https://bz.apache.org/bugzilla/show_bug.cgi?id=65212
--- Comment #11 from Stefan Bodewig <[email protected]> --- The reason is that Ant needs to ensure full control over the permissions for the temporary directory in order to deal with CVE-2020-11979 The release notes of 1.10.9 hint at it * If the magic property ant.tmpdir hasn't been set and Ant can control the permissions of directories it creates it will create an owner-owned temporary directory unaccessible to others as default tempdir as soon as a temporary file is created for the first time, Ant knows it has set up such a directory by storing the information inside of a project property, the only "global variable" Ant knows. So if you were creating only a single instance of an Ant project, only a single temporary directory would have been created. I believe to understand what you are doing but don't see any way to avoid what you see without opening up for supply chain attacks. The way you properly deal with it is by explicitly providing Ant with a secure temporary directory via ant.tmpdir. This is the way you tell Ant you are taking care of securing tempfile creation yourself. Please note that fixcrlf has been the real trigger of the CVE. fixcrlf works by creating a temporary file for each file it processes, streaming data from the original file to the temporary file (normalizing CRLF on the way) and then moving the temporary file over the original file. An attacker can replace the temporary file before it is moved and so inject arbitrary files into your process. -- You are receiving this mail because: You are the assignee for the bug.
