#14082: apache-ant-1.10.9
-------------------------+------------------------
 Reporter:  bdubbs       |       Owner:  blfs-book
     Type:  enhancement  |      Status:  new
 Priority:  high         |   Milestone:  10.1
Component:  BOOK         |     Version:  SVN
 Severity:  normal       |  Resolution:
 Keywords:               |
-------------------------+------------------------
Changes (by renodr):

 * priority:  normal => high


Comment:

 {{{

 CVE-2020-11979: Apache Ant insecure temporary file vulnerability

 Severity: Medium

 Vendor:
 The Apache Software Foundation

 Versions Affected:
 Apache Ant 1.10.8

 Description:

 As mitigation for CVE-2020-1945, Apache Ant 1.10.8 changed the
 permissions of temporary files it created so that only the current user
 was allowed to access them. Unfortunately, the fixcrlf task deleted the
 temporary file and created a new one without said protection,
 effectively nullifying the effort.

 This would still allow an attacker to inject modified source files into
 the build process.

 Mitigation:

 The best mitigation against CVE-2020-11979 and CVE-2020-1945 still is to
 make Ant use a directory that is only readable and writable by the
 current user.

 Ant users of versions 1.10.8 and 1.9.15 can use the Ant property
 ant.tmpdir to point to such a directory; users of versions 1.1 to 1.9.14
 and 1.10.0 to 1.10.7 should set the java.io.tmpdir system property.

 Ant 1.10.9 will also try to create a temporary directory only accessible
 by the current user if neither of the properties above is set but may
 fail to create one if the underlying filesystem doesn't allow it.

 Explicitly setting up a directory to use and setting the respective
 property is the only mitigation that will work on every platform.

 Credit:
 This issue was discovered by Mike Salvatore of the Ubuntu Security Team.

 References:
 https://ant.apache.org/security.html
 }}}

--
Ticket URL: <http://wiki.linuxfromscratch.org/blfs/ticket/14082#comment:1>
BLFS Trac <http://wiki.linuxfromscratch.org/blfs>
Beyond Linux From Scratch
-- 
http://lists.linuxfromscratch.org/listinfo/blfs-book
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
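The directory setup the quoted advisory recommends, as an added shell example that is not part of this ticket, the BLFS book or the Ant project: it creates an owner-only temp directory, verifies that the 0700 mode actually took effect (the advisory's caveat about filesystems that ignore it), and chooses ant.tmpdir or java.io.tmpdir according to the Ant version. The version string, the directory path and the function names are constructed assumptions.

```shell
#!/bin/sh
# Added example, not code from the Ant advisory or the BLFS book.

# Create a private temp directory. `mkdir -m 0700` requests owner-only
# access, but the advisory notes some filesystems ignore this, so the
# result is verified rather than trusted.
make_private_tmpdir() {
    dir="$1"
    mkdir -p -m 0700 "$dir" || return 1
    chmod 0700 "$dir" 2>/dev/null   # in case the directory already existed
    check_private_dir "$dir"
}

# Succeed only if the directory is owned by the caller and has exactly
# mode 0700 (no group/other bits), i.e. the protection is really in place.
# Uses GNU/busybox `stat -c`; assumed to run on Linux.
check_private_dir() {
    dir="$1"
    [ -d "$dir" ] || return 1
    [ -O "$dir" ] || return 1               # owned by the current user
    mode=$(stat -c '%a' "$dir") || return 1
    [ "$mode" = "700" ]
}

# Print the -D flag for the given Ant version (1.x assumed): 1.10.8+ and
# 1.9.15+ honour ant.tmpdir; every earlier release needs java.io.tmpdir.
ant_tmpdir_flag() {
    version="$1"; dir="$2"
    minor=$(printf '%s' "$version" | cut -d. -f2)
    patch=$(printf '%s' "$version" | cut -d. -f3)
    patch=${patch:-0}
    if { [ "$minor" -eq 10 ] && [ "$patch" -ge 8 ]; } ||
       { [ "$minor" -eq 9 ] && [ "$patch" -ge 15 ]; }; then
        printf '%s\n' "-Dant.tmpdir=$dir"
    else
        printf '%s\n' "-Djava.io.tmpdir=$dir"
    fi
}

# Usage: in a real build the version comes from `ant -version`; the value
# below is a constructed assumption so this runs without Ant installed.
ANT_PRIVATE_TMP="${TMPDIR:-/tmp}/ant-private-$(id -u)"
if make_private_tmpdir "$ANT_PRIVATE_TMP"; then
    export ANT_OPTS="$(ant_tmpdir_flag 1.10.9 "$ANT_PRIVATE_TMP") $ANT_OPTS"
    echo "ANT_OPTS=$ANT_OPTS"
else
    echo "refusing to build: $ANT_PRIVATE_TMP is not owner-only" >&2
fi
```

Run it before invoking ant so ANT_OPTS carries the flag; a build that skips the check on a filesystem without POSIX permissions falls back to the shared temp directory the advisory warns about.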