[manjaro-security] [ASA-202012-5] ant: arbitrary code execution

[Remi Gacogne]

Arch Linux Security Advisory ASA-202012-5
=========================================

Severity: Medium
Date    : 2020-12-05
CVE-ID  : CVE-2020-11979
Package : ant
Type    : arbitrary code execution
Remote  : No
Link    : https://security.archlinux.org/AVG-1312

Summary
=======

The package ant before version 1.10.9-1 is vulnerable to arbitrary code
execution.

Resolution
==========

Upgrade to 1.10.9-1.

# pacman -Syu "ant>=1.10.9-1"

The problem has been fixed upstream in version 1.10.9.

Workaround
==========

The issue can be mitigated by making Ant use a directory that is only
readable and writable by the current user.

Description
===========

As mitigation for CVE-2020-1945 Apache Ant 1.10.8 changed the
permissions of temporary files it created so that only the current user
was allowed to access them. Unfortunately the fixcrlf task deleted the
temporary file and created a new one without said protection,
effectively nullifying the effort. This would still allow an attacker
to inject modified source files into the build process.

Impact
======

A local attacker might be able to execute arbitrary code by injecting
modified source files into the build process at the exact right moment.

References
==========

https://lists.apache.org/thread.html/rc3c8ef9724b5b1e171529b47f4b35cb7920edfb6e917fa21eb6c64ea%40%3Cdev.ant.apache.org%3E
https://security.archlinux.org/CVE-2020-11979
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0x46EC46F39F3E2EF1.asc
Type: application/pgp-keys
Size: 9534 bytes
Desc: not available
URL: <http://lists.manjaro.org/pipermail/manjaro-security/attachments/20201209/b68c8f7a/attachment.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 840 bytes
Desc: OpenPGP digital signature
URL: <http://lists.manjaro.org/pipermail/manjaro-security/attachments/20201209/b68c8f7a/attachment.sig>