Bug 1171696 (CVE-2020-1945)

Summary: VUL-0: CVE-2020-1945: ant: insecure temporary file vulnerability
Product: [Novell Products] SUSE Security Incidents Reporter: Alexandros Toptsoglou <atoptsoglou>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: carlos.lopez, cathy.hu, kstreitova, pmonrealgonzalez, smash_bz, stoyan.manolov, thomas.leroy
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/259521/
See Also: https://bugzilla.suse.com/show_bug.cgi?id=1177180
Whiteboard: CVSSv3.1:SUSE:CVE-2020-1945:4.9:(AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Alexandros Toptsoglou 2020-05-14 15:45:08 UTC 
through oss

CVE-2020-1945: Apache Ant insecure temporary file vulnerability

Severity: Medium

Vendor:
The Apache Software Foundation

Versions Affected:
Apache Ant 1.1 to 1.9.14 and 1.10.0 to 1.10.7

Description:

Apache Ant uses the default temporary directory identified by the Java
system property java.io.tmpdir for several tasks and may thus leak
sensitive information. The fixcrlf and replaceregexp tasks also copy
files from the temporary directory back into the build tree allowing an
attacker to inject modified source files into the build process.

Mitigation:

Ant users of versions 1.1 to 1.9.14 and 1.10.0 to 1.10.7 should set the
java.io.tmpdir system property to point to a directory only readable and
writable by the current user prior to running Ant.

Users of versions 1.9.15 and 1.10.8 can use the Ant property ant.tmpfile
instead. Users of Ant 1.10.8 can rely on Ant protecting the temporary
files if the underlying filesystem allows it, but we still recommend
using a private temporary directory instead.

Credit:
This issue was discovered by Mike Salvatore of the Ubuntu Security Team.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-1945
http://seclists.org/oss-sec/2020/q2/106
Comment 1 Alexandros Toptsoglou 2020-05-14 15:47:28 UTC 
Tracked all codestreams as affected. That are:

SLE10-SP3
SLE11
SLE11-SP3
SLE12
SLE15

Additional references at 
https://security-tracker.debian.org/tracker/CVE-2020-1945
Comment 2 Pedro Monreal Gonzalez 2020-05-14 16:27:48 UTC 
Upstream report: https://ant.apache.org/security.html
Comment 4 Pedro Monreal Gonzalez 2020-05-20 11:28:47 UTC 
Factory submission, update to 1.10.8:
   https://build.opensuse.org/request/show/805655
Comment 6 Swamp Workflow Management 2020-07-17 16:16:51 UTC 
SUSE-SU-2020:1944-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1171696
CVE References: CVE-2020-1945
Sources used:
SUSE Linux Enterprise Module for Development Tools 15-SP2 (src):    ant-1.10.7-4.3.1, ant-antlr-1.10.7-4.3.1, ant-junit-1.10.7-4.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Swamp Workflow Management 2020-07-20 22:13:08 UTC 
openSUSE-SU-2020:1022-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1171696
CVE References: CVE-2020-1945
Sources used:
openSUSE Leap 15.2 (src):    ant-1.10.7-lp152.2.3.1, ant-antlr-1.10.7-lp152.2.3.1, ant-junit-1.10.7-lp152.2.3.1, ant-junit5-1.10.7-lp152.2.3.1
Comment 9 Carlos López 2022-05-10 12:08:59 UTC 
Still tracked as affected:
 - SUSE:SLE-11-SP3:Update
 - SUSE:SLE-12:Update
 - SUSE:SLE-15:Update
Comment 16 Thomas Leroy 2022-09-13 08:27:03 UTC 
(In reply to Carlos López from comment #9)
> Still tracked as affected:
>  - SUSE:SLE-11-SP3:Update
>  - SUSE:SLE-12:Update
>  - SUSE:SLE-15:Update

Hi David, gentle reminder about this issue :)
SUSE:SLE-15:Update actually doesn't require a fix, it contains LTSS only channels, and CVSS is not LTSS worthy
Comment 17 David Anes 2022-09-13 09:04:21 UTC 
(In reply to Thomas Leroy from comment #16)
> (In reply to Carlos López from comment #9)
> > Still tracked as affected:
> >  - SUSE:SLE-11-SP3:Update
> >  - SUSE:SLE-12:Update
> >  - SUSE:SLE-15:Update
> 
> Hi David, gentle reminder about this issue :)
> SUSE:SLE-15:Update actually doesn't require a fix, it contains LTSS only
> channels, and CVSS is not LTSS worthy

Working on this and bsc#1177180 since yesterday as I just landed from vacation :)

Thanks for the reminder!
Comment 22 Carlos López 2022-09-30 09:30:05 UTC 
Won't fix for SUSE:SLE-11-SP3:Update. Please use the mitigation available:

> The best mitigation against CVE-2020-11979 and CVE-2020-1945 still is to
> make Ant use a directory that is only readable and writable by the
> current user.
> 
> Ant users of versions 1.10.8 and 1.9.15 can use the Ant property
> ant.tmpdir to point to such a directory, users of versions 1.1 to 1.9.14
> and 1.10.0 to 1.10.7 should set the java.io.tmpdir system property.
Comment 23 David Anes 2022-09-30 09:35:41 UTC 
Thanks! Then it's all done. Sending back to security.
Comment 24 Swamp Workflow Management 2022-11-16 20:24:00 UTC 
SUSE-SU-2022:4022-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1171696,1177180
CVE References: CVE-2020-11979,CVE-2020-1945
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    ant-1.9.4-3.12.1, ant-antlr-1.9.4-3.12.3
SUSE Linux Enterprise Server 12-SP5 (src):    ant-1.9.4-3.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.