From 3f5d6778cfcbeee4926eff5f2a23af7e3ecc1057 Mon Sep 17 00:00:00 2001
From: wang_yue111 <648774160@qq.com>
Date: Thu, 13 May 2021 10:05:45 +0800
Subject: [PATCH] fix CVE-2020-9492

(cherry picked from commit 351c3cde20a4316c6c960c64dee6b45354adffe8)
---
 CVE-2020-9492.patch | 53 +++++++++++++++++++++++++++++++++++++++++++++
 hadoop.spec | 7 +++---
 2 files changed, 57 insertions(+), 3 deletions(-)
 create mode 100644 CVE-2020-9492.patch

diff --git a/CVE-2020-9492.patch b/CVE-2020-9492.patch
new file mode 100644
index 0000000..43cb4e4
--- /dev/null
+++ b/CVE-2020-9492.patch
@@ -0,0 +1,53 @@
+From c5ed4ec13dcc2e3bf6e7033ebfe9f5c9508e9236 Mon Sep 17 00:00:00 2001
+From: Eric Yang
+Date: Mon, 15 Jun 2020 10:55:26 +0900
+Subject: [PATCH] SPNEGO TLS verification
+
+Signed-off-by: Akira Ajisaka
+---
+ .../org/apache/hadoop/hdfs/web/WebHdfsFileSystem.java | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/web/WebHdfsFileSystem.java b/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/web/WebHdfsFileSystem.java
+index b316bf1..b34ce82 100644
+--- a/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/web/WebHdfsFileSystem.java
++++ b/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/web/WebHdfsFileSystem.java
+@@ -144,6 +144,7 @@ public class WebHdfsFileSystem extends FileSystem
+ + "/v" + VERSION;
+ public static final String EZ_HEADER = "X-Hadoop-Accept-EZ";
+ public static final String FEFINFO_HEADER = "X-Hadoop-feInfo";
++ public static final String DFS_HTTP_POLICY_KEY = "dfs.http.policy";
+
+ /**
+ * Default connection factory may be overridden in tests to use smaller
+@@ -172,6 +173,7 @@ public class WebHdfsFileSystem extends FileSystem
+
+ private DFSOpsCountStatistics storageStatistics;
+ private KeyProvider testProvider;
++ private boolean isTLSKrb;
+
+ /**
+ * Return the protocol scheme for the FileSystem.
+@@ -233,6 +235,7 @@ public class WebHdfsFileSystem extends FileSystem
+ .newDefaultURLConnectionFactory(connectTimeout, readTimeout, conf);
+ }
+
++ this.isTLSKrb = "HTTPS_ONLY".equals(conf.get(DFS_HTTP_POLICY_KEY));
+
+ ugi = UserGroupInformation.getCurrentUser();
+ this.uri = URI.create(uri.getScheme() + "://" + uri.getAuthority());
+@@ -683,6 +686,11 @@ public class WebHdfsFileSystem extends FileSystem
+ //redirect hostname and port
+ redirectHost = null;
+
++ if (url.getProtocol().equals("http") &&
++ UserGroupInformation.isSecurityEnabled() &&
++ isTLSKrb) {
++ throw new IOException("Access denied: dfs.http.policy is HTTPS_ONLY.");
++ }
+
+ // resolve redirects for a DN operation unless already resolved
+ if (op.getRedirect() && !redirected) {
+--
+2.23.0
+
diff --git a/hadoop.spec b/hadoop.spec
index d6330fa..80b0a78 100644
--- a/hadoop.spec
+++ b/hadoop.spec
@@ -31,6 +31,7 @@ Source10: %{name}-core-site.xml
 Source11: %{name}-hdfs-site.xml
 Source12: %{name}-mapred-site.xml
 Source13: %{name}-yarn-site.xml
+Patch0: CVE-2020-9492.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
 BuildRequires: java-1.8.0-openjdk-devel maven hostname maven-local tomcat cmake snappy openssl-devel
@@ -1108,10 +1109,10 @@ fi
 %config(noreplace) %{_sysconfdir}/%{name}/container-executor.cfg
 
 %changelog
-* Wed May 11 2021 Ge Wang -3.2.1-7
-- Remove redundancy install requires
+* Thu May 13 2021 wangyue - 3.2.1-7
+- Fix CVE-2020-9492
 
-* Fri Apr 16 2021 Ge Wang -3.2.1-6
+* Fri Apr 16 2021 Ge Wang - 3.2.1-6
 - Build with local leveldbjni package instead of package in remote repository
 
 * Thu Apr 08 2021 Ge Wang - 3.2.1-5
-- Gitee
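Review bot: `this.isTLSKrb = "HTTPS_ONLY".equals(conf.get(DFS_HTTP_POLICY_KEY));` in the nested @@ -233 hunk compares the raw configuration string case-sensitively, so a value such as `https_only`, which the server-side policy parser presumably accepts (upstream's HttpConfig.Policy.fromString upper-cases its input, to be confirmed), leaves isTLSKrb false and the new guard in the @@ -683 hunk inert; `"HTTPS_ONLY".equalsIgnoreCase(conf.get(DFS_HTTP_POLICY_KEY))`, or parsing through the same enum the server uses, closes that gap. The new public constant and the isTLSKrb field carry no Javadoc; on the field I would add `/** True when dfs.http.policy is HTTPS_ONLY: a Kerberos-authenticated WebHDFS client must then refuse to follow plain-http URLs. */`. The guard in the @@ -683 hunk sits inside a method whose start and end are outside the hunk. The guard is driven only by the client's own configuration, so a client whose config does not set dfs.http.policy is unchanged by this patch, which is worth stating in the package changelog.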
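Review bot: `Patch0: CVE-2020-9492.patch` is declared in the @@ -31 hunk, but the diff touches no %prep line, so unless the spec's %prep already uses %autosetup or %autopatch (not visible here) the patch is shipped in the SRPM yet never applied and the build remains unfixed while the changelog claims the CVE closed; confirm %prep and add `%patch0 -p1` after the %setup line if patches are applied by hand there. The changelog hunk also rewrites the previous 3.2.1-7 entry rather than adding a new release, which hides the "Remove redundancy install requires" change from the history; bumping Release and keeping both entries would be the usual practice.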