diff --git a/backport-CVE-2022-34916.patch b/backport-CVE-2022-34916.patch
new file mode 100644
index 0000000000000000000000000000000000000000..be212685139cca1326d83394dfad4c7991746d09
--- /dev/null
+++ b/backport-CVE-2022-34916.patch
@@ -0,0 +1,101 @@
+From 547bab53e4956653fbea32d1b88af5dc3b582db4 Mon Sep 17 00:00:00 2001
+From: root
+Date: Mon, 22 Aug 2022 16:05:52 +0800
+Subject: [PATCH] FLUME-3428 - Validate the parameter
+
+author Ralph Goers
+Sat, 30 Jul 2022 16:16:17 +0800 (01:16 -0700)
+committer Ralph Goers
+Sat, 30 Jul 2022 16:16:17 +0800 (01:16 -0700)
+---
+ .../flume/source/jms/JMSMessageConsumer.java | 15 +++++++++++++++
+ .../source/jms/JMSMessageConsumerTestBase.java | 8 +++++++-
+ .../flume/source/jms/TestJMSMessageConsumer.java | 6 ++++++
+ 3 files changed, 28 insertions(+), 1 deletion(-)
+
+diff --git a/flume-ng-sources/flume-jms-source/src/main/java/org/apache/flume/source/jms/JMSMessageConsumer.java b/flume-ng-sources/flume-jms-source/src/main/java/org/apache/flume/source/jms/JMSMessageConsumer.java
+index 645cbcc..5375bd0 100644
+--- a/flume-ng-sources/flume-jms-source/src/main/java/org/apache/flume/source/jms/JMSMessageConsumer.java
++++ b/flume-ng-sources/flume-jms-source/src/main/java/org/apache/flume/source/jms/JMSMessageConsumer.java
+@@ -35,11 +35,14 @@ import javax.jms.Session;
+ import javax.jms.Topic;
+ import javax.naming.InitialContext;
+ import javax.naming.NamingException;
++import java.net.URI;
++import java.net.URISyntaxException;
+ import java.util.ArrayList;
+ import java.util.List;
+
+ class JMSMessageConsumer {
+ private static final Logger logger = LoggerFactory.getLogger(JMSMessageConsumer.class);
++ private static final String JAVA_SCHEME = "java";
+
+ private final int batchSize;
+ private final long pollTimeout;
+@@ -99,6 +102,14 @@ class JMSMessageConsumer {
+ throw new IllegalStateException(String.valueOf(destinationType));
+ }
+ } else {
++ try {
++ URI uri = new URI(destinationName);
++ String scheme = uri.getScheme();
++ assertTrue(scheme == null || scheme.equals(JAVA_SCHEME),
++ "Unsupported JNDI URI: " + destinationName);
++ } catch (URISyntaxException ex) {
++ logger.warn("Invalid JNDI URI - {}", destinationName);
++ }
+ destination = (Destination) initialContext.lookup(destinationName);
+ }
+ } catch (JMSException e) {
+@@ -209,4 +220,8 @@ class JMSMessageConsumer {
+ logger.error("Could not destroy connection", e);
+ }
+ }
++
++ private void assertTrue(boolean arg, String msg) {
++ Preconditions.checkArgument(arg, msg);
++ }
+ }
+diff --git a/flume-ng-sources/flume-jms-source/src/test/java/org/apache/flume/source/jms/JMSMessageConsumerTestBase.java b/flume-ng-sources/flume-jms-source/src/test/java/org/apache/flume/source/jms/JMSMessageConsumerTestBase.java
+index b3bce78..aa96458 100644
+--- a/flume-ng-sources/flume-jms-source/src/test/java/org/apache/flume/source/jms/JMSMessageConsumerTestBase.java
++++ b/flume-ng-sources/flume-jms-source/src/test/java/org/apache/flume/source/jms/JMSMessageConsumerTestBase.java
+@@ -129,11 +129,17 @@ public abstract class JMSMessageConsumerTestBase {
+ }
+ }
+
+- JMSMessageConsumer create() {
++ JMSMessageConsumer create(JMSDestinationType destinationType,
++ JMSDestinationLocator destinationLocator, String destinationName) {
+ return new JMSMessageConsumer(WONT_USE, connectionFactory, destinationName,
+ destinationLocator, destinationType, messageSelector, batchSize,
+ pollTimeout, converter, userName, password, Optional.absent(), false, "");
+ }
++
++ JMSMessageConsumer create() {
++ return create(this.destinationType, this.destinationLocator, this.destinationName);
++ }
++
+ @After
+ public void tearDown() throws Exception {
+ beforeTearDown();
+diff --git a/flume-ng-sources/flume-jms-source/src/test/java/org/apache/flume/source/jms/TestJMSMessageConsumer.java b/flume-ng-sources/flume-jms-source/src/test/java/org/apache/flume/source/jms/TestJMSMessageConsumer.java
+index e7c5f29..636ffc3 100644
+--- a/flume-ng-sources/flume-jms-source/src/test/java/org/apache/flume/source/jms/TestJMSMessageConsumer.java
++++ b/flume-ng-sources/flume-jms-source/src/test/java/org/apache/flume/source/jms/TestJMSMessageConsumer.java
+@@ -93,6 +93,12 @@ public class TestJMSMessageConsumer extends JMSMessageConsumerTestBase {
+ verify(connection).close();
+ }
+ }
++
++ @Test(expected = IllegalArgumentException.class)
++ public void testInvalidDestination() throws Exception {
++ create(null, JMSDestinationLocator.JNDI, "ldap://localhost:389/test");
++ }
++
+ @Test(expected = IllegalArgumentException.class)
+ public void testInvalidBatchSizeZero() throws Exception {
+ batchSize = 0;
+--
+2.33.0
+
diff --git a/flume.spec b/flume.spec
index b6b93a7f72f40eb1fd6ab625eb64e103e4886eaf..8e275c6a68beac96298470cce187fc5251b1b33b 100644
--- a/flume.spec
+++ b/flume.spec
@@ -1,6 +1,6 @@
 Name: flume
 Version: 1.10.0
-Release: 1
+Release: 2
 Summary: Apache Flume is a distributed, reliable, and availble service for efficiently collecting, aggregating, and moving large amounts of log data.
 License: Public Domain and MIT and Apache 2.0
@@ -14,6 +14,8 @@ Source4: eigenbase-properties-1.1.4.jar
 Source5: linq4j-0.4.jar
 Source6: quidem-0.1.1.jar
+Patch6000: backport-CVE-2022-34916.patch
+
 BuildRequires: java-1.8.0-openjdk-devel maven xmvn xmvn-install gradle-local maven-local
 Requires: java-1.8.0-openjdk
@@ -28,7 +30,7 @@ allows for intelligent dynamic management. It uses a simple extensible data mode
 for online analytic application.
 %prep
-%setup -q -n apache-flume-1.10.0-src
+%autosetup -n apache-flume-1.10.0-src -p1
 mvn install:install-file -DgroupId=ua_parser -DartifactId=ua-parser -Dversion=1.3.0 -Dpackaging=jar -Dfile=%{SOURCE1}
 mvn install:install-file -DgroupId=org.pentaho -DartifactId=pentaho-aggdesigner-algorithm -Dversion=5.1.5-jhyde -Dpackaging=jar -Dfile=%{SOURCE2}
 mvn install:install-file -DgroupId=eigenbase -DartifactId=eigenbase-properties -Dversion=1.1.4 -Dpackaging=jar -Dfile=%{SOURCE4}
@@ -95,6 +97,12 @@ popd
 %dir %{_javadir}/%{name}
 %changelog
+* Mon Aug 22 2022 yinyongkang - 1.10.0-2
+- Type:CVE
+- ID:CVE-2022-34916
+- SUG:NA
+- DESC:Fix CVE-2022-34916
+
 * Wed Aug 3 2022 xiexing - 1.10.0-1
 - fix cve problem
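Review bot: The catch branch in the JMSMessageConsumer hunk (`@@ -99,6 +102,14 @@`) only logs `Invalid JNDI URI - {}` and then falls through to `destination = (Destination) initialContext.lookup(destinationName)`, so a destination name that `java.net.URI` rejects is still handed to JNDI without the scheme check ever having run. Since the purpose of the backport is to refuse non-`java` schemes before the lookup, the validation should fail closed rather than warn: `throw new IllegalArgumentException("Invalid JNDI URI - " + destinationName, ex);` keeps the cause and matches the `IllegalArgumentException` the new `testInvalidDestination` test already expects, and a second test with a syntactically invalid name would pin it. Whether JNDI would accept a name that `URI` rejects is outside this hunk, which is exactly why rejecting it here is the safer default. Separately, the new `assertTrue` helper relies on `Preconditions`, whose import is not in this hunk — presumably already present above line 35, but worth confirming before the patch is applied.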