DescriptionAs mitigation for CVE-2020-1945 Apache Ant 1.10.8 changed the permissions of temporary files it created so that only the current user was allowed to access them. Unfortunately the fixcrlf task deleted the temporary file and created a new one without said protection, effectively nullifying the effort. This would still allow an attacker to inject modified source files into the build process.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs971612

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
ant (PTS)buster1.10.5-2fixed
sid, trixie1.10.14-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
antsourcestretch(not affected)
antsourcebuster(not affected)


[buster] - ant <not-affected> (Vulnerability not present as CVE-2020-1945 not addressed)
[stretch] - ant <not-affected> (Vulnerability not present as CVE-2020-1945 not addressed)
Issue is pesent depending on if CVE-2020-1945 was fixed.

Search for package or bug name: Reporting problems