From 0c53fd360b9eb439ed42c130791437755c31a7cc Mon Sep 17 00:00:00 2001
From: fandeyuan
Date: Thu, 26 Sep 2024 16:50:26 +0800
Subject: [PATCH] fix CVE-2024-23454
(cherry picked from commit 8de1403fff681c2ac772ad315e49accc4f890bc1)
---
02-Enhance-access-control-for-RunJar.patch | 57 ++++++++++++++++++++++
hadoop.spec | 6 ++-
2 files changed, 62 insertions(+), 1 deletion(-)
create mode 100644 02-Enhance-access-control-for-RunJar.patch
diff --git a/02-Enhance-access-control-for-RunJar.patch b/02-Enhance-access-control-for-RunJar.patch
new file mode 100644
index 0000000..3c9b103
--- /dev/null
+++ b/02-Enhance-access-control-for-RunJar.patch
@@ -0,0 +1,57 @@
+From 8264c61a32256e6cf98d4add19892449184a3bdf Mon Sep 17 00:00:00 2001
+From: He Xiaoqiao
+Date: Mon, 15 Jan 2024 16:01:08 +0800
+Subject: [PATCH] HADOOP-19031. Enhance access control for RunJar.
+
+---
+ .../main/java/org/apache/hadoop/util/RunJar.java | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/RunJar.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/RunJar.java
+index c28e69f5..e527f602 100644
+--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/RunJar.java
++++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/RunJar.java
+@@ -28,10 +28,14 @@ import java.net.MalformedURLException;
+ import java.net.URL;
+ import java.net.URLClassLoader;
+ import java.nio.file.Files;
++import java.nio.file.attribute.FileAttribute;
++import java.nio.file.attribute.PosixFilePermission;
++import java.nio.file.attribute.PosixFilePermissions;
+ import java.util.ArrayList;
+ import java.util.Arrays;
+ import java.util.Enumeration;
+ import java.util.List;
++import java.util.Set;
+ import java.util.jar.JarEntry;
+ import java.util.jar.JarFile;
+ import java.util.jar.JarInputStream;
+@@ -287,20 +291,18 @@ public class RunJar {
+
+ final File workDir;
+ try {
+- workDir = File.createTempFile("hadoop-unjar", "", tmpDir);
+- } catch (IOException ioe) {
++ FileAttribute> perms = PosixFilePermissions
++ .asFileAttribute(PosixFilePermissions.fromString("rwx------"));
++ workDir = Files.createTempDirectory(tmpDir.toPath(), "hadoop-unjar", perms).toFile();
++ } catch (IOException | SecurityException e) {
+ // If user has insufficient perms to write to tmpDir, default
+ // "Permission denied" message doesn't specify a filename.
+ System.err.println("Error creating temp dir in java.io.tmpdir "
+- + tmpDir + " due to " + ioe.getMessage());
++ + tmpDir + " due to " + e.getMessage());
+ System.exit(-1);
+ return;
+ }
+
+- if (!workDir.delete()) {
+- System.err.println("Delete failed for " + workDir);
+- System.exit(-1);
+- }
+ ensureDirectory(workDir);
+
+ ShutdownHookManager.get().addShutdownHook(
+--
+2.43.0
+
diff --git a/hadoop.spec b/hadoop.spec
index 72a0ac6..21581d5 100644
--- a/hadoop.spec
+++ b/hadoop.spec
@@ -11,7 +11,7 @@
%define _binaries_in_noarch_packages_terminate_build 0
Name: hadoop
Version: 3.3.6
-Release: 2
+Release: 3
Summary: A software platform for processing vast amounts of data
# The BSD license file is missing
# https://issues.apache.org/jira/browse/HADOOP-9849
@@ -37,6 +37,7 @@ Source16: node-v12.22.1-linux-arm64.tar.gz
Source17: settings.xml
Patch0: 01-lock-triple-beam-version-to-1.3.0.patch
+Patch1: 02-Enhance-access-control-for-RunJar.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
BuildRequires: java-1.8.0-openjdk-devel maven hostname maven-local tomcat cmake snappy openssl-devel
@@ -1145,6 +1146,9 @@ fi
%config(noreplace) %{_sysconfdir}/%{name}/container-executor.cfg
%changelog
+* Thu Sep 26 2024 Deyuan Fan - 3.3.6-3
+- fix CVE-2024-23454
+
* Fri Dec 15 2023 xiexing - 3.3.6-2
- add conflicts to hadoop spec
--
Gitee
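Review bot: The new `Files.createTempDirectory(tmpDir.toPath(), "hadoop-unjar", perms)` call in the nested RunJar hunk can throw `UnsupportedOperationException` when the target file system has no POSIX attribute view, and the widened `catch (IOException | SecurityException e)` does not cover it, so on such a platform RunJar would die with an uncaught exception instead of printing the existing "Error creating temp dir" message. A guard on `tmpDir.toPath().getFileSystem().supportedFileAttributeViews().contains("posix")` with a fallback to the attribute-less overload keeps the atomic 0700 creation (which is what closes the delete-then-recreate window of the old `createTempFile` code) where it can be enforced and degrades to the JDK default elsewhere. The rendered hunk shows `FileAttribute> perms`; the type argument `<Set<PosixFilePermission>>` appears to have been dropped by the page rendering, consistent with the added `Set` and `PosixFilePermission` imports, but it is worth checking against the applied patch. The enclosing method begins and ends outside the hunk.
```java
    final File workDir;
    try {
      // Enforce owner-only (0700) creation where the file system supports POSIX
      // permissions; otherwise fall back to the JDK default instead of failing
      // with UnsupportedOperationException, which the catch below does not handle.
      if (tmpDir.toPath().getFileSystem().supportedFileAttributeViews().contains("posix")) {
        FileAttribute<Set<PosixFilePermission>> perms = PosixFilePermissions
            .asFileAttribute(PosixFilePermissions.fromString("rwx------"));
        workDir = Files.createTempDirectory(tmpDir.toPath(), "hadoop-unjar", perms).toFile();
      } else {
        workDir = Files.createTempDirectory(tmpDir.toPath(), "hadoop-unjar").toFile();
      }
    } catch (IOException | SecurityException e) {
      // … unchanged: error message, System.exit(-1), return …
```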