hive-issues mailing list archives

From "Naveen Gangam (Jira)" <j...@apache.org>
Subject [jira] [Commented] (HIVE-23583) Fix CVE-2020-1945: Apache Ant insecure temporary file vulnerability by updating to latest ANT
Date Tue, 04 Aug 2020 14:02:00 GMT

    [ https://issues.apache.org/jira/browse/HIVE-23583?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17170813#comment-17170813 ]

Naveen Gangam commented on HIVE-23583:
--------------------------------------

[~prasad-acit] Have you looked into the usage of a private protected tmp directory for ant
builds as recommended? With Ant 1.10.8, we rely on Ant's ability to secure the tmp directory
(if the OS allows it)? All modern OSes have file permissions. Does that mean it is automatically
secure, or is there a scenario where the OS will not allow setting permissions on "java.io.tmpdir"?

> Fix CVE-2020-1945: Apache Ant insecure temporary file vulnerability by updating to latest ANT
> ---------------------------------------------------------------------------------------------
>
>                 Key: HIVE-23583
>                 URL: https://issues.apache.org/jira/browse/HIVE-23583
>             Project: Hive
>          Issue Type: Bug
>    Affects Versions: 3.1.2
>            Reporter: Renukaprasad C
>            Assignee: Renukaprasad C
>            Priority: Major
>             Fix For: 4.0.0
>
>         Attachments: HIVE-23583.01.patch
>
>
> Update ANT to fix:
> CVE-2020-1945: Apache Ant insecure temporary file vulnerability
> Severity: Medium
> Vendor:
> The Apache Software Foundation
> Versions Affected:
> Apache Ant 1.1 to 1.9.14 and 1.10.0 to 1.10.7
> Description:
> Apache Ant uses the default temporary directory identified by the Java
> system property java.io.tmpdir for several tasks and may thus leak
> sensitive information. The fixcrlf and replaceregexp tasks also copy
> files from the temporary directory back into the build tree allowing an
> attacker to inject modified source files into the build process.
> Mitigation:
> Ant users of versions 1.1 to 1.9.14 and 1.10.0 to 1.10.7 should set the
> java.io.tmpdir system property to point to a directory only readable and
> writable by the current user prior to running Ant.
> Users of versions 1.9.15 and 1.10.8 can use the Ant property ant.tmpfile
> instead. Users of Ant 1.10.8 can rely on Ant protecting the temporary
> files if the underlying filesystem allows it, but we still recommend
> using a private temporary directory instead.
> References:
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-1945
> https://nvd.nist.gov/vuln/detail/CVE-2020-1945



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
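The advisory's mitigation (a java.io.tmpdir only the current user can read and write) and the question above about whether OS permissions make it secure, as an added shell example that is not from the Hive issue or the Ant project: it creates such a directory, checks owner, mode bits, symlink and ACL status before the build, and shows how to hand it to Ant through ANT_OPTS (assumed to be honoured by the standard ant launcher script).

```shell
#!/bin/sh
# Added example (not from the Hive issue or the Ant project): create the private
# java.io.tmpdir the advisory recommends and verify it really is private before the
# build starts. Assumes POSIX sh with ls, mktemp, id, awk and cut available.

# Succeed only if DIR is a real directory owned by the current user with no
# group/other permission bits and no ACL widening access ("+" after the mode in ls).
check_private_tmpdir() {
    dir=$1
    # A symlink could redirect Ant's temp files to a location someone else controls.
    if [ -L "$dir" ]; then echo "refusing symlink: $dir" >&2; return 1; fi
    if [ ! -d "$dir" ]; then echo "not a directory: $dir" >&2; return 1; fi
    # ls -ldn is POSIX: "drwx------  2 1000 1000 ..." (fixed-width mode, numeric uid)
    line=$(ls -ldn "$dir")
    bits=$(printf '%s\n' "$line" | cut -c1-10)
    acl=$(printf '%s\n' "$line" | cut -c11)
    owner=$(printf '%s\n' "$line" | awk '{print $3}')
    if [ "$owner" != "$(id -u)" ]; then
        echo "$dir is owned by uid $owner, not $(id -u)" >&2; return 1
    fi
    case "$bits" in
        drwx------|dr-x------) ;;   # only the owner can read, write or traverse it
        *) echo "$dir is accessible to group/other ($bits)" >&2; return 1 ;;
    esac
    if [ "$acl" = "+" ]; then
        echo "$dir carries an ACL; mode bits alone do not prove it is private" >&2
        return 1
    fi
    return 0
}

# Create a fresh mode-0700 directory under BASE (default: $TMPDIR or /tmp) and print it.
make_private_tmpdir() {
    base=${1:-${TMPDIR:-/tmp}}
    d=$(mktemp -d "$base/ant-private.XXXXXX") || return 1
    chmod 700 "$d" || return 1   # mktemp already uses 0700; make the intent explicit
    printf '%s\n' "$d"
}

# Demonstration: a shared world-writable /tmp is rejected (the situation the advisory
# describes), while a freshly created private directory passes and is handed to every
# affected Ant version through the JVM property (ANT_OPTS is read by the ant launcher).
check_private_tmpdir /tmp || echo "/tmp rejected, as expected"
ANT_TMP=$(make_private_tmpdir) && check_private_tmpdir "$ANT_TMP" && {
    echo "ANT_OPTS=\"-Djava.io.tmpdir=$ANT_TMP\" ant build"
    rmdir "$ANT_TMP"   # a real build keeps the directory until ant has finished
}
```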
