diff --git a/CVE-2024-47561.patch b/CVE-2024-47561.patch deleted file mode 100644 index 3d0fced2db63edcc68cc227292f54b370e4fc9d3..0000000000000000000000000000000000000000 --- a/CVE-2024-47561.patch +++ /dev/null 
@@ -1,115 +0,0 @@ -From 8f89868d29272e3afea2ff8de8c85cb81a57d900 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?JB=20Onofr=C3=A9?= -Date: Wed, 26 Jun 2024 15:16:40 +0200 -Subject: [PATCH] AVRO-3985: Add trusted packages support in SpecificData - (#2980) - ---- - .../org/apache/avro/reflect/ReflectData.java | 10 ---- - .../avro/specific/SpecificDatumReader.java | 47 ++++++++++++++++++- - 2 files changed, 46 insertions(+), 11 deletions(-) - -diff --git a/lang/java/avro/src/main/java/org/apache/avro/reflect/ReflectData.java b/lang/java/avro/src/main/java/org/apache/avro/reflect/ReflectData.java -index ec490979477..8cfbdb0529c 100644 ---- a/lang/java/avro/src/main/java/org/apache/avro/reflect/ReflectData.java -+++ b/lang/java/avro/src/main/java/org/apache/avro/reflect/ReflectData.java -@@ -427,16 +427,6 @@ private FieldAccessor getFieldAccessor(Class c, String fieldName) { - return null; - } - -- /** @deprecated Replaced by {@link SpecificData#CLASS_PROP} */ -- @Deprecated -- static final String CLASS_PROP = "java-class"; -- /** @deprecated Replaced by {@link SpecificData#KEY_CLASS_PROP} */ -- @Deprecated -- static final String KEY_CLASS_PROP = "java-key-class"; -- /** @deprecated Replaced by {@link SpecificData#ELEMENT_PROP} */ -- @Deprecated -- static final String ELEMENT_PROP = "java-element-class"; -- - private static final Map CLASS_CACHE = new ConcurrentHashMap<>(); - - static Class getClassProp(Schema schema, String prop) { -diff --git a/lang/java/avro/src/main/java/org/apache/avro/specific/SpecificDatumReader.java b/lang/java/avro/src/main/java/org/apache/avro/specific/SpecificDatumReader.java -index d924c8e04b7..8950f165991 100644 ---- a/lang/java/avro/src/main/java/org/apache/avro/specific/SpecificDatumReader.java -+++ b/lang/java/avro/src/main/java/org/apache/avro/specific/SpecificDatumReader.java -@@ -24,12 +24,25 @@ - import org.apache.avro.io.ResolvingDecoder; - import org.apache.avro.util.ClassUtils; - import java.io.IOException; -+import java.util.ArrayList; 
-+import java.util.Arrays; -+import java.util.List; - - /** - * {@link org.apache.avro.io.DatumReader DatumReader} for generated Java - * classes. - */ - public class SpecificDatumReader extends GenericDatumReader { -+ -+ public static final String[] SERIALIZABLE_PACKAGES; -+ -+ static { -+ SERIALIZABLE_PACKAGES = System.getProperty("org.apache.avro.SERIALIZABLE_PACKAGES", -+ "java.lang,java.math,java.io,java.net,org.apache.avro.reflect").split(","); -+ } -+ -+ private final List trustedPackages = new ArrayList<>(); -+ - public SpecificDatumReader() { - this(null, null, SpecificData.get()); - } -@@ -55,6 +68,7 @@ public SpecificDatumReader(Schema writer, Schema reader) { - */ - public SpecificDatumReader(Schema writer, Schema reader, SpecificData data) { - super(writer, reader, data); -+ trustedPackages.addAll(Arrays.asList(SERIALIZABLE_PACKAGES)); - } - - /** Construct given a {@link SpecificData}. */ -@@ -101,12 +115,43 @@ private Class getPropAsClass(Schema schema, String prop) { - if (name == null) - return null; - try { -- return ClassUtils.forName(getData().getClassLoader(), name); -+ Class clazz = ClassUtils.forName(getData().getClassLoader(), name); -+ checkSecurity(clazz); -+ return clazz; - } catch (ClassNotFoundException e) { - throw new AvroRuntimeException(e); - } - } - -+ private boolean trustAllPackages() { -+ return (trustedPackages.size() == 1 && "*".equals(trustedPackages.get(0))); -+ } -+ -+ private void checkSecurity(Class clazz) throws ClassNotFoundException { -+ if (trustAllPackages() || clazz.isPrimitive()) { -+ return; -+ } -+ -+ boolean found = false; -+ Package thePackage = clazz.getPackage(); -+ if (thePackage != null) { -+ for (String trustedPackage : getTrustedPackages()) { -+ if (thePackage.getName().equals(trustedPackage) || thePackage.getName().startsWith(trustedPackage + ".")) { -+ found = true; -+ break; -+ } -+ } -+ if (!found) { -+ throw new SecurityException("Forbidden " + clazz -+ + "! 
This class is not trusted to be included in Avro schema using java-class. Please set org.apache.avro.SERIALIZABLE_PACKAGES system property with the packages you trust."); -+ } -+ } -+ } -+ -+ public final List getTrustedPackages() { -+ return trustedPackages; -+ } -+ - @Override - protected Object readRecord(Object old, Schema expected, ResolvingDecoder in) throws IOException { - SpecificData data = getSpecificData(); diff --git a/avro-release-1.11.3.tar.gz b/avro-release-1.11.3.tar.gz deleted file mode 100644 index 367470a47fb56faaaa190cde1e5f3012392d24c4..0000000000000000000000000000000000000000 Binary files a/avro-release-1.11.3.tar.gz and /dev/null differ diff --git a/avro-release-1.12.0.tar.gz b/avro-release-1.12.0.tar.gz new file mode 100644 index 0000000000000000000000000000000000000000..9cf75346c1af6d90a9bed04db7d1cbb52ec0254d Binary files /dev/null and b/avro-release-1.12.0.tar.gz differ diff --git a/avro.spec b/avro.spec index a9a3f2ff65f05b08c72945e43829747611796ee8..a9576d3b37b1956a72ab6797a466385f7220ccf1 100644 --- a/avro.spec +++ b/avro.spec @@ -2,7 +2,7 @@ %global debug_package %{nil} Name: avro -Version: 1.11.3 +Version: 1.12.0 Release: 1 Summary: Data serialization system License: Apache-2.0 @@ -11,12 +11,11 @@ URL: http://avro.apache.org Source0: https://github.com/apache/avro/archive/refs/tags/avro-release-%{version}.tar.gz # file xmvn-reactor required by mvn_install to specify which jar package should be put in rpm Source1: xmvn-reactor -Patch3002: CVE-2024-47561.patch ExclusiveArch: aarch64 x86_64 -BuildRequires: maven maven-local java-1.8.0-openjdk-devel -Requires: java-1.8.0-openjdk +BuildRequires: maven maven-local java-11-openjdk-devel +Requires: java-11-openjdk %description Apache Avro is a data serialization system. 
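Review bot: Dropping `Patch3002: CVE-2024-47561.patch` is only safe if the 1.12.0 tarball already carries the fix, and nothing in the spec records that; the deleted patch's own header identifies it as upstream AVRO-3985 (#2980, dated 2024-06-26), which predates the 1.12.0 tag, so it is presumably included, but that should be verified rather than assumed. Please check that `lang/java/avro/src/main/java/org/apache/avro/specific/SpecificDatumReader.java` in `avro-release-1.12.0.tar.gz` contains the `org.apache.avro.SERIALIZABLE_PACKAGES` trusted-package check, and keep that fact next to the Source lines as `# CVE-2024-47561 (AVRO-3985) is fixed upstream as of 1.12.0; no patch needed`. The move from `java-1.8.0-openjdk` to `java-11-openjdk` in both `BuildRequires` and `Requires` is likewise unexplained; a one-line comment that 1.12.0 no longer builds on Java 8 (if that is the reason) would save the next maintainer from trying to revert it.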
@@ -40,13 +39,19 @@ sed -i 's/\//\\\//g' absolute_prefix.log absolute_prefix=`head -n 1 absolute_prefix.log` sed -i 's/absolute-prefix/'"$absolute_prefix"'/g' .xmvn-reactor %pom_remove_plugin -r :maven-enforcer-plugin +%pom_remove_plugin -r :maven-jar-plugin +%pom_remove_plugin -r :maven-toolchains-plugin +%pom_remove_plugin -r :maven-checkstyle-plugin +%pom_remove_plugin -r :exec-maven-plugin +%pom_remove_plugin -r :spotless-maven-plugin %build +export JAVA_HOME=%{_jvmdir}/java-11-openjdk for module in avro compiler maven-plugin ipc ipc-jetty ipc-netty tools mapred protobuf thrift archetypes grpc integration-test perf;do pushd lang/java/${module} mvn package -Dcheckstyle.skip=true -Dmaven.test.skip=true -Dhadoop.version=%{HADOOP_VERSION} -P hadoop2 popd -done +done pushd lang/java/trevni/avro mvn package -Dcheckstyle.skip=true -Dmaven.test.skip=true -Dhadoop.version=%{HADOOP_VERSION} -P hadoop2 @@ -83,6 +88,7 @@ pushd lang/java/tools/target rm -rf linux/arm rm -rf linux/mips64 rm -rf linux/loongarch64 + rm -rf linux/riscv64 %endif %ifarch aarch64 rm -rf freebsd/i386 @@ -90,6 +96,7 @@ pushd lang/java/tools/target rm -rf linux/i386 rm -rf linux/amd64 rm -rf linux/loongarch64 + rm -rf linux/riscv64 rm -rf freebsd/amd64 rm -rf org/xerial/snappy/native/SunOS/x86_64 rm -rf org/xerial/snappy/native/SunOS/x86 
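Review bot: The five new `%pom_remove_plugin -r` lines give no rationale, and two of them are not check-only plugins: `maven-jar-plugin` typically holds the manifest configuration for the built jars (for example the tools jar's main class) and `exec-maven-plugin` may run build steps, so removing them recursively can change the produced artifacts rather than just skip validation, unlike `checkstyle`, `spotless` and `toolchains`. Please add a comment above the block along the lines of `# plugins unavailable in the build root; jar/exec removal may alter manifests, verify built jars` and confirm after the build that `avro-tools-1.12.0.jar` still runs as an executable jar. Combined with the pre-existing removal of `maven-enforcer-plugin` and `-Dmaven.test.skip=true`, no upstream dependency-convergence rule or test now runs in this build, so transitive dependency versions are taken purely on trust from the upstream pom. The new `export JAVA_HOME=%{_jvmdir}/java-11-openjdk` should match the `BuildRequires` declared earlier in the spec, outside this hunk.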
@@ -107,15 +114,21 @@ popd %install %mvn_install -install -d -m 0755 %{buildroot}%{_datadir}/java/%{name} -install -m 0755 lang/java/tools/target/avro-tools-1.11.3-nodeps.jar %{buildroot}%{_datadir}/java/%{name}/avro-tools-nodeps.jar %files -f .mfiles %doc README.md %license LICENSE.txt NOTICE.txt -%{_datadir}/java/avro/avro-tools-nodeps.jar %changelog +* Mon Sep 22 2025 yaoxin <1024769339@qq.com> - 1.12.0-1 +- Update to 1.12.0: + * [AVRO-3490]: Fix IDE0016 Use throw expression + * [AVRO-3491]: Fix IDE0020 Use pattern matching to avoid 'is' check followed by a cast + * [AVRO-3497]: Fix IDE0075 Simplify conditional expression + * [AVRO-3499]: Fix IDE0079 Remove unnecessary suppression + * [AVRO-3232]: Rust deserializer: add missing matches to deserialize_any union and string/map + * [AVRO-3234]: Rust: Add new codec: zstandard + * Tue Nov 26 2024 Ge Wang - 1.11.3-1 - Update to version 1.11.3 diff --git a/xmvn-reactor b/xmvn-reactor index 664ce1100103b40ec1b9c5ccba685fdc5234810b..de2e8d044b89bdbe42d8f54bf227aada45b20341 100644 --- a/xmvn-reactor +++ b/xmvn-reactor @@ -4,8 +4,8 @@ org.apache.avro avro - 1.11.3 - absolute-prefix/lang/java/avro/target/avro-1.11.3.jar + 1.12.0 + absolute-prefix/lang/java/avro/target/avro-1.12.0.jar jar 1.6 @@ -15,7 +15,7 @@ org.apache.avro avro pom - 1.11.3 + 1.12.0 absolute-prefix/lang/java/avro/pom.xml jar @@ -26,8 +26,8 @@ org.apache.avro avro-compiler - 1.11.3 - absolute-prefix/lang/java/compiler/target/avro-compiler-1.11.3.jar + 1.12.0 + absolute-prefix/lang/java/compiler/target/avro-compiler-1.12.0.jar jar 1.6 @@ -37,7 +37,7 @@ org.apache.avro avro-compiler pom - 1.11.3 + 1.12.0 absolute-prefix/lang/java/compiler/pom.xml jar @@ -48,8 +48,8 @@ org.apache.avro avro-maven-plugin - 1.11.3 - absolute-prefix/lang/java/maven-plugin/target/avro-maven-plugin-1.11.3.jar + 1.12.0 + absolute-prefix/lang/java/maven-plugin/target/avro-maven-plugin-1.12.0.jar jar 1.6 
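Review bot: The new changelog entry lists .NET (`IDE00xx`) and Rust items that do not affect this Java RPM while omitting the three changes in this commit that consumers need to know about: the CVE-2024-47561 patch is dropped because the fix is upstream, the runtime dependency moves from java-1.8.0-openjdk to java-11-openjdk, and `%{_datadir}/java/avro/avro-tools-nodeps.jar` is no longer installed or listed in `%files`. I would replace the sub-bullets with `- Drop CVE-2024-47561.patch, fixed upstream (AVRO-3985)`, `- Build with and require java-11-openjdk`, `- Stop shipping avro-tools-nodeps.jar`. Removing the nodeps jar is an interface change for anything that references that path; if it was dropped only because the install line hard-coded the `1.11.3` filename, using `%{version}` there would have preserved it. It is also worth noting in the changelog that, per the dropped patch, the upstream fix rejects `java-class` schema properties outside the `org.apache.avro.SERIALIZABLE_PACKAGES` allow-list with a SecurityException, which applications may first encounter after this update.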
@@ -59,7 +59,7 @@ org.apache.avro avro-maven-plugin pom - 1.11.3 + 1.12.0 absolute-prefix/lang/java/maven-plugin/pom.xml jar @@ -70,8 +70,8 @@ org.apache.avro avro-ipc - 1.11.3 - absolute-prefix/lang/java/ipc/target/avro-ipc-1.11.3.jar + 1.12.0 + absolute-prefix/lang/java/ipc/target/avro-ipc-1.12.0.jar jar 1.6 @@ -81,7 +81,7 @@ org.apache.avro avro-ipc pom - 1.11.3 + 1.12.0 absolute-prefix/lang/java/ipc/pom.xml jar @@ -92,8 +92,8 @@ org.apache.avro avro-ipc-jetty - 1.11.3 - absolute-prefix/lang/java/ipc-jetty/target/avro-ipc-jetty-1.11.3.jar + 1.12.0 + absolute-prefix/lang/java/ipc-jetty/target/avro-ipc-jetty-1.12.0.jar jar 1.6 @@ -103,7 +103,7 @@ org.apache.avro avro-ipc-jetty pom - 1.11.3 + 1.12.0 absolute-prefix/lang/java/ipc-jetty/pom.xml jar @@ -114,8 +114,8 @@ org.apache.avro avro-ipc-netty - 1.11.3 - absolute-prefix/lang/java/ipc-netty/target/avro-ipc-netty-1.11.3.jar + 1.12.0 + absolute-prefix/lang/java/ipc-netty/target/avro-ipc-netty-1.12.0.jar jar 1.6 @@ -125,7 +125,7 @@ org.apache.avro avro-ipc-netty pom - 1.11.3 + 1.12.0 absolute-prefix/lang/java/ipc-netty/pom.xml jar @@ -136,8 +136,8 @@ org.apache.avro trevni-core - 1.11.3 - absolute-prefix/lang/java/trevni/core/target/trevni-core-1.11.3.jar + 1.12.0 + absolute-prefix/lang/java/trevni/core/target/trevni-core-1.12.0.jar jar 1.6 @@ -147,7 +147,7 @@ org.apache.avro trevni-core pom - 1.11.3 + 1.12.0 absolute-prefix/lang/java/trevni/core/pom.xml jar @@ -158,8 +158,8 @@ org.apache.avro trevni-avro - 1.11.3 - absolute-prefix/lang/java/trevni/avro/target/trevni-avro-1.11.3.jar + 1.12.0 + absolute-prefix/lang/java/trevni/avro/target/trevni-avro-1.12.0.jar jar 1.6 @@ -169,7 +169,7 @@ org.apache.avro trevni-avro pom - 1.11.3 + 1.12.0 absolute-prefix/lang/java/trevni/avro/pom.xml jar @@ -180,8 +180,8 @@ org.apache.avro avro-tools - 1.11.3 - absolute-prefix/lang/java/tools/target/avro-tools-1.11.3.jar + 1.12.0 + absolute-prefix/lang/java/tools/target/avro-tools-1.12.0.jar jar 1.6 
@@ -191,7 +191,7 @@ org.apache.avro avro-tools pom - 1.11.3 + 1.12.0 absolute-prefix/lang/java/tools/pom.xml jar @@ -202,8 +202,8 @@ org.apache.avro avro-mapred - 1.11.3 - absolute-prefix/lang/java/mapred/target/avro-mapred-1.11.3.jar + 1.12.0 + absolute-prefix/lang/java/mapred/target/avro-mapred-1.12.0.jar jar 1.6 @@ -213,7 +213,7 @@ org.apache.avro avro-mapred pom - 1.11.3 + 1.12.0 absolute-prefix/lang/java/mapred/pom.xml jar @@ -224,8 +224,8 @@ org.apache.avro avro-protobuf - 1.11.3 - absolute-prefix/lang/java/protobuf/target/avro-protobuf-1.11.3.jar + 1.12.0 + absolute-prefix/lang/java/protobuf/target/avro-protobuf-1.12.0.jar jar 1.6 @@ -235,7 +235,7 @@ org.apache.avro avro-protobuf pom - 1.11.3 + 1.12.0 absolute-prefix/lang/java/protobuf/pom.xml jar @@ -246,8 +246,8 @@ org.apache.avro avro-thrift - 1.11.3 - absolute-prefix/lang/java/thrift/target/avro-thrift-1.11.3.jar + 1.12.0 + absolute-prefix/lang/java/thrift/target/avro-thrift-1.12.0.jar jar 1.6 @@ -257,7 +257,7 @@ org.apache.avro avro-thrift pom - 1.11.3 + 1.12.0 absolute-prefix/lang/java/thrift/pom.xml jar @@ -268,8 +268,8 @@ org.apache.avro avro-service-archetype - 1.11.3 - absolute-prefix/lang/java/archetypes/avro-service-archetype/target/avro-service-archetype-1.11.3.jar + 1.12.0 + absolute-prefix/lang/java/archetypes/avro-service-archetype/target/avro-service-archetype-1.12.0.jar jar 1.6 @@ -279,7 +279,7 @@ org.apache.avro avro-service-archetype pom - 1.11.3 + 1.12.0 absolute-prefix/lang/java/archetypes/avro-service-archetype/pom.xml jar @@ -290,8 +290,8 @@ org.apache.avro avro-grpc - 1.11.3 - absolute-prefix/lang/java/grpc/target/avro-grpc-1.11.3.jar + 1.12.0 + absolute-prefix/lang/java/grpc/target/avro-grpc-1.12.0.jar jar 1.6 @@ -301,7 +301,7 @@ org.apache.avro avro-grpc pom - 1.11.3 + 1.12.0 absolute-prefix/lang/java/grpc/pom.xml jar 
@@ -312,8 +312,8 @@ org.apache.avro avro-perf - 1.11.3 - absolute-prefix/lang/java/perf/target/avro-perf-1.11.3.jar + 1.12.0 + absolute-prefix/lang/java/perf/target/avro-perf-1.12.0.jar jar 1.6 @@ -323,7 +323,7 @@ org.apache.avro avro-perf pom - 1.11.3 + 1.12.0 absolute-prefix/lang/java/perf/pom.xml jar @@ -335,7 +335,7 @@ org.apache.avro avro-parent pom - 1.11.3 + 1.12.0 absolute-prefix/lang/java/pom.xml jar @@ -347,7 +347,7 @@ org.apache.avro avro-toplevel pom - 1.11.3 + 1.12.0 absolute-prefix/pom.xml jar