CVE-2020-11979

Name: CVE-2020-11979
Description: As mitigation for CVE-2020-1945 Apache Ant 1.10.8 changed the permissions of temporary files it created so that only the current user was allowed to access them. Unfortunately the fixcrlf task deleted the temporary file and created a new one without said protection, effectively nullifying the effort. This would still allow an attacker to inject modified source files into the build process.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: medium
Debian Bugs: 971612

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package | Release                    | Version         | Status
ant (PTS)      | stretch (security), stretch | 1.9.9-1+deb9u1 | fixed
               | buster                     | 1.10.5-2        | fixed
               | bullseye, sid              | 1.10.9-1        | fixed

The information below is based on the following data on fixed versions.

Package | Type   | Release    | Fixed Version  | Urgency | Origin | Debian Bugs
ant     | source | stretch    | (not affected) |         |        |
ant     | source | buster     | (not affected) |         |        |
ant     | source | (unstable) | 1.10.9-1       |         |        | 971612

Notes

[buster] - ant <not-affected> (Vulnerability not present as CVE-2020-1945 not addressed)
[stretch] - ant <not-affected> (Vulnerability not present as CVE-2020-1945 not addressed)
https://lists.apache.org/thread.html/rc3c8ef9724b5b1e171529b47f4b35cb7920edfb6e917fa21eb6c64ea%40%3Cdev.ant.apache.org%3E
The issue is present only in builds that already include the fix for CVE-2020-1945 (Ant 1.10.8); earlier versions never set the restrictive temporary-file permissions in the first place.
