Arch Linux Security Advisory ASA-202012-5

Severity: Medium
Date : 2020-12-05
CVE-ID : CVE-2020-11979
Package : ant
Type : arbitrary code execution
Remote : No
Link : https://security.archlinux.org/AVG-1312

Summary

The package ant before version 1.10.9-1 is vulnerable to arbitrary code
execution.

Resolution

Upgrade to 1.10.9-1.

pacman -Syu “ant>=1.10.9-1”

The problem has been fixed upstream in version 1.10.9.

Workaround

The issue can be mitigated by making Ant use a directory that is only
readable and writable by the current user.

Description

As mitigation for CVE-2020-1945 Apache Ant 1.10.8 changed the
permissions of temporary files it created so that only the current user
was allowed to access them. Unfortunately the fixcrlf task deleted the
temporary file and created a new one without said protection,
effectively nullifying the effort. This would still allow an attacker
to inject modified source files into the build process.

Impact

A local attacker might be able to execute arbitrary code by injecting
modified source files into the build process at the exact right moment.

References

https://lists.apache.org/thread.html/rc3c8ef9724b5b1e171529b47f4b35cb7920edfb6e917fa21eb6c64ea%40<dev.ant.apache.org>
https://security.archlinux.org/CVE-2020-11979