From 80f91e31edd60a5e7abb5c719b9c10e67c1920b8 Mon Sep 17 00:00:00 2001
From: lixiaoyong
Date: Wed, 26 Mar 2025 01:58:32 -0400
Subject: [PATCH] fix CVE-2024-29869
---
backport-CVE-2024-29869.patch | 43 +++++++++++++++++++++++++++++++++++
hive.spec | 7 +++++-
2 files changed, 49 insertions(+), 1 deletion(-)
create mode 100644 backport-CVE-2024-29869.patch
diff --git a/backport-CVE-2024-29869.patch b/backport-CVE-2024-29869.patch
new file mode 100644
index 0000000..78e542a
--- /dev/null
+++ b/backport-CVE-2024-29869.patch
@@ -0,0 +1,43 @@
+From 20106e254527f7d71b2e34455c4322e14950c620 Mon Sep 17 00:00:00 2001
+From: Ayush Saxena
+Date: Thu, 21 Mar 2024 10:56:21 +0530
+Subject: [PATCH] HIVE-28134: Improve SecureCmdDoAs. (#5140). (Ayush Saxena,
+ reviewed by Sourabh Badhya)
+
+---
+ .../org/apache/hadoop/hive/ql/exec/SecureCmdDoAs.java | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/ql/src/java/org/apache/hadoop/hive/ql/exec/SecureCmdDoAs.java b/ql/src/java/org/apache/hadoop/hive/ql/exec/SecureCmdDoAs.java
+index e9ede6abf6..a2e9dab885 100644
+--- a/ql/src/java/org/apache/hadoop/hive/ql/exec/SecureCmdDoAs.java
++++ b/ql/src/java/org/apache/hadoop/hive/ql/exec/SecureCmdDoAs.java
+@@ -23,8 +23,10 @@
+ import java.net.URISyntaxException;
+ import java.util.Map;
+
++import org.apache.hadoop.fs.FSDataOutputStream;
+ import org.apache.hadoop.fs.FileSystem;
+ import org.apache.hadoop.fs.Path;
++import org.apache.hadoop.fs.permission.FsPermission;
+ import org.apache.hadoop.hive.conf.HiveConf;
+ import org.apache.hadoop.hive.ql.metadata.HiveException;
+ import org.apache.hadoop.hive.shims.ShimLoader;
+@@ -68,7 +70,13 @@ public SecureCmdDoAs(HiveConf conf) throws HiveException, IOException{
+ tokenPath = new Path(tokenFile.toURI());
+
+ //write credential with token to file
+- cred.writeTokenStorageFile(tokenPath, conf);
++ FsPermission umask = FsPermission.getUMask(conf);
++ FsPermission targetPerm = FsPermission.createImmutable((short) 0700);
++
++ try (FSDataOutputStream os = tokenPath.getFileSystem(conf).createFile(tokenPath)
++ .permission(targetPerm.applyUMask(umask)).build()) {
++ cred.writeTokenStorageToStream(os, Credentials.SerializedFormat.WRITABLE);
++ }
+ }
+
+ public void addEnv(Map env){
+--
+2.27.0
+
diff --git a/hive.spec b/hive.spec
index ecaed7d..f206752 100644
--- a/hive.spec
+++ b/hive.spec
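Review bot: The token file is created with `FsPermission.createImmutable((short) 0700)`, which leaves the owner-execute bit on a file that only holds serialized credentials; `(short) 0600` would be enough and states the intent more exactly. `tokenFile` is created above this hunk, so if it already exists on disk when `createFile(tokenPath)` opens it, whether the requested mode is applied presumably depends on the FileSystem implementation; it is worth confirming this for the local filesystem, or calling `setPermission(tokenPath, targetPerm)` on the file system explicitly before the token is written. A comment such as `// token file must be accessible to the owner only` above the `FsPermission` lines would record why the single `writeTokenStorageFile` call was replaced. The constructor starts and ends outside the hunk.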
@@ -2,7 +2,7 @@ Name: hive Version: 3.1.3 -Release: 5 +Release: 6 Summary: The Apache Hadoop data warehouse License: Apache-2.0 and Python-2.0 and MPL-2.0 and BSD and ICU @@ -22,6 +22,7 @@ Requires: java-1.8.0-openjdk BuildArch: noarch Patch1000: 1000-Add-protoc-java-support-for-riscv64.patch +Patch1001: backport-CVE-2024-29869.patch %description The Apache Hive data warehouse software facilitates querying and @@ -36,6 +37,7 @@ mkdir -p ${HOME}/%{name}-prep_dir tar -mxf %{SOURCE5} -C ${HOME}/%{name}-prep_dir pushd ${HOME}/%{name}-prep_dir/protoc-jar-3.5.1.1 %patch 1000 -p1 +%patch 1001 -p1 mvn clean install -Dmaven.test.skip=true -Dmaven.javadoc.skip=true popd # protoc-jar-maven-plugin @@ -143,6 +145,9 @@ ln -s %{_javadir}/%{name}/%{name}-shims.jar %{buildroot}%{_datadir}/hadoop/mapre %changelog +* Wed Mar 26 2025 lixiaoyong - 3.1.3-6 +- fix CVE-2024-29869 + * Mon Dec 16 2024 litian - 3.1.3-5 - fix %patchN is deprecated warning -- Gitee
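Review bot: `%patch 1001 -p1` is added between `pushd ${HOME}/%{name}-prep_dir/protoc-jar-3.5.1.1` and `popd`, so it runs inside the protoc-jar tree, while the patch it applies targets `ql/src/java/org/apache/hadoop/hive/ql/exec/SecureCmdDoAs.java` in the Hive sources. Unless that path exists under protoc-jar, the step would presumably either fail or leave Hive unpatched, so the CVE-2024-29869 fix would not reach the built jars. Move the line to the point in %prep where the Hive source tree is the working directory (the rest of %prep is outside this hunk), and confirm in the build log that the hunk was applied to SecureCmdDoAs.java.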