Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 745768 (CVE-2020-11979) - <dev-java/ant-1.10.9: Insecure temporary file (CVE-2020-11979)
Summary: <dev-java/ant-1.10.9: Insecure temporary file (CVE-2020-11979)
Status: RESOLVED FIXED
Alias: CVE-2020-11979
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: https://mail-archives.apache.org/mod_...
Whiteboard: B1 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-09-30 17:19 UTC by Sam James
Modified: 2020-11-16 02:45 UTC (History)
2 users (show)

See Also:
Package list:
dev-java/ant-antlr-1.10.9 amd64 ppc64 x86 dev-java/ant-1.10.9 amd64 ppc64 x86 dev-java/ant-apache-bcel-1.10.9 amd64 ppc64 x86 dev-java/ant-apache-bsf-1.10.9 amd64 ppc64 x86 dev-java/ant-apache-log4j-1.10.9 amd64 ppc64 x86 dev-java/ant-apache-oro-1.10.9 amd64 ppc64 x86 dev-java/ant-apache-regexp-1.10.9 amd64 ppc64 x86 dev-java/ant-apache-resolver-1.10.9 amd64 ppc64 x86 dev-java/ant-apache-xalan2-1.10.9 amd64 ppc64 x86 dev-java/ant-commons-logging-1.10.9 amd64 ppc64 x86 dev-java/ant-commons-net-1.10.9 amd64 ppc64 x86 dev-java/ant-core-1.10.9 dev-java/ant-jai-1.10.9 amd64 ppc64 x86 dev-java/ant-javamail-1.10.9 amd64 ppc64 x86 dev-java/ant-jdepend-1.10.9 amd64 ppc64 x86 dev-java/ant-jmf-1.10.9 amd64 ppc64 x86 dev-java/ant-jsch-1.10.9 amd64 ppc64 x86 dev-java/ant-junit-1.10.9 dev-java/ant-junitlauncher-1.10.9 dev-java/ant-junit4-1.10.9 dev-java/ant-swing-1.10.9 amd64 ppc64 x86 dev-java/ant-testutil-1.10.9 amd64 ppc64 x86 dev-java/ant-xz-1.10.9
Runtime testing required: ---
nattka: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester gentoo-dev Security 2020-09-30 17:19:30 UTC
Description:
"As mitigation for CVE-2020-1945 Apache Ant 1.10.8 changed the
permissions of temporary files it created so that only the current user
was allowed to access them. Unfortunately the fixcrlf task deleted the
temporary file and created a new one without said protection,
effectively nullifying the effort."
Comment 1 Sam James archtester gentoo-dev Security 2020-09-30 17:45:26 UTC
Please bump to 1.10.9.
Comment 2 Miroslav Šulc gentoo-dev 2020-09-30 17:48:00 UTC
(In reply to Sam James from comment #1)
> Please bump to 1.10.9.

will bump it, probably this saturday, not sure if i get to it sooner but will try...
Comment 3 Sam James archtester gentoo-dev Security 2020-09-30 19:19:32 UTC
(In reply to Miroslav Šulc from comment #2)
> (In reply to Sam James from comment #1)
> > Please bump to 1.10.9.
> 
> will bump it, probably this saturday, not sure if i get to it sooner but
> will try...

No problem :)
Comment 4 Larry the Git Cow gentoo-dev 2020-10-01 18:16:14 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8f81cda7fd2ef2867d07826499d246fe4d97937c

commit 8f81cda7fd2ef2867d07826499d246fe4d97937c
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2020-10-01 18:14:49 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2020-10-01 18:16:06 +0000

    dev-java/ant: bump to 1.10.9
    
    Bug: https://bugs.gentoo.org/745768
    Package-Manager: Portage-3.0.8, Repoman-3.0.1
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/ant/ant-1.10.9.ebuild | 47 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)
Comment 5 Miroslav Šulc gentoo-dev 2020-10-01 18:17:46 UTC
probably should be safe to stabilize, leaving that for you to decide whether to stabilize it immediately or give it a day or two.
Comment 6 NATTkA bot gentoo-dev 2020-10-01 18:20:48 UTC
Unable to check for sanity:

> no match for package: ant-antlr/ant-antlr-1.10.9
Comment 7 NATTkA bot gentoo-dev 2020-10-01 18:25:45 UTC
All sanity-check issues have been resolved
Comment 8 Sam James archtester gentoo-dev Security 2020-10-13 16:35:18 UTC
(In reply to Miroslav Šulc from comment #5)
> probably should be safe to stabilize, leaving that for you to decide whether
> to stabilize it immediately or give it a day or two.

I think we should be OK now, thank you as ever btw :)
Comment 9 Sam James archtester gentoo-dev Security 2020-10-14 18:28:52 UTC
arm64 done
Comment 10 Agostino Sarubbo gentoo-dev 2020-10-14 19:08:55 UTC
amd64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2020-10-14 19:19:45 UTC
ppc64 stable
Comment 12 Agostino Sarubbo gentoo-dev 2020-10-14 19:23:03 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 13 Larry the Git Cow gentoo-dev 2020-10-15 07:42:00 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=07845bfd65bcb03eb7e59299915acacf24bfc400

commit 07845bfd65bcb03eb7e59299915acacf24bfc400
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2020-10-15 07:41:38 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2020-10-15 07:41:38 +0000

    dev-java/ant: removed vulnerable 1.10.8
    
    Bug: https://bugs.gentoo.org/745768
    Package-Manager: Portage-3.0.8, Repoman-3.0.1
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/ant/ant-1.10.8.ebuild | 47 ------------------------------------------
 1 file changed, 47 deletions(-)
Comment 14 Miroslav Šulc gentoo-dev 2020-10-15 07:42:41 UTC
the tree is clean now, you can proceed :-)
Comment 15 Sam James archtester gentoo-dev Security 2020-10-15 12:30:44 UTC
(In reply to Miroslav Šulc from comment #14)
> the tree is clean now, you can proceed :-)

Thank you!
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2020-11-16 02:45:38 UTC
This issue was resolved and addressed in
 GLSA 202011-18 at https://security.gentoo.org/glsa/202011-18
by GLSA coordinator Aaron Bauman (b-man).