ASA-202012-5: ant: arbitrary code execution

Arch Linux 754 Published by

An ant security update has been released for Arch Linux.



Arch Linux Security Advisory ASA-202012-5
=========================================

Severity: Medium
Date : 2020-12-05
CVE-ID : CVE-2020-11979
Package : ant
Type : arbitrary code execution
Remote : No
Link : https://security.archlinux.org/AVG-1312

Summary
=======

The package ant before version 1.10.9-1 is vulnerable to arbitrary code
execution.

Resolution
==========

Upgrade to 1.10.9-1.

# pacman -Syu "ant>=1.10.9-1"

The problem has been fixed upstream in version 1.10.9.

Workaround
==========

The issue can be mitigated by making Ant use a directory that is only
readable and writable by the current user.

Description
===========

As mitigation for CVE-2020-1945 Apache Ant 1.10.8 changed the
permissions of temporary files it created so that only the current user
was allowed to access them. Unfortunately the fixcrlf task deleted the
temporary file and created a new one without said protection,
effectively nullifying the effort. This would still allow an attacker
to inject modified source files into the build process.

Impact
======

A local attacker might be able to execute arbitrary code by injecting
modified source files into the build process at the exact right moment.

References
==========

https://lists.apache.org/thread.html/rc3c8ef9724b5b1e171529b47f4b35cb7920edfb6e917fa21eb6c64ea%40%3Cdev.ant.apache.org%3E
https://security.archlinux.org/CVE-2020-11979

CESA-2020:5235 Important CentOS 7 thunderbird Security Update

openSUSE-SU-2020:2220-1: moderate: Security update for pngcheck

Windows

Linux

macOS

Community

  • dhamu
    Hello Phil, I have a Linux Tutorial website that curre ...
  • StephanX
    Hi friends, i am new in the Linux universe but i try to ...
  • Philipp
    I would try the XanMod kernel: https://xanmod.orgĀ  I ...