File ant-CVE-2020-1945-5.patch of Package ant-junit.23494

Overview Repositories Revisions Requests Users Attributes Meta

File ant-CVE-2020-1945-5.patch of Package ant-junit.23494

From 926f339ea30362bec8e53bf5924ce803938163b7 Mon Sep 17 00:00:00 2001
From: Stefan Bodewig <bodewig@apache.org>
Date: Sun, 10 May 2020 15:07:05 +0200
Subject: [PATCH] recommend using ant.tmpdir

---
 manual/running.html | 7 +++++++
 1 file changed, 7 insertions(+)

Index: apache-ant-1.10.7/manual/running.html
===================================================================
--- apache-ant-1.10.7.orig/manual/running.html
+++ apache-ant-1.10.7/manual/running.html
@@ -524,6 +524,16 @@ on the platform and the JVM implementati
   changed API of Ant 1.10.8.</p>
 
 
+<p><b>Security Note:</b> Using the default temporary directory
+specified by <code>java.io.tmpdir</code> can result in the leakage of
+sensitive information or possibly allow an attacker to execute
+arbitrary code. This is especially true in multi-user environments. It
+is recommended that <code>ant.tmpdir</code> be set to a directory
+owned by the user running Ant with 0700 permissions. Ant 1.10.8 and
+later will try to make temporary files created by it only
+readable/writable by the current user but may silently fail to do so
+depending on the OS and filesystem.</p>
+
 <h2 id="cygwin">Cygwin Users</h2>
 <p>
 Unix launch script that come with Ant works correctly with Cygwin. You

Places

File ant-CVE-2020-1945-5.patch of Package ant-junit.23494

Places