From 7e44f8308271958c3614ddb8a8dd1ea13d29fdb9 Mon Sep 17 00:00:00 2001 From: starlet-dx <15929766099@163.com> Date: Thu, 10 Oct 2024 09:49:11 +0800 Subject: [PATCH] Fix CVE-2024-47561 (cherry picked from commit d6e355b683266451ffd8fa02ad4101c9a884ded6) --- CVE-2024-47561.patch | 115 +++++++++++++++++++++++++++++++++++++++++++ avro.spec | 6 ++- 2 files changed, 120 insertions(+), 1 deletion(-) create mode 100644 CVE-2024-47561.patch diff --git a/CVE-2024-47561.patch b/CVE-2024-47561.patch new file mode 100644 index 0000000..3d0fced --- /dev/null +++ b/CVE-2024-47561.patch 
@@ -0,0 +1,115 @@
+From 8f89868d29272e3afea2ff8de8c85cb81a57d900 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?JB=20Onofr=C3=A9?=
+Date: Wed, 26 Jun 2024 15:16:40 +0200
+Subject: [PATCH] AVRO-3985: Add trusted packages support in SpecificData
+ (#2980)
+
+---
+ .../org/apache/avro/reflect/ReflectData.java | 10 ----
+ .../avro/specific/SpecificDatumReader.java | 47 ++++++++++++++++++-
+ 2 files changed, 46 insertions(+), 11 deletions(-)
+
+diff --git a/lang/java/avro/src/main/java/org/apache/avro/reflect/ReflectData.java b/lang/java/avro/src/main/java/org/apache/avro/reflect/ReflectData.java
+index ec490979477..8cfbdb0529c 100644
+--- a/lang/java/avro/src/main/java/org/apache/avro/reflect/ReflectData.java
++++ b/lang/java/avro/src/main/java/org/apache/avro/reflect/ReflectData.java
+@@ -427,16 +427,6 @@ private FieldAccessor getFieldAccessor(Class c, String fieldName) {
+ return null;
+ }
+
+- /** @deprecated Replaced by {@link SpecificData#CLASS_PROP} */
+- @Deprecated
+- static final String CLASS_PROP = "java-class";
+- /** @deprecated Replaced by {@link SpecificData#KEY_CLASS_PROP} */
+- @Deprecated
+- static final String KEY_CLASS_PROP = "java-key-class";
+- /** @deprecated Replaced by {@link SpecificData#ELEMENT_PROP} */
+- @Deprecated
+- static final String ELEMENT_PROP = "java-element-class";
+-
+ private static final Map CLASS_CACHE = new ConcurrentHashMap<>();
+
+ static Class getClassProp(Schema schema, String prop) {
+diff --git a/lang/java/avro/src/main/java/org/apache/avro/specific/SpecificDatumReader.java b/lang/java/avro/src/main/java/org/apache/avro/specific/SpecificDatumReader.java
+index d924c8e04b7..8950f165991 100644
+--- a/lang/java/avro/src/main/java/org/apache/avro/specific/SpecificDatumReader.java
++++ b/lang/java/avro/src/main/java/org/apache/avro/specific/SpecificDatumReader.java
+@@ -24,12 +24,25 @@
+ import org.apache.avro.io.ResolvingDecoder;
+ import org.apache.avro.util.ClassUtils;
+ import java.io.IOException;
++import java.util.ArrayList;
++import java.util.Arrays;
++import java.util.List;
+
+ /**
+ * {@link org.apache.avro.io.DatumReader DatumReader} for generated Java
+ * classes.
+ */
+ public class SpecificDatumReader extends GenericDatumReader {
++
++ public static final String[] SERIALIZABLE_PACKAGES;
++
++ static {
++ SERIALIZABLE_PACKAGES = System.getProperty("org.apache.avro.SERIALIZABLE_PACKAGES",
++ "java.lang,java.math,java.io,java.net,org.apache.avro.reflect").split(",");
++ }
++
++ private final List trustedPackages = new ArrayList<>();
++
+ public SpecificDatumReader() {
+ this(null, null, SpecificData.get());
+ }
+@@ -55,6 +68,7 @@ public SpecificDatumReader(Schema writer, Schema reader) {
+ */
+ public SpecificDatumReader(Schema writer, Schema reader, SpecificData data) {
+ super(writer, reader, data);
++ trustedPackages.addAll(Arrays.asList(SERIALIZABLE_PACKAGES));
+ }
+
+ /** Construct given a {@link SpecificData}. */
+@@ -101,12 +115,43 @@ private Class getPropAsClass(Schema schema, String prop) {
+ if (name == null)
+ return null;
+ try {
+- return ClassUtils.forName(getData().getClassLoader(), name);
++ Class clazz = ClassUtils.forName(getData().getClassLoader(), name);
++ checkSecurity(clazz);
++ return clazz;
+ } catch (ClassNotFoundException e) {
+ throw new AvroRuntimeException(e);
+ }
+ }
+
++ private boolean trustAllPackages() {
++ return (trustedPackages.size() == 1 && "*".equals(trustedPackages.get(0)));
++ }
++
++ private void checkSecurity(Class clazz) throws ClassNotFoundException {
++ if (trustAllPackages() || clazz.isPrimitive()) {
++ return;
++ }
++
++ boolean found = false;
++ Package thePackage = clazz.getPackage();
++ if (thePackage != null) {
++ for (String trustedPackage : getTrustedPackages()) {
++ if (thePackage.getName().equals(trustedPackage) || thePackage.getName().startsWith(trustedPackage + ".")) {
++ found = true;
++ break;
++ }
++ }
++ if (!found) {
++ throw new SecurityException("Forbidden " + clazz
++ + "! This class is not trusted to be included in Avro schema using java-class. Please set org.apache.avro.SERIALIZABLE_PACKAGES system property with the packages you trust.");
++ }
++ }
++ }
++
++ public final List getTrustedPackages() {
++ return trustedPackages;
++ }
++
+ @Override
+ protected Object readRecord(Object old, Schema expected, ResolvingDecoder in) throws IOException {
+ SpecificData data = getSpecificData();
diff --git a/avro.spec b/avro.spec index 7d41435..5a9e76d 100644 --- a/avro.spec +++ b/avro.spec @@ -3,7 +3,7 @@ Name: avro Version: 1.10.2 -Release: 5 +Release: 6 Summary: Data serialization system License: Apache-2.0 URL: http://avro.apache.org @@ -13,6 +13,7 @@ Source0: https://github.com/apache/avro/archive/refs/tags/release-1.10. Source1: xmvn-reactor Patch3000: CVE-2021-43045.patch Patch3001: CVE-2023-39410.patch +Patch3002: CVE-2024-47561.patch ExclusiveArch: aarch64 x86_64 @@ -111,6 +112,9 @@ install -m 0755 lang/java/tools/target/avro-tools-1.10.2-nodeps.jar %{buildroot} %{_datadir}/java/avro/avro-tools-nodeps.jar %changelog +* Thu Oct 10 2024 yaoxin - 1.10.2-6 +- Fix CVE-2024-47561 + * Tue Jul 02 2024 wangkai <13474090681@163.com> - 1.10.2-5 - Fix CVE-2023-39410 -- Gitee
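Review bot: In getPropAsClass the new guard runs only after the class has already been resolved — `Class clazz = ClassUtils.forName(getData().getClassLoader(), name); checkSecurity(clazz);` — so if ClassUtils.forName initialises the class (Class.forName with initialize=true, which is the behaviour the java-class attack behind this CVE leans on), an untrusted class's static initializer has already executed by the time the SecurityException is thrown; the package should be vetted from the name string before anything is loaded, keeping the post-load check as a second line of defence, as sketched below. checkSecurity(Class) is also fail-open when `clazz.getPackage()` returns null (array classes on Java 9+, default-package classes on 8): the `if (thePackage != null)` block simply falls through and the class is accepted, which the name-based pre-check closes for arrays by reducing `[Lcom.acme.Foo;` to its element name. Separately, ReflectData.getClassProp — whose signature is the last context line of the first hunk — is left in place and presumably still resolves the same properties through ClassUtils.forName; confirm whether ReflectDatumReader reaches it without passing through getPropAsClass, since that path would stay unguarded in this backport. getPropAsClass, trustAllPackages, checkSecurity and getTrustedPackages are fully inside the hunk; readRecord continues past its end.
```java
    if (name == null)
      return null;
    checkSecurity(name); // vet the name first: nothing is loaded yet, so no static initializer can run
    try {
      Class clazz = ClassUtils.forName(getData().getClassLoader(), name);
      // … unchanged: checkSecurity(clazz) as second line of defence, return, catch …

  /**
   * Name-based counterpart of checkSecurity(Class) that can run before the
   * class is loaded. Array names ("[Lcom.acme.Foo;") are reduced to their
   * element name; primitive and default-package names carry no package and
   * are left to the post-load check, as before.
   */
  private void checkSecurity(String className) {
    if (trustAllPackages()) {
      return;
    }
    String elementName = className;
    while (elementName.startsWith("[")) {
      elementName = elementName.substring(1);
    }
    if (elementName.startsWith("L") && elementName.endsWith(";")) {
      elementName = elementName.substring(1, elementName.length() - 1);
    }
    int dot = elementName.lastIndexOf('.');
    if (dot < 0) {
      return;
    }
    String packageName = elementName.substring(0, dot);
    for (String trustedPackage : getTrustedPackages()) {
      if (packageName.equals(trustedPackage) || packageName.startsWith(trustedPackage + ".")) {
        return;
      }
    }
    throw new SecurityException("Forbidden " + className
        + "! This class is not trusted to be included in Avro schema using java-class. Please set org.apache.avro.SERIALIZABLE_PACKAGES system property with the packages you trust.");
  }
  // … unchanged: trustAllPackages(), checkSecurity(Class), getTrustedPackages() …
```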