| Name | CVE-2020-11979 |
| Description | As mitigation for CVE-2020-1945 Apache Ant 1.10.8 changed the permissions of temporary files it created so that only the current user was allowed to access them. Unfortunately the fixcrlf task deleted the temporary file and created a new one without said protection, effectively nullifying the effort. This would still allow an attacker to inject modified source files into the build process. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| Debian Bugs | 971612 |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| ant (PTS) | bullseye | 1.10.9-4 | fixed |
| bookworm | 1.10.13-1 | fixed |
| sid, trixie | 1.10.15-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|
| ant | source | stretch | (not affected) | | | |
| ant | source | buster | (not affected) | | | |
| ant | source | (unstable) | 1.10.9-1 | | | 971612 |
Notes
[buster] - ant <not-affected> (Vulnerability not present as CVE-2020-1945 not addressed)
[stretch] - ant <not-affected> (Vulnerability not present as CVE-2020-1945 not addressed)
https://lists.apache.org/thread.html/rc3c8ef9724b5b1e171529b47f4b35cb7920edfb6e917fa21eb6c64ea%40%3Cdev.ant.apache.org%3E
Issue is pesent depending on if CVE-2020-1945 was fixed.