apache-ant is vulnerable to authorization bypass. The vulnerabiltiy exists through the mitigation for CVE-2020-1945 has changed the permissions of temporary files it created so that only the current user was allowed to access them, while the fixcrlf
task deleted the temporary file and creates a new one without said protection, allowing the injection of modified source files into the build process.
github.com/gradle/gradle/security/advisories/GHSA-j45w-qrgf-25vm
lists.apache.org/thread.html/r107ea1b1a7a214bc72fe1a04207546ccef542146ae22952e1013b5cc@%3Cdev.creadur.apache.org%3E
lists.apache.org/thread.html/r1dc8518dc99c42ecca5ff82d0d2de64cd5d3a4fa691eb9ee0304781e@%3Cdev.creadur.apache.org%3E
lists.apache.org/thread.html/r2306b67f20c24942b872b0a41fbdc9330e8467388158bcd19c1094e0@%3Cdev.creadur.apache.org%3E
lists.apache.org/thread.html/r4ca33fad3fb39d130cda287d5a60727d9e706e6f2cf2339b95729490@%3Cdev.creadur.apache.org%3E
lists.apache.org/thread.html/r5e1cdd79f019162f76414708b2092acad0a6703d666d72d717319305@%3Cdev.creadur.apache.org%3E
lists.apache.org/thread.html/raaeddc41da8f3afb1cb224876084a45f68e437a0afd9889a707e4b0c@%3Cdev.creadur.apache.org%3E
lists.apache.org/thread.html/rbfe9ba28b74f39f46ec1bbbac3bef313f35017cf3aac13841a84483a@%3Cdev.creadur.apache.org%3E
lists.apache.org/thread.html/rc3c8ef9724b5b1e171529b47f4b35cb7920edfb6e917fa21eb6c64ea%40%3Cdev.ant.apache.org%3E
lists.fedoraproject.org/archives/list/[email protected]/message/AALW42FWNQ35F7KB3JVRC6NBVV7AAYYI/
lists.fedoraproject.org/archives/list/[email protected]/message/DYBRN5C2RW7JRY75IB7Q7ZVKZCHWAQWS/
lists.fedoraproject.org/archives/list/[email protected]/message/U3NRQQ7ECII4ZNGW7GBC225LVYMPQEKB/
security.gentoo.org/glsa/202011-18
www.oracle.com//security-alerts/cpujul2021.html
www.oracle.com/security-alerts/cpuApr2021.html
www.oracle.com/security-alerts/cpuapr2022.html
www.oracle.com/security-alerts/cpujan2021.html
www.oracle.com/security-alerts/cpujan2022.html
www.oracle.com/security-alerts/cpuoct2021.html