From b4ff678d829514d9e9613c9317aeebd2c2285564 Mon Sep 17 00:00:00 2001
From: lixiaoyong
Date: Mon, 31 Mar 2025 22:20:47 -0400
Subject: [PATCH] fix CVE-2024-23953
---
 backport-CVE-2024-23953.patch | 38 +++++++++++++++++++++++++++++++++++
 hive.spec | 7 ++++++-
 2 files changed, 44 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2024-23953.patch
diff --git a/backport-CVE-2024-23953.patch b/backport-CVE-2024-23953.patch
new file mode 100644
index 0000000..a28d1d1
--- /dev/null
+++ b/backport-CVE-2024-23953.patch
@@ -0,0 +1,38 @@
+From b418e3c9f479ba8e7d31e6470306111002ffa809 Mon Sep 17 00:00:00 2001
+From: Denys Kuzmenko
+Date: Thu, 25 Jan 2024 12:18:19 +0200
+Subject: [PATCH] HIVE-28030: LLAP util code refactor (Denys Kuzmenko, reviewed
+ by Ayush Saxena)
+
+Closes #5030
+---
+ .../apache/hadoop/hive/llap/security/LlapSignerImpl.java | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/llap-common/src/java/org/apache/hadoop/hive/llap/security/LlapSignerImpl.java b/llap-common/src/java/org/apache/hadoop/hive/llap/security/LlapSignerImpl.java
+index a7fc398892..047e17686b 100644
+--- a/llap-common/src/java/org/apache/hadoop/hive/llap/security/LlapSignerImpl.java
++++ b/llap-common/src/java/org/apache/hadoop/hive/llap/security/LlapSignerImpl.java
+@@ -18,7 +18,7 @@
+ package org.apache.hadoop.hive.llap.security;
+
+ import java.io.IOException;
+-import java.util.Arrays;
++import java.security.MessageDigest;
+
+ import org.apache.hadoop.conf.Configuration;
+ import org.apache.hadoop.security.UserGroupInformation;
+@@ -58,7 +58,9 @@ public SignedMessage serializeAndSign(Signable message) throws IOException {
+ public void checkSignature(byte[] message, byte[] signature, int keyId)
+ throws SecurityException {
+ byte[] expectedSignature = secretManager.signWithKey(message, keyId);
+- if (Arrays.equals(signature, expectedSignature)) return;
++ if (MessageDigest.isEqual(signature, expectedSignature)) {
++ return;
++ }
+ throw new SecurityException("Message signature does not match");
+ }
+
+--
+2.27.0
+
diff --git a/hive.spec b/hive.spec
index f206752..74a8720 100644
--- a/hive.spec
+++ b/hive.spec
@@ -2,7 +2,7 @@
 Name: hive
 Version: 3.1.3
-Release: 6
+Release: 7
 Summary: The Apache Hadoop data warehouse
 License: Apache-2.0 and Python-2.0 and MPL-2.0 and BSD and ICU
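Review bot: Dropping `import java.util.Arrays;` in the `@@ -18,7` hunk of the backported patch is only safe if the 3.1.3 copy of `LlapSignerImpl` has no other `Arrays` call; the upstream commit was cut against a newer tree, so if the import is still used elsewhere in the class the patch applies cleanly but the module stops compiling — worth a build check rather than an assumption. The new `MessageDigest.isEqual` line is the actual fix for the byte-by-byte forgery: `Arrays.equals` returns at the first mismatching byte, so comparison time told an attacker how many leading signature bytes were already right. `MessageDigest.isEqual` still returns immediately when the two arrays differ in length, which leaks only the expected length and is fine as long as `signWithKey` produces fixed-length signatures (presumably an HMAC, but that is not visible here). Since the hunk carries no rationale and the upstream subject reads like a plain refactor, add `// Constant-time compare (CVE-2024-23953): Arrays.equals short-circuits on the first mismatch.` above the `if` so a later cleanup does not revert it. The `checkSignature` body is shown in full, but the enclosing class continues outside the hunk.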
@@ -23,6 +23,7 @@ BuildArch: noarch
 Patch1000: 1000-Add-protoc-java-support-for-riscv64.patch
 Patch1001: backport-CVE-2024-29869.patch
+Patch1002: backport-CVE-2024-23953.patch
 %description
 The Apache Hive data warehouse software facilitates querying and
@@ -38,6 +39,7 @@ tar -mxf %{SOURCE5} -C ${HOME}/%{name}-prep_dir
 pushd ${HOME}/%{name}-prep_dir/protoc-jar-3.5.1.1
 %patch 1000 -p1
 %patch 1001 -p1
+%patch 1002 -p1
 mvn clean install -Dmaven.test.skip=true -Dmaven.javadoc.skip=true
 popd
 # protoc-jar-maven-plugin
@@ -145,6 +147,9 @@ ln -s %{_javadir}/%{name}/%{name}-shims.jar %{buildroot}%{_datadir}/hadoop/mapre
 %changelog
+* Tue Apr 01 2025 lixiaoyong - 3.1.3-7
+- fix CVE-2024-23953
+
 * Wed Mar 26 2025 lixiaoyong - 3.1.3-6
 - fix CVE-2024-29869
--
Gitee
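Review bot: The added `%patch 1002 -p1` in the `@@ -38,6` hunk runs inside the `pushd ${HOME}/%{name}-prep_dir/protoc-jar-3.5.1.1 … popd` block, so its working directory is the protoc-jar source, while the patch it applies rewrites `llap-common/src/java/org/apache/hadoop/hive/llap/security/LlapSignerImpl.java`, a path in the Hive tree. Patch1001 (the previous CVE backport) is applied from the same spot and release 6 presumably built, so the Hive sources may already be unpacked there — but that is not visible in this hunk, and a Hive-tree patch applied with `-p1` from the wrong cwd aborts the build rather than silently skipping. Confirm where the Hive tarball is extracted and, if it is not this directory, move the line to the `%prep` step that unpacks Hive; a comment such as `# Hive source tree is unpacked here; Patch1001/1002 touch llap-common/` next to the pushd would spare the next backport the same question.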