From a97854067e4ee55f1a86a6d469aade4ac6803c5d Mon Sep 17 00:00:00 2001
From: fandeyuan
Date: Thu, 26 Sep 2024 11:10:31 +0800
Subject: [PATCH] fix CVE-2024-23454
(cherry picked from commit e8964e952659f2c7032887746946c9ef7d84e6e4)
---
04-Enhance-access-control-for-RunJar.patch | 57 ++++++++++++++++++++++
hadoop.spec | 6 ++-
2 files changed, 62 insertions(+), 1 deletion(-)
create mode 100644 04-Enhance-access-control-for-RunJar.patch
diff --git a/04-Enhance-access-control-for-RunJar.patch b/04-Enhance-access-control-for-RunJar.patch
new file mode 100644
index 0000000..7439324
--- /dev/null
+++ b/04-Enhance-access-control-for-RunJar.patch
@@ -0,0 +1,57 @@
+From aafa13bb48274971780d564fc2f2471f0064f734 Mon Sep 17 00:00:00 2001
+From: He Xiaoqiao
+Date: Mon, 15 Jan 2024 16:01:08 +0800
+Subject: [PATCH] HADOOP-19031. Enhance access control for RunJar.
+
+---
+ .../main/java/org/apache/hadoop/util/RunJar.java | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/RunJar.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/RunJar.java
+index c28e69f5..e527f602 100644
+--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/RunJar.java
++++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/RunJar.java
+@@ -28,10 +28,14 @@ import java.net.MalformedURLException;
+ import java.net.URL;
+ import java.net.URLClassLoader;
+ import java.nio.file.Files;
++import java.nio.file.attribute.FileAttribute;
++import java.nio.file.attribute.PosixFilePermission;
++import java.nio.file.attribute.PosixFilePermissions;
+ import java.util.ArrayList;
+ import java.util.Arrays;
+ import java.util.Enumeration;
+ import java.util.List;
++import java.util.Set;
+ import java.util.jar.JarEntry;
+ import java.util.jar.JarFile;
+ import java.util.jar.JarInputStream;
+@@ -287,20 +291,18 @@ public class RunJar {
+
+ final File workDir;
+ try {
+- workDir = File.createTempFile("hadoop-unjar", "", tmpDir);
+- } catch (IOException ioe) {
++ FileAttribute> perms = PosixFilePermissions
++ .asFileAttribute(PosixFilePermissions.fromString("rwx------"));
++ workDir = Files.createTempDirectory(tmpDir.toPath(), "hadoop-unjar", perms).toFile();
++ } catch (IOException | SecurityException e) {
+ // If user has insufficient perms to write to tmpDir, default
+ // "Permission denied" message doesn't specify a filename.
+ System.err.println("Error creating temp dir in java.io.tmpdir "
+- + tmpDir + " due to " + ioe.getMessage());
++ + tmpDir + " due to " + e.getMessage());
+ System.exit(-1);
+ return;
+ }
+
+- if (!workDir.delete()) {
+- System.err.println("Delete failed for " + workDir);
+- System.exit(-1);
+- }
+ ensureDirectory(workDir);
+
+ ShutdownHookManager.get().addShutdownHook(
+--
+2.43.0
+
diff --git a/hadoop.spec b/hadoop.spec
index 7a6227b..a983826 100644
--- a/hadoop.spec
+++ b/hadoop.spec
@@ -11,7 +11,7 @@
 %define _binaries_in_noarch_packages_terminate_build 0
 Name: hadoop
 Version: 3.3.6
-Release: 4
+Release: 5
 Summary: A software platform for processing vast amounts of data
 # The BSD license file is missing
 # https://issues.apache.org/jira/browse/HADOOP-9849
@@ -43,6 +43,7 @@ Source21: https://github.com/protocolbuffers/protobuf/archive/refs/tags/v3.11.0.
 Patch0: 01-lock-triple-beam-version-to-1.3.0.patch
 Patch1: 02-Upgrade-os-maven-plugin-to-1.7.1.patch
 Patch2: 03-Fix-build-on-riscv.patch
+Patch3: 04-Enhance-access-control-for-RunJar.patch
 %ifarch riscv64
 Patch1000: 1000-Added-support-for-building-the-riscv64-protoc-binari.patch
@@ -1204,6 +1205,9 @@ fi
 %config(noreplace) %{_sysconfdir}/%{name}/container-executor.cfg
 %changelog
+* Thu Sep 26 2024 Deyuan Fan - 3.3.6-5
+- fix CVE-2024-23454
+
 * Tue Jun 25 2024 Dingli Zhang - 3.3.6-4
 - Remove riscv64 prebuilded files
 - Build protoc and protoc-gen-grpc-java in prep state for riscv64
-- Gitee
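Review bot: Passing a `posix:permissions` attribute to `Files.createTempDirectory` in the new `try` block makes that call throw `UnsupportedOperationException` on a filesystem without a POSIX attribute view (Windows, per the JDK contract for the `attrs` parameter), and the widened `catch (IOException | SecurityException e)` does not cover it, so `hadoop jar` would terminate with a stack trace where the old `createTempFile` path used to work. The simplest fix is to add `UnsupportedOperationException` to the multi-catch, but a better one is to pass the attribute only when the default filesystem reports a `posix` view and otherwise let `createTempDirectory` use its own defaults (which, as far as I can tell, are already owner-only on POSIX); that needs `java.nio.file.FileSystems` added in the import hunk. A one-line comment above the `perms` declaration should also say why the mode is forced, e.g. `// Create the unjar dir atomically with owner-only access so another local user cannot pre-create or symlink it in a shared tmpdir (CVE-2024-23454).` `FileAttribute> perms` as rendered here looks like it lost its type arguments to extraction, presumably `FileAttribute<Set<PosixFilePermission>>` given the `Set` and `PosixFilePermission` imports, so the real line should be checked against the upstream commit; the enclosing method starts and ends outside the hunk.
```java
      // Force owner-only access where the filesystem supports POSIX modes;
      // elsewhere fall back to createTempDirectory's defaults instead of
      // dying with UnsupportedOperationException.
      FileAttribute<?>[] perms = FileSystems.getDefault()
          .supportedFileAttributeViews().contains("posix")
          ? new FileAttribute<?>[] {PosixFilePermissions.asFileAttribute(
              PosixFilePermissions.fromString("rwx------"))}
          : new FileAttribute<?>[0];
      workDir = Files.createTempDirectory(tmpDir.toPath(), "hadoop-unjar", perms).toFile();
    } catch (IOException | SecurityException e) {
      // … unchanged: error message and System.exit(-1) …
```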