ESB-2018.2108.2 - UPDATE [Win][Linux][Debian] ant: Modify arbitrary files - Existing account 2018-08-06


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2018.2108.2
                            ant security update
                               6 August 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           ant
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
                   Linux variants
                   Windows
Impact/Access:     Modify Arbitrary Files -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-10886  

Original Bulletin: 
   https://security-tracker.debian.org/tracker/DLA-1431-1

Revision History:  August  6 2018: The fix for CVE-2018-10886 was incomplete
                                   in the previous upload
                   July   20 2018: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : ant
Version        : 1.9.4-3+deb8u2
CVE ID         : TEMP-0904191-9063D5
Debian Bug     : 904191


The fix for CVE-2018-10886 was incomplete in the previous upload. New
changes were implemented upstream which check and resolve symlinks
before expanding the archives.

For Debian 8 "Jessie", this problem has been fixed in version
1.9.4-3+deb8u2.

We recommend that you upgrade your ant packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : ant
Version        : 1.9.4-3+deb8u1
CVE ID         : CVE-2018-10886


unzip and untar target tasks in ant allow the extraction of files
outside the target directory. A crafted zip or tar file submitted to
an Ant build could create or overwrite arbitrary files with the
privileges of the user running Ant.
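The two advisories above describe a path traversal in Ant's unzip/untar tasks and a follow-up fix that resolves symlinks before expanding. The Python script below is an added example, not Ant's code or Debian's patch: it builds a constructed tar archive (a symlink pointing outside the destination, a file routed through it, a "../" entry and a benign file) and contrasts a purely lexical prefix check, which an existing symlink under the destination can bypass, with one that resolves symlinks before extracting. The "/tmp" link target and all entry names are made-up sample values.

```python
import io
import os
import tarfile
def build_sample_tar() -> bytes:
    """Constructed (not from the advisory): symlink escape, file via it, '../', benign."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        link = tarfile.TarInfo("link")
        link.type, link.linkname = tarfile.SYMTYPE, "/tmp"
        tf.addfile(link)
        for name, data in (("link/b.txt", b"y\n"), ("../evil.txt", b"x\n"),
                           ("ok/a.txt", b"fine\n")):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def lexical_check(dest: str, name: str) -> bool:
    """Normalise the joined path only; blind to symlinks already on disk."""
    dest = os.path.abspath(dest)
    target = os.path.normpath(os.path.join(dest, name))
    return target == dest or target.startswith(dest + os.sep)

def resolved_check(dest: str, name: str) -> bool:
    """Resolve symlinks first, as the corrected upstream fix does."""
    dest = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest, name))
    return target == dest or target.startswith(dest + os.sep)

def safe_extract(data: bytes, dest: str) -> dict:
    """Extract entry by entry; returns {entry name: 'ok' | 'rejected'}."""
    os.makedirs(dest, exist_ok=True)
    results = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tf:
        for m in tf:
            ok = resolved_check(dest, m.name)
            if ok and m.issym():  # link target must also resolve inside dest
                ok = resolved_check(dest, os.path.join(os.path.dirname(m.name), m.linkname))
            if not ok:
                results[m.name] = "rejected"
                continue
            path = os.path.join(dest, m.name)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            if m.issym():
                os.symlink(m.linkname, path)
            elif m.isfile():
                with open(path, "wb") as f:
                    f.write(tf.extractfile(m).read())
            results[m.name] = "ok"
    return results
```

Because the escaping symlink is rejected before it is created, the later "link/b.txt" entry lands as a plain file under the destination instead of being written through the link.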

For Debian 8 "Jessie", these problems have been fixed in version
1.9.4-3+deb8u1.

We recommend that you upgrade your ant packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
