diff --git a/0006-Enhance-access-control-for-RunJar.patch b/0006-Enhance-access-control-for-RunJar.patch
new file mode 100644
index 0000000000000000000000000000000000000000..a3b82924cb67a651610a43122cd29cdde261d9be
--- /dev/null
+++ b/0006-Enhance-access-control-for-RunJar.patch
@@ -0,0 +1,58 @@
+From 7c30e7ffb65f9a58a85b3b556f8c0de04c1b4b20 Mon Sep 17 00:00:00 2001
+From: He Xiaoqiao
+Date: Mon, 15 Jan 2024 16:01:08 +0800
+Subject: [PATCH] HADOOP-19031. Enhance access control for RunJar.
+
+---
+ .../java/org/apache/hadoop/util/RunJar.java | 17 ++++++++++-------
+ 1 file changed, 10 insertions(+), 7 deletions(-)
+
+diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/RunJar.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/RunJar.java
+index 239d464..20c2d13 100644
+--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/RunJar.java
++++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/RunJar.java
+@@ -28,10 +28,15 @@ import java.lang.reflect.Method;
+ import java.net.MalformedURLException;
+ import java.net.URL;
+ import java.net.URLClassLoader;
++import java.nio.file.Files;
++import java.nio.file.attribute.FileAttribute;
++import java.nio.file.attribute.PosixFilePermission;
++import java.nio.file.attribute.PosixFilePermissions;
+ import java.util.ArrayList;
+ import java.util.Arrays;
+ import java.util.Enumeration;
+ import java.util.List;
++import java.util.Set;
+ import java.util.jar.JarEntry;
+ import java.util.jar.JarFile;
+ import java.util.jar.JarInputStream;
+@@ -278,20 +283,18 @@ public class RunJar {
+
+ final File workDir;
+ try {
+- workDir = File.createTempFile("hadoop-unjar", "", tmpDir);
+- } catch (IOException ioe) {
++ FileAttribute> perms = PosixFilePermissions
++ .asFileAttribute(PosixFilePermissions.fromString("rwx------"));
++ workDir = Files.createTempDirectory(tmpDir.toPath(), "hadoop-unjar", perms).toFile();
++ } catch (IOException | SecurityException e) {
+ // If user has insufficient perms to write to tmpDir, default
+ // "Permission denied" message doesn't specify a filename.
+ System.err.println("Error creating temp dir in java.io.tmpdir "
+- + tmpDir + " due to " + ioe.getMessage());
++ + tmpDir + " due to " + e.getMessage());
+ System.exit(-1);
+ return;
+ }
+
+- if (!workDir.delete()) {
+- System.err.println("Delete failed for " + workDir);
+- System.exit(-1);
+- }
+ ensureDirectory(workDir);
+
+ ShutdownHookManager.get().addShutdownHook(
+--
+2.43.0
+
diff --git a/hadoop-3.1.spec b/hadoop-3.1.spec
index 3a16db87c49e12c9749277dc4708edf3ee3b9d2c..2e4fd4ff10398f5c7889e1f06b077cf81993f826 100644
--- a/hadoop-3.1.spec
+++ b/hadoop-3.1.spec
@@ -12,7 +12,7 @@ %define _binaries_in_noarch_packages_terminate_build 0 Name: hadoop-3.1 Version: 3.1.4 -Release: 8 +Release: 9 Summary: A software platform for processing vast amounts of data # The BSD license file is missing # https://issues.apache.org/jira/browse/HADOOP-9849
@@ -38,7 +38,7 @@ Patch2: 0002-bugfix-invalid-variable-name.patch Patch3: 0003-compatible-with-gcc12.patch Patch4: 0004-fix_build_issue_on_riscv.patch Patch5: 0005-upgrade_os-maven_plugin_to_1.7.1.patch - +Patch6: 0006-Enhance-access-control-for-RunJar.patch BuildRoot: %{_tmppath}/%{real_name}-%{version}-%{release}-root BuildRequires: java-1.8.0-openjdk-devel maven hostname maven-local tomcat cmake snappy openssl-devel
@@ -1130,6 +1130,9 @@ fi %config(noreplace) %{_sysconfdir}/%{real_name}/container-executor.cfg %changelog +* Mon Oct 14 2024 Deyuan Fan - 3.1.4-9 +- fix CVE-2024-23454 + * Sun May 12 2024 Dingli Zhang - 3.1.4-8 - Fix build on riscv64 - Upgrade os-maven-plugin to 1.7.1
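Review bot: In the RunJar.java hunk at `@@ -278,20 +283,18 @@` of the added patch, `Files.createTempDirectory(tmpDir.toPath(), "hadoop-unjar", perms)` requests the `rwx------` attribute unconditionally. On a file system with no POSIX attribute view that call throws `UnsupportedOperationException`, which `catch (IOException | SecurityException e)` does not cover, so the run would abort with a stack trace rather than the readable message. I would check `supportedFileAttributeViews()` for `"posix"` first and create the directory without the attribute otherwise, leaving restriction on such platforms to the permissions inherited from `java.io.tmpdir`. The generic type on `perms` appears stripped on this page (`FileAttribute> perms`), so the fence spells it out as the added imports imply. The enclosing method starts and ends outside the hunk, and the following `ensureDirectory(workDir)` call looks redundant now, though its body is not visible here.

```java
    try {
      if (tmpDir.toPath().getFileSystem().supportedFileAttributeViews().contains("posix")) {
        FileAttribute<Set<PosixFilePermission>> perms = PosixFilePermissions
            .asFileAttribute(PosixFilePermissions.fromString("rwx------"));
        workDir = Files.createTempDirectory(tmpDir.toPath(), "hadoop-unjar", perms).toFile();
      } else {
        // No POSIX attribute view: requesting "rwx------" would throw
        // UnsupportedOperationException, so use the platform default instead.
        workDir = Files.createTempDirectory(tmpDir.toPath(), "hadoop-unjar").toFile();
      }
    } catch (IOException | SecurityException e) {
      // … unchanged: error message, System.exit(-1) and return …
```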