mcooper@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Depends On| |1904308
https://bugzilla.redhat.com/show_bug.cgi?id=1903702
Mark Cooper mcooper@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Depends On| |1904307
https://bugzilla.redhat.com/show_bug.cgi?id=1903702
--- Comment #5 from Mark Cooper mcooper@redhat.com --- External References:
https://security.gentoo.org/glsa/202011-18
https://bugzilla.redhat.com/show_bug.cgi?id=1903702
--- Comment #7 from Mark Cooper mcooper@redhat.com --- OpenShift packages a vulnerable version of ant in the following components: - OpenShift 3.11, jenkins, ant.jar-1.10.7 - OpenShift 4.6, jenkins, ant.jar-1.10.7 - OpenShift 4.6, hive-container, ant-1.9.1
https://bugzilla.redhat.com/show_bug.cgi?id=1903702
Kunjan Rathod krathod@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Flags| |needinfo?(chazlett@redhat.c | |om)
https://bugzilla.redhat.com/show_bug.cgi?id=1903702
Paramvir jindal pjindal@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://issues.redhat.com/b | |rowse/RHDM-1524, | |https://issues.redhat.com/b | |rowse/RHPAM-3343
https://bugzilla.redhat.com/show_bug.cgi?id=1903702
Chess Hazlett chazlett@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |security-response-team@redh | |at.com Flags|needinfo?(chazlett@redhat.c |needinfo?(security-response |om) |-team@redhat.com)
https://bugzilla.redhat.com/show_bug.cgi?id=1903702
Chess Hazlett chazlett@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Flags|needinfo?(security-response |needinfo?(krathod@redhat.co |-team@redhat.com) |m)
https://bugzilla.redhat.com/show_bug.cgi?id=1903702
Kunjan Rathod krathod@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Flags|needinfo?(krathod@redhat.co | |m) |
https://bugzilla.redhat.com/show_bug.cgi?id=1903702
--- Comment #14 from Todd Cullum tcullum@redhat.com --- Statement:
ant as shipped in Red Hat Enterprise Linux 8 is not affected by this flaw because this flaw is caused by the patch for CVE-2020-1945, however, it was never applied to ant as shipped in Red Hat Enterprise Linux 8, because the decision was made by Engineering to WONTFIX that flaw.
https://bugzilla.redhat.com/show_bug.cgi?id=1903702
Todd Cullum tcullum@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://issues.redhat.com/b | |rowse/JBDS-4900
https://bugzilla.redhat.com/show_bug.cgi?id=1903702
Vibhav Bobade vbobade@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Depends On| |1914101
https://bugzilla.redhat.com/show_bug.cgi?id=1903702
Sam Fowler sfowler@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Depends On| |1922554
https://bugzilla.redhat.com/show_bug.cgi?id=1903702
--- Comment #19 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 4.6
Via RHSA-2021:0423 https://access.redhat.com/errata/RHSA-2021:0423
https://bugzilla.redhat.com/show_bug.cgi?id=1903702
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Link ID| |Red Hat Product Errata | |RHSA-2021:0423
https://bugzilla.redhat.com/show_bug.cgi?id=1903702
Product Security DevOps Team prodsec-dev@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |CLOSED Resolution|--- |ERRATA Last Closed| |2021-02-18 19:02:01
--- Comment #20 from Product Security DevOps Team prodsec-dev@redhat.com --- This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2020-11979
https://bugzilla.redhat.com/show_bug.cgi?id=1903702
--- Comment #21 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 4.5
Via RHSA-2021:0429 https://access.redhat.com/errata/RHSA-2021:0429
https://bugzilla.redhat.com/show_bug.cgi?id=1903702
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Link ID| |Red Hat Product Errata | |RHSA-2021:0429
https://bugzilla.redhat.com/show_bug.cgi?id=1903702
--- Comment #22 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 3.11
Via RHSA-2021:0637 https://access.redhat.com/errata/RHSA-2021:0637
https://bugzilla.redhat.com/show_bug.cgi?id=1903702
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Link ID| |Red Hat Product Errata | |RHSA-2021:0637
https://bugzilla.redhat.com/show_bug.cgi?id=1903702
--- Comment #23 from Przemyslaw Roguski proguski@redhat.com --- Statement:
ant as shipped in Red Hat Enterprise Linux 8 is not affected by this flaw because this flaw is caused by the patch for CVE-2020-1945, however, it was never applied to ant as shipped in Red Hat Enterprise Linux 8, because the decision was made by Engineering to WONTFIX that flaw.
In OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of ant package. Since the release of OCP 4.6, the Metering product has been deprecated [1], hence the affected components are marked as wontfix. This may be fixed in the future.
[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-rele...
https://bugzilla.redhat.com/show_bug.cgi?id=1903702 Bug 1903702 depends on bug 1903705, which changed state.
Bug 1903705 Summary: CVE-2020-11979 ant:1.10/ant: insecure temporary file [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1903705
What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |CLOSED Resolution|--- |WONTFIX
java-sig-commits@lists.fedoraproject.org