File ant-CVE-2020-1945-2.patch of Package ant-antlr

Overview Repositories Revisions Requests Users Attributes Meta

File ant-CVE-2020-1945-2.patch of Package ant-antlr

From 926f339ea30362bec8e53bf5924ce803938163b7 Mon Sep 17 00:00:00 2001
From: Stefan Bodewig <bodewig@apache.org>
Date: Sun, 10 May 2020 15:07:05 +0200
Subject: [PATCH] recommend using ant.tmpdir

---
 manual/running.html | 7 +++++++
 1 file changed, 7 insertions(+)

Index: apache-ant-1.9.4/manual/running.html
===================================================================
--- apache-ant-1.9.4.orig/manual/running.html
+++ apache-ant-1.9.4/manual/running.html
@@ -545,6 +545,13 @@ on the platform and the JVM implementati
   use <code>java.io.tmpdir</code> unless they have been adapted to the
   changed API of Ant 1.9.15.</p>
 
+<p><b>Security Note:</b> Using the default temporary directory
+specified by <code>java.io.tmpdir</code> can result in the leakage of
+sensitive information or possibly allow an attacker to execute
+arbitrary code. This is especially true in multi-user environments. It
+is recommended that <code>ant.tmpdir</code> be set to a directory
+owned by the user running Ant with 0700 permissions.</p>
+
 <h2><a name="cygwin">Cygwin Users</a></h2>
 <p>The Unix launch script that come with Ant works correctly with Cygwin. You
 should not have any problems launching Ant from the Cygwin shell. It is

Places

File ant-CVE-2020-1945-2.patch of Package ant-antlr

Places