diff --git a/Document-why-we-are-actually-removing-the-file-before-writing.patch b/Document-why-we-are-actually-removing-the-file-before-writing.patch
new file mode 100644
index 0000000..9fe5d5f
--- /dev/null
+++ b/Document-why-we-are-actually-removing-the-file-before-writing.patch
@@ -0,0 +1,23 @@
+From f7159e8a084a3fcb76b933d393df1fc855d74d78 Mon Sep 17 00:00:00 2001
+From: Stefan Bodewig
+Date: Tue, 28 Jul 2020 21:51:01 +0200
+Subject: [PATCH] document why we are actually removing the file before writing
+
+---
+ .../org/apache/tools/ant/types/resources/FileResource.java | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/main/org/apache/tools/ant/types/resources/FileResource.java b/src/main/org/apache/tools/ant/types/resources/FileResource.java
+index d8d604c0f8..17ed7cc463 100644
+--- a/src/main/org/apache/tools/ant/types/resources/FileResource.java
++++ b/src/main/org/apache/tools/ant/types/resources/FileResource.java
+@@ -255,7 +255,8 @@ public OutputStream getAppendOutputStream() throws IOException {
+ private OutputStream getOutputStream(boolean append) throws IOException {
+ File f = getNotNullFile();
+ if (f.exists()) {
+- if (f.isFile() && !append) {
++ if (Files.isSymbolicLink(f.toPath()) && f.isFile() && !append) {
++ // https://bz.apache.org/bugzilla/show_bug.cgi?id=624
+ f.delete();
+ }
+ } else {
diff --git a/Fallback-to-a-separate-owner-only-tempdir-if-possible.patch b/Fallback-to-a-separate-owner-only-tempdir-if-possible.patch
new file mode 100644
index 0000000..0c2ed70
--- /dev/null
+++ b/Fallback-to-a-separate-owner-only-tempdir-if-possible.patch
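Review bot: The rewritten guard in getOutputStream, `if (Files.isSymbolicLink(f.toPath()) && f.isFile() && !append)`, changes behaviour although the subject line only says "document": an existing regular file is no longer deleted before the write, only a symbolic link is, and the sole explanation is a bare Bugzilla URL. I would spell the reason out next to the link, e.g. `// unlink only symlinks so the write cannot go through them; a regular file is kept so its existing permissions are preserved`, if that is indeed the intent behind the CVE-2020-11979 fix this patch is packaged for. The check and the later open are separate path lookups, so the file type can change in between in a directory other users can write to, and the result of `f.delete()` is ignored; the rest of getOutputStream lies outside the hunk, so whether the open tolerates either case cannot be seen here.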
@@ -0,0 +1,170 @@
+From 87ac51d3c22bcf7cfd0dc07cb0bd04a496e0d428 Mon Sep 17 00:00:00 2001
+From: Stefan Bodewig
+Date: Sat, 4 Jul 2020 18:03:13 +0200
+Subject: [PATCH] fallback to a separate owner-only tempdir if possible
+
+---
+ src/main/org/apache/tools/ant/MagicNames.java | 10 +++
+ .../org/apache/tools/ant/util/FileUtils.java | 36 +++++++++--
+ .../apache/tools/ant/util/FileUtilsTest.java | 64 +++++++++++++++++++
+ 3 files changed, 105 insertions(+), 5 deletions(-)
+
+diff --git a/src/main/org/apache/tools/ant/MagicNames.java b/src/main/org/apache/tools/ant/MagicNames.java
+index 5cf2fa8fa3..8ced505789 100644
+--- a/src/main/org/apache/tools/ant/MagicNames.java
++++ b/src/main/org/apache/tools/ant/MagicNames.java
+@@ -337,5 +337,15 @@ private MagicNames() {
+ * @since Ant 1.10.8
+ */
+ public static final String TMPDIR = "ant.tmpdir";
++
++ /**
++ * Magic property that will be set to override java.io.tmpdir
++ * system property as the location for Ant's default temporary
++ * directory if a temp file is created and {@link #TMPDIR} is not
++ * set.
++ * Value: {@value}
++ * @since Ant 1.10.9
++ */
++ public static final String AUTO_TMPDIR = "ant.auto.tmpdir";
+ }
+
+diff --git a/src/main/org/apache/tools/ant/util/FileUtils.java b/src/main/org/apache/tools/ant/util/FileUtils.java
+index 46671848c9..d835438fe7 100644
+--- a/src/main/org/apache/tools/ant/util/FileUtils.java
++++ b/src/main/org/apache/tools/ant/util/FileUtils.java
+@@ -110,6 +110,11 @@
+ PosixFilePermissions.asFileAttribute(EnumSet.of(PosixFilePermission.OWNER_READ,
+ PosixFilePermission.OWNER_WRITE))
+ };
++ private static final FileAttribute[] TMPDIR_ATTRIBUTES =
++ new FileAttribute[] {
++ PosixFilePermissions.asFileAttribute(EnumSet.of(PosixFilePermission.OWNER_READ,
++ PosixFilePermission.OWNER_WRITE, PosixFilePermission.OWNER_EXECUTE))
++ };
+ private static final FileAttribute[] NO_TMPFILE_ATTRIBUTES = new FileAttribute[0];
+
+ /**
+@@ -991,14 +996,35 @@ public File createTempFile(String prefix, String suffix, File parentDir,
+ public File createTempFile(final Project project, String prefix, String suffix,
+ final File parentDir, final boolean deleteOnExit, final boolean createFile) {
+ File result;
+- final String parent;
++ String p = null;
+ if (parentDir != null) {
+- parent = parentDir.getPath();
++ p = parentDir.getPath();
+ } else if (project != null && project.getProperty(MagicNames.TMPDIR) != null) {
+- parent = project.getProperty(MagicNames.TMPDIR);
+- } else {
+- parent = System.getProperty("java.io.tmpdir");
++ p = project.getProperty(MagicNames.TMPDIR);
++ } else if (project != null && deleteOnExit) {
++ if (project.getProperty(MagicNames.AUTO_TMPDIR) != null) {
++ p = project.getProperty(MagicNames.AUTO_TMPDIR);
++ } else {
++ final Path systemTempDirPath =
++ new File(System.getProperty("java.io.tmpdir")).toPath();
++ final PosixFileAttributeView systemTempDirPosixAttributes =
++ Files.getFileAttributeView(systemTempDirPath, PosixFileAttributeView.class);
++ if (systemTempDirPosixAttributes != null) {
++ // no reason to create an extra temp dir if we cannot set permissions
++ try {
++ final File projectTempDir = Files.createTempDirectory(systemTempDirPath,
++ "ant", TMPDIR_ATTRIBUTES)
++ .toFile();
++ projectTempDir.deleteOnExit();
++ p = projectTempDir.getAbsolutePath();
++ project.setProperty(MagicNames.AUTO_TMPDIR, p);
++ } catch (IOException ex) {
++ // silently fall back to system temp directory
++ }
++ }
++ }
+ }
++ final String parent = p != null ? p : System.getProperty("java.io.tmpdir");
+ if (prefix == null) {
+ prefix = NULL_PLACEHOLDER;
+ }
+diff --git a/src/tests/junit/org/apache/tools/ant/util/FileUtilsTest.java b/src/tests/junit/org/apache/tools/ant/util/FileUtilsTest.java
+index da46520038..d5448a6ac6 100644
+--- a/src/tests/junit/org/apache/tools/ant/util/FileUtilsTest.java
++++ b/src/tests/junit/org/apache/tools/ant/util/FileUtilsTest.java
+@@ -50,6 +50,8 @@
+ import static org.junit.Assert.assertEquals;
+ import static org.junit.Assert.assertFalse;
+ import static org.junit.Assert.assertNotEquals;
++import static org.junit.Assert.assertNotNull;
++import static org.junit.Assert.assertNull;
+ import static org.junit.Assert.assertThat;
+ import static org.junit.Assert.assertTrue;
+ import static org.junit.Assume.assumeFalse;
+@@ -450,6 +452,68 @@ public void testCreateTempFile() throws IOException {
+ tmp2.getAbsolutePath()));
+ }
+
++ @Test
++ public void createTempFileUsesAntTmpDirIfSetAndDeleteOnExitIsTrue() throws IOException {
++ final Project project = new Project();
++ final File projectTmpDir = folder.newFolder("subdir");
++ project.setProperty("ant.tmpdir", projectTmpDir.getAbsolutePath());
++ final File tmpFile = getFileUtils().createTempFile(project, null, null, null, true, true);
++ assertTrue(tmpFile + " must be child of " + projectTmpDir,
++ tmpFile.getAbsolutePath().startsWith(projectTmpDir.getAbsolutePath()));
++ }
++
++ @Test
++ public void createTempFileUsesAntTmpDirIfSetAndDeleteOnExitIsFalse() throws IOException {
++ final Project project = new Project();
++ final File projectTmpDir = folder.newFolder("subdir");
++ project.setProperty("ant.tmpdir", projectTmpDir.getAbsolutePath());
++ final File tmpFile = getFileUtils().createTempFile(project, null, null, null, false, true);
++ assertTrue(tmpFile + " must be child of " + projectTmpDir,
++ tmpFile.getAbsolutePath().startsWith(projectTmpDir.getAbsolutePath()));
++ }
++
++ @Test
++ public void createTempFileCreatesAutoTmpDirIfDeleteOnExitIsTrueOnUnix() throws IOException {
++ assumeFalse("Test doesn't run on DOS", Os.isFamily("dos"));
++ final Project project = new Project();
++ final File tmpFile = getFileUtils().createTempFile(project, null, null, null, true, true);
++ final String autoTempDir = project.getProperty("ant.auto.tmpdir");
++ assertNotNull(autoTempDir);
++ assertTrue(tmpFile + " must be child of " + autoTempDir,
++ tmpFile.getAbsolutePath().startsWith(autoTempDir));
++ }
++
++ @Test
++ public void createTempFileDoesntCreateAutoTmpDirIfDeleteOnExitIsFalse() throws IOException {
++ final Project project = new Project();
++ final File tmpFile = getFileUtils().createTempFile(project, null, null, null, false, true);
++ assertNull(project.getProperty("ant.auto.tmpdir"));
++ }
++
++ @Test
++ public void createTempFileReusesAutoTmpDirIfDeleteOnExitIsTrueOnUnix() throws IOException {
++ assumeFalse("Test doesn't run on DOS", Os.isFamily("dos"));
++ final Project project = new Project();
++ final File tmpFile = getFileUtils().createTempFile(project, null, null, null, true, true);
++ final String autoTempDir = project.getProperty("ant.auto.tmpdir");
++ assertNotNull(autoTempDir);
++ final File tmpFile2 = getFileUtils().createTempFile(project, null, null, null, true, true);
++ assertTrue(tmpFile2 + " must be child of " + autoTempDir,
++ tmpFile2.getAbsolutePath().startsWith(autoTempDir));
++ }
++
++ @Test
++ public void createTempFileDoesntReusesAutoTmpDirIfDeleteOnExitIsFalse() throws IOException {
++ assumeFalse("Test doesn't run on DOS",
Os.isFamily("dos")); ++ final Project project = new Project(); ++ final File tmpFile = getFileUtils().createTempFile(project, null, null, null, true, true); ++ final String autoTempDir = project.getProperty("ant.auto.tmpdir"); ++ assertNotNull(autoTempDir); ++ final File tmpFile2 = getFileUtils().createTempFile(project, null, null, null, false, true); ++ assertFalse(tmpFile2 + " must not be child of " + autoTempDir, ++ tmpFile2.getAbsolutePath().startsWith(autoTempDir)); ++ } ++ + /** + * Test contentEquals + */ diff --git a/ant.spec b/ant.spec index c3f6d58..08d20a0 100644 --- a/ant.spec +++ b/ant.spec @@ -4,13 +4,15 @@ Name: ant Summary: A Java-based build tool Version: 1.10.8 -Release: 2 +Release: 3 Epoch: 0 License: ASL 2.0 URL: https://ant.apache.org/ Source0: https://archive.apache.org/dist/ant/source/apache-ant-%{version}-src.tar.bz2 Source2: apache-ant-1.8.ant.conf - +# Patch 0-1 are used for repair CVE-2020-11979 +Patch0: Fallback-to-a-separate-owner-only-tempdir-if-possible.patch +Patch1: Document-why-we-are-actually-removing-the-file-before-writing.patch BuildRequires: javapackages-local java-1.8.0-devel ant >= 1.10.2 BuildRequires: ant-junit xmlto mvn(antlr:antlr) mvn(bcel:bcel) BuildRequires: mvn(bsf:bsf) mvn(com.jcraft:jsch) mvn(commons-logging:commons-logging-api) @@ -422,6 +424,9 @@ LC_ALL=en_US.utf8 %{ant} test %{_javadocdir}/%{name} %changelog +* Mon Nov 30 2020 huanghaitao - 0:1.10.8-3 +- Fix CVE-2020-11979 + * Thu Oct 15 2020 lingsheng - 0:1.10.8-2 - Change buildrequire and require to java-1.8.0-devel
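Review bot: In the Fallback-to-a-separate-owner-only-tempdir patch, the `catch (IOException ex)` in FileUtils.createTempFile swallows the failure to create the owner-only directory, so the build quietly goes back to the shared java.io.tmpdir and nobody learns the protection is off. Log it instead of leaving the block empty, e.g. `project.log("could not create owner-only temp dir, falling back to java.io.tmpdir: " + ex, Project.MSG_WARN);`. The new FileUtilsTest cases only check that the file lands under `ant.auto.tmpdir` with a string `startsWith`; none asserts that the directory's permissions are owner-only, which is the property the patch exists for, so an assertion on `Files.getPosixFilePermissions(...)` against the three OWNER_* values would be worth adding. An `ant.auto.tmpdir` value that is already set is also used as is, without checking that it names an existing owner-only directory.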
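Review bot: The first ant.spec hunk only declares `Patch0:` and `Patch1:`; no hunk in this diff touches %prep, so unless %prep already uses `%autosetup` or `%autopatch` (not visible here) the two patches are never applied and release 3 would ship without the CVE-2020-11979 change. If %prep uses plain `%setup`, add `%patch0 -p1` and `%patch1 -p1` after it. The comment line would read better as `# Patch0-1 fix CVE-2020-11979`.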