Bug 1903702 (CVE-2020-11979)

Summary: CVE-2020-11979 ant: insecure temporary file
Product: [Other] Security Response Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abenaiss, aboyko, aileenc, akoufoud, alazarot, almorale, anstephe, aos-bugs, asoldano, atangrin, bbaranow, bmaxwell, bmontgom, brian.stansberry, btofel, cdewolf, chazlett, darran.lofthouse, dkreling, dosoudil, drieden, eleandro, eparis, etirelli, ganandan, gvarsami, ibek, iweiss, jaromir.capik, java-maint, java-maint-sig, java-sig-commits, jawilson, jburrell, jcoleman, jochrist, jokerman, jolee, jperkins, jschatte, jstastny, jwon, kconner, krathod, kverlaen, kwills, ldimaggi, lgao, loleary, mizdebsk, mnovotny, msochure, msrb, msvehla, nstielau, nwallace, pbhattac, pcheung, pdrozd, pjindal, pmackay, rguimara, rrajasek, rstancel, rsvoboda, rsynek, rwagner, sdaley, sd-operator-metering, security-response-team, smaestri, spinder, sponnaga, sthorger, swoodman, tcunning, theute, tkirby, tom.jenkinson, vbobade, vhalbert
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
See Also: https://issues.redhat.com/browse/RHDM-1524
https://issues.redhat.com/browse/RHPAM-3343
https://issues.redhat.com/browse/JBDS-4900
Whiteboard:
Fixed In Version: ant 1.10.9 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-02-18 19:02:01 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1903704, 1903705, 1904306, 1904307, 1904308, 1904329, 1914101, 1922554    
Bug Blocks: 1903703    

Description Dhananjay Arunesh 2020-12-02 16:30:19 UTC 
As mitigation for CVE-2020-1945 Apache Ant 1.10.8 changed the permissions of temporary files it created so that only the current user was allowed to access them. Unfortunately the fixcrlf task deleted the temporary file and created a new one without said protection, effectively nullifying the effort. This would still allow an attacker to inject modified source files into the build process.

References:
https://lists.apache.org/thread.html/r107ea1b1a7a214bc72fe1a04207546ccef542146ae22952e1013b5cc@%3Cdev.creadur.apache.org%3E
https://lists.apache.org/thread.html/r1dc8518dc99c42ecca5ff82d0d2de64cd5d3a4fa691eb9ee0304781e@%3Cdev.creadur.apache.org%3E
https://lists.apache.org/thread.html/r2306b67f20c24942b872b0a41fbdc9330e8467388158bcd19c1094e0@%3Cdev.creadur.apache.org%3E
https://lists.apache.org/thread.html/r4ca33fad3fb39d130cda287d5a60727d9e706e6f2cf2339b95729490@%3Cdev.creadur.apache.org%3E
https://lists.apache.org/thread.html/r5e1cdd79f019162f76414708b2092acad0a6703d666d72d717319305@%3Cdev.creadur.apache.org%3E
https://lists.apache.org/thread.html/rc3c8ef9724b5b1e171529b47f4b35cb7920edfb6e917fa21eb6c64ea%40%3Cdev.ant.apache.org%3E
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AALW42FWNQ35F7KB3JVRC6NBVV7AAYYI/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DYBRN5C2RW7JRY75IB7Q7ZVKZCHWAQWS/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U3NRQQ7ECII4ZNGW7GBC225LVYMPQEKB/
https://security.gentoo.org/glsa/202011-18
Comment 1 Dhananjay Arunesh 2020-12-02 16:32:11 UTC 
Created ant tracking bugs for this issue:

Affects: fedora-all [bug 1903704]


Created ant:1.10/ant tracking bugs for this issue:

Affects: fedora-all [bug 1903705]
Comment 5 Mark Cooper 2020-12-04 07:16:32 UTC 
External References:

https://security.gentoo.org/glsa/202011-18
Comment 7 Mark Cooper 2020-12-04 07:30:36 UTC 
OpenShift packages a vulnerable version of ant in the following components:
    - OpenShift 3.11, jenkins, ant.jar-1.10.7
    - OpenShift 4.6,  jenkins, ant.jar-1.10.7
    - OpenShift 4.6,  hive-container, ant-1.9.1
Comment 19 errata-xmlrpc 2021-02-17 19:04:33 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.6

Via RHSA-2021:0423 https://access.redhat.com/errata/RHSA-2021:0423
Comment 20 Product Security DevOps Team 2021-02-18 19:02:01 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-11979
Comment 21 errata-xmlrpc 2021-03-03 04:17:37 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.5

Via RHSA-2021:0429 https://access.redhat.com/errata/RHSA-2021:0429
Comment 22 errata-xmlrpc 2021-03-03 12:27:38 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.11

Via RHSA-2021:0637 https://access.redhat.com/errata/RHSA-2021:0637
Comment 23 Przemyslaw Roguski 2021-03-29 13:09:10 UTC 
Statement:

ant as shipped in Red Hat Enterprise Linux 8 is not affected by this flaw because this flaw is caused by the patch for CVE-2020-1945, however, it was never applied to ant as shipped in Red Hat Enterprise Linux 8, because the decision was made by Engineering to WONTFIX that flaw.

In OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of ant package.
Since the release of OCP 4.6, the Metering product has been deprecated [1], hence the affected components are marked as wontfix.
This may be fixed in the future.

[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated