CVE-2020-11979

Name: CVE-2020-11979
Description: As mitigation for CVE-2020-1945, Apache Ant 1.10.8 changed the permissions of temporary files it created so that only the current user was allowed to access them. Unfortunately, the fixcrlf task deleted the temporary file and created a new one without said protection, effectively nullifying the effort. This would still allow an attacker to inject modified source files into the build process.
Source: CVE (at NVD)
Debian Bugs: 971612

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package | Release                                    | Version         | Status
ant (PTS)      | jessie, jessie (lts)                       | 1.9.4-3+deb8u2  | fixed
               | stretch (security), stretch (lts), stretch | 1.9.9-1+deb9u1  | fixed
               | buster                                     | 1.10.5-2        | fixed
               | bullseye                                   | 1.10.9-4        | fixed
               | bookworm                                   | 1.10.13-1       | fixed
               | sid, trixie                                | 1.10.15-1       | fixed

The information below is based on the following data on fixed versions.

Package | Type   | Release    | Fixed Version  | Urgency | Origin | Debian Bugs
ant     | source | jessie     | (not affected) |         |        |
ant     | source | stretch    | (not affected) |         |        |
ant     | source | buster     | (not affected) |         |        |
ant     | source | (unstable) | 1.10.9-1       |         |        | 971612

Notes

[buster] - ant <not-affected> (Vulnerability not present as CVE-2020-1945 not addressed)
[stretch] - ant <not-affected> (Vulnerability not present as CVE-2020-1945 not addressed)
https://lists.apache.org/thread.html/rc3c8ef9724b5b1e171529b47f4b35cb7920edfb6e917fa21eb6c64ea%40%3Cdev.ant.apache.org%3E
The issue is only present in packages that already carry the fix for CVE-2020-1945.
[jessie] - ant <not-affected> (Vulnerability not present as CVE-2020-1945 not addressed)
