From a0c6ff257a07afbbc5e83e9dfdad870bac3857ca Mon Sep 17 00:00:00 2001
From: fandeyuan
Date: Thu, 26 Sep 2024 17:26:11 +0800
Subject: [PATCH] fix CVE-2024-23454

---
 00-Enhance-access-control-for-RunJar.patch | 57 ++++++++++++++++++++++
 hadoop.spec | 7 ++-
 2 files changed, 63 insertions(+), 1 deletion(-)
 create mode 100644 00-Enhance-access-control-for-RunJar.patch

diff --git a/00-Enhance-access-control-for-RunJar.patch b/00-Enhance-access-control-for-RunJar.patch
new file mode 100644
index 0000000..ed1e85b
--- /dev/null
+++ b/00-Enhance-access-control-for-RunJar.patch
@@ -0,0 +1,57 @@
+From 7c30e7ffb65f9a58a85b3b556f8c0de04c1b4b20 Mon Sep 17 00:00:00 2001
+From: He Xiaoqiao
+Date: Mon, 15 Jan 2024 16:01:08 +0800
+Subject: [PATCH] HADOOP-19031. Enhance access control for RunJar.
+
+---
+ .../main/java/org/apache/hadoop/util/RunJar.java | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/RunJar.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/RunJar.java
+index c28e69f5..e527f602 100644
+--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/RunJar.java
++++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/RunJar.java
+@@ -28,10 +28,14 @@ import java.net.MalformedURLException;
+ import java.net.URL;
+ import java.net.URLClassLoader;
+ import java.nio.file.Files;
++import java.nio.file.attribute.FileAttribute;
++import java.nio.file.attribute.PosixFilePermission;
++import java.nio.file.attribute.PosixFilePermissions;
+ import java.util.ArrayList;
+ import java.util.Arrays;
+ import java.util.Enumeration;
+ import java.util.List;
++import java.util.Set;
+ import java.util.jar.JarEntry;
+ import java.util.jar.JarFile;
+ import java.util.jar.JarInputStream;
+@@ -287,20 +291,18 @@ public class RunJar {
+ 
+ final File workDir;
+ try {
+- workDir = File.createTempFile("hadoop-unjar", "", tmpDir);
+- } catch (IOException ioe) {
++ FileAttribute> perms = PosixFilePermissions
++ .asFileAttribute(PosixFilePermissions.fromString("rwx------"));
++ workDir = Files.createTempDirectory(tmpDir.toPath(), "hadoop-unjar", perms).toFile();
++ } catch (IOException | SecurityException e) {
+ // If user has insufficient perms to write to tmpDir, default
+ // "Permission denied" message doesn't specify a filename.
+ System.err.println("Error creating temp dir in java.io.tmpdir "
+- + tmpDir + " due to " + ioe.getMessage());
++ + tmpDir + " due to " + e.getMessage());
+ System.exit(-1);
+ return;
+ }
+ 
+- if (!workDir.delete()) {
+- System.err.println("Delete failed for " + workDir);
+- System.exit(-1);
+- }
+ ensureDirectory(workDir);
+ 
+ ShutdownHookManager.get().addShutdownHook(
+--
+2.43.0
+
diff --git a/hadoop.spec b/hadoop.spec
index 4edbd51..0a89dfd 100644
--- a/hadoop.spec
+++ b/hadoop.spec
@@ -13,7 +13,7 @@ Name: hadoop
 Version: 3.3.4
-Release: 3
+Release: 4
 Summary: A software platform for processing vast amounts of data
 # The BSD license file is missing
 # https://issues.apache.org/jira/browse/HADOOP-9849
@@ -37,6 +37,8 @@ Source14: yarn-v1.22.5.tar.gz
 Source15: node-12.22.1-linux-x64.tar.gz
 Source16: node-v12.22.1-linux-arm64.tar.gz
+Patch0: 00-Enhance-access-control-for-RunJar.patch
+
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
 BuildRequires: java-1.8.0-openjdk-devel maven hostname maven-local tomcat cmake snappy openssl-devel
 BuildRequires: cyrus-sasl-devel chrpath systemd protobuf2-compiler protobuf2-devel protobuf2-java protobuf2
@@ -1131,6 +1133,9 @@ fi
 %config(noreplace) %{_sysconfdir}/%{name}/container-executor.cfg
 %changelog
+* Tue Jan 7 2025 Deyuan Fan - 3.3.4-4
+- fix CVE-2024-23454
+
 * Wed Jan 1 2025 xuduo - 3.3.4-3
 - fix compile failure
--
Gitee
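Review bot: The new `Files.createTempDirectory(tmpDir.toPath(), "hadoop-unjar", perms)` call throws `UnsupportedOperationException` when the default filesystem has no `posix` attribute view (Windows, which Hadoop still targets), and the new `catch (IOException | SecurityException e)` does not include it, so RunJar would abort with an uncaught exception instead of the existing "Error creating temp dir" message; the replaced `File.createTempFile` path had no such platform dependency. I would gate the explicit `rwx------` attribute on `FileSystems.getDefault().supportedFileAttributeViews().contains("posix")`, fall back to the attribute-less overload elsewhere (still a unique, atomically created directory), and add `UnsupportedOperationException` to the multi-catch as a backstop; that needs `java.nio.file.FileSystems` imported next to the attribute imports added above. Separately, the `FileAttribute> perms` declaration as shown here has lost its type argument (presumably `FileAttribute<Set<PosixFilePermission>>`, which the new `java.util.Set` import supports), so confirm the file on disk is intact before the spec applies it. The enclosing method starts and ends outside this hunk.
```java
    try {
      if (FileSystems.getDefault().supportedFileAttributeViews().contains("posix")) {
        FileAttribute<Set<PosixFilePermission>> perms = PosixFilePermissions
            .asFileAttribute(PosixFilePermissions.fromString("rwx------"));
        workDir = Files.createTempDirectory(tmpDir.toPath(), "hadoop-unjar", perms).toFile();
      } else {
        // No POSIX permission view here: the directory is still created uniquely and
        // atomically, but its access rights are inherited from tmpDir rather than forced to 0700.
        workDir = Files.createTempDirectory(tmpDir.toPath(), "hadoop-unjar").toFile();
      }
    } catch (IOException | SecurityException | UnsupportedOperationException e) {
      // … unchanged: error message and System.exit(-1) …
```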
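Review bot: `Patch0:` is declared in the `@@ -37,6 +37,8 @@` hunk, but no hunk in this commit touches `%prep`, so unless that section already uses `%autosetup` or `%autopatch` (it is outside the diff, so I cannot tell) the patch is never applied and 3.3.4-4 would ship the unpatched `RunJar` while the changelog claims the CVE is fixed. If `%prep` uses plain `%setup`, add `%patch0 -p1` after it; the inner patch's paths are `a/hadoop-common-project/...`, so `-p1` is the right strip level, and the hunk offsets (`-287,20`) come from upstream trunk, so verify it applies to the 3.3.4 source without fuzz rejects.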