Bug 1903702 (CVE-2020-11979) - CVE-2020-11979 ant: insecure temporary file
Summary: CVE-2020-11979 ant: insecure temporary file
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-11979
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1903704 1903705 1904306 1904307 1904308 1904329 1914101 1922554
Blocks: 1903703
TreeView+ depends on / blocked
 
Reported: 2020-12-02 16:30 UTC by Dhananjay Arunesh
Modified: 2021-05-31 06:14 UTC (History)
81 users (show)

See Also:
Fixed In Version: ant 1.10.9
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-02-18 19:02:01 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:0423 0 None None None 2021-02-17 19:04:36 UTC
Red Hat Product Errata RHSA-2021:0429 0 None None None 2021-03-03 04:17:42 UTC
Red Hat Product Errata RHSA-2021:0637 0 None None None 2021-03-03 12:27:47 UTC

Description Dhananjay Arunesh 2020-12-02 16:30:19 UTC 
As mitigation for CVE-2020-1945 Apache Ant 1.10.8 changed the permissions of temporary files it created so that only the current user was allowed to access them. Unfortunately the fixcrlf task deleted the temporary file and created a new one without said protection, effectively nullifying the effort. This would still allow an attacker to inject modified source files into the build process.

References:
https://lists.apache.org/thread.html/r107ea1b1a7a214bc72fe1a04207546ccef542146ae22952e1013b5cc@%3Cdev.creadur.apache.org%3E
https://lists.apache.org/thread.html/r1dc8518dc99c42ecca5ff82d0d2de64cd5d3a4fa691eb9ee0304781e@%3Cdev.creadur.apache.org%3E
https://lists.apache.org/thread.html/r2306b67f20c24942b872b0a41fbdc9330e8467388158bcd19c1094e0@%3Cdev.creadur.apache.org%3E
https://lists.apache.org/thread.html/r4ca33fad3fb39d130cda287d5a60727d9e706e6f2cf2339b95729490@%3Cdev.creadur.apache.org%3E
https://lists.apache.org/thread.html/r5e1cdd79f019162f76414708b2092acad0a6703d666d72d717319305@%3Cdev.creadur.apache.org%3E
https://lists.apache.org/thread.html/rc3c8ef9724b5b1e171529b47f4b35cb7920edfb6e917fa21eb6c64ea%40%3Cdev.ant.apache.org%3E
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AALW42FWNQ35F7KB3JVRC6NBVV7AAYYI/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DYBRN5C2RW7JRY75IB7Q7ZVKZCHWAQWS/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U3NRQQ7ECII4ZNGW7GBC225LVYMPQEKB/
https://security.gentoo.org/glsa/202011-18
Comment 1 Dhananjay Arunesh 2020-12-02 16:32:11 UTC 
Created ant tracking bugs for this issue:

Affects: fedora-all [bug 1903704]


Created ant:1.10/ant tracking bugs for this issue:

Affects: fedora-all [bug 1903705]
Comment 5 Mark Cooper 2020-12-04 07:16:32 UTC 
External References:

https://security.gentoo.org/glsa/202011-18
Comment 7 Mark Cooper 2020-12-04 07:30:36 UTC 
OpenShift packages a vulnerable version of ant in the following components:
    - OpenShift 3.11, jenkins, ant.jar-1.10.7
    - OpenShift 4.6,  jenkins, ant.jar-1.10.7
    - OpenShift 4.6,  hive-container, ant-1.9.1
Comment 19 errata-xmlrpc 2021-02-17 19:04:33 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.6

Via RHSA-2021:0423 https://access.redhat.com/errata/RHSA-2021:0423
Comment 20 Product Security DevOps Team 2021-02-18 19:02:01 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-11979
Comment 21 errata-xmlrpc 2021-03-03 04:17:37 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.5

Via RHSA-2021:0429 https://access.redhat.com/errata/RHSA-2021:0429
Comment 22 errata-xmlrpc 2021-03-03 12:27:38 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.11

Via RHSA-2021:0637 https://access.redhat.com/errata/RHSA-2021:0637
Comment 23 Przemyslaw Roguski 2021-03-29 13:09:10 UTC 
Statement:

ant as shipped in Red Hat Enterprise Linux 8 is not affected by this flaw because this flaw is caused by the patch for CVE-2020-1945, however, it was never applied to ant as shipped in Red Hat Enterprise Linux 8, because the decision was made by Engineering to WONTFIX that flaw.

In OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of ant package.
Since the release of OCP 4.6, the Metering product has been deprecated [1], hence the affected components are marked as wontfix.
This may be fixed in the future.

[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated
Note You need to log in before you can comment on or make changes to this bug.