[CVE-2020-11979] Apache Ant insecure temporary file vulnerability

[Stefan Bodewig <bo...@apache.org>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2020-11979: Apache Ant insecure temporary file vulnerability

Severity: Medium

Vendor:
The Apache Software Foundation

Versions Affected:
Apache Ant 1.10.8

Description:

As mitigation for CVE-2020-1945 Apache Ant 1.10.8 changed the
permissions of temporary files it created so that only the current user
was allowed to access them. Unfortunately the fixcrlf task deleted the
temporary file and created a new one without said protection,
effectively nullifying the effort.

This would still allow an attacker to inject modified source files into
the build process.

Mitigation:

The best mitigation against CVE-2020-11979 and CVE-2020-1945 still is to
make Ant use a directory that is only readable and writable by the
current user.

Ant users of versions 1.10.8 and 1.9.15 can use the Ant property
ant.tmpdir to point to such a directory, users of versions 1.1 to 1.9.14
and 1.10.0 to 1.10.7 should set the java.io.tmpdir system property.

Ant 1.10.9 will also try to create a temporary directory only accessible
by the current user if neither of the properties above is set but may
fail to create one if the underlying filesystem doesn't allow it.

Explicitly setting up a directory to use and set the respective property
is the only mitigation that will work on every platform.

Credit:
This issue was discovered by Mike Salvatore of the Ubuntu Security Team.

References:
https://ant.apache.org/security.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEARECAAYFAl90uwAACgkQohFa4V9ri3J8zgCfWqCH+MkMdxt7Ewuqr2Qbu69T
pAgAnRhd/0qTU3tZKpZZioF9twh/wWsZ
=3wkI
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ant.apache.org
For additional commands, e-mail: dev-help@ant.apache.org