Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 30 Sep 2020 19:09:30 +0200
From: Stefan Bodewig <>
Subject: [CVE-2020-11979] Apache Ant insecure temporary file vulnerability

Hash: SHA1

CVE-2020-11979: Apache Ant insecure temporary file vulnerability

Severity: Medium

The Apache Software Foundation

Versions Affected:
Apache Ant 1.10.8


As mitigation for CVE-2020-1945 Apache Ant 1.10.8 changed the
permissions of temporary files it created so that only the current user
was allowed to access them. Unfortunately the fixcrlf task deleted the
temporary file and created a new one without said protection,
effectively nullifying the effort.

This would still allow an attacker to inject modified source files into
the build process.


The best mitigation against CVE-2020-11979 and CVE-2020-1945 still is to
make Ant use a directory that is only readable and writable by the
current user.

Ant users of versions 1.10.8 and 1.9.15 can use the Ant property
ant.tmpdir to point to such a directory, users of versions 1.1 to 1.9.14
and 1.10.0 to 1.10.7 should set the system property.

Ant 1.10.9 will also try to create a temporary directory only accessible
by the current user if neither of the properties above is set but may
fail to create one if the underlying filesystem doesn't allow it.

Explicitly setting up a directory to use and set the respective property
is the only mitigation that will work on every platform.

This issue was discovered by Mike Salvatore of the Ubuntu Security Team.

Version: GnuPG v1


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.