Bugzilla – Bug 1177180
VUL-0: CVE-2020-11979: ant: insecure temporary file vulnerability
Last modified: 2024-05-14 10:34:26 UTC
via oss-security: CVE-2020-11979: Apache Ant insecure temporary file vulnerability Severity: Medium Vendor: The Apache Software Foundation Versions Affected: Apache Ant 1.10.8 Description: As mitigation for CVE-2020-1945 Apache Ant 1.10.8 changed the permissions of temporary files it created so that only the current user was allowed to access them. Unfortunately the fixcrlf task deleted the temporary file and created a new one without said protection, effectively nullifying the effort. This would still allow an attacker to inject modified source files into the build process. Mitigation: The best mitigation against CVE-2020-11979 and CVE-2020-1945 still is to make Ant use a directory that is only readable and writable by the current user. Ant users of versions 1.10.8 and 1.9.15 can use the Ant property ant.tmpdir to point to such a directory, users of versions 1.1 to 1.9.14 and 1.10.0 to 1.10.7 should set the java.io.tmpdir system property. Ant 1.10.9 will also try to create a temporary directory only accessible by the current user if neither of the properties above is set but may fail to create one if the underlying filesystem doesn't allow it. Explicitly setting up a directory to use and set the respective property is the only mitigation that will work on every platform. Credit: This issue was discovered by Mike Salvatore of the Ubuntu Security Team. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-11979 http://seclists.org/oss-sec/2020/q3/209 http://www.openwall.com/lists/oss-security/2020/09/30/6 https://ant.apache.org/security.html
Upstream commits from https://ant.apache.org/security.html: * https://gitbox.apache.org/repos/asf?p=ant.git;a=commit;h=87ac51d3c22bcf7cfd0dc07cb0bd04a496e0d428 * https://gitbox.apache.org/repos/asf?p=ant.git;a=commit;h=f7159e8a084a3fcb76b933d393df1fc855d74d78
Factory submission: https://build.opensuse.org/request/show/838992
Still tracked as affected: - SUSE:SLE-11-SP3:Update - SUSE:SLE-12:Update - SUSE:SLE-15:Update - SUSE:SLE-15-SP2:Update
Won't fix for SUSE:SLE-11-SP3:Update. Please use the mitigation available: > The best mitigation against CVE-2020-11979 and CVE-2020-1945 still is to > make Ant use a directory that is only readable and writable by the > current user. > > Ant users of versions 1.10.8 and 1.9.15 can use the Ant property > ant.tmpdir to point to such a directory, users of versions 1.1 to 1.9.14 > and 1.10.0 to 1.10.7 should set the java.io.tmpdir system property.
Thanks! Then it's all done. Sending back to security.
SUSE-SU-2022:4022-1: An update that fixes two vulnerabilities is now available. Category: security (moderate) Bug References: 1171696,1177180 CVE References: CVE-2020-11979,CVE-2020-1945 JIRA References: Sources used: SUSE Linux Enterprise Software Development Kit 12-SP5 (src): ant-1.9.4-3.12.1, ant-antlr-1.9.4-3.12.3 SUSE Linux Enterprise Server 12-SP5 (src): ant-1.9.4-3.12.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.