packages/spark
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2024-23945

Browse Source
This commit is contained in:
changtao 2024-11-19 22:45:09 +08:00
parent edf5d286da
commit f7baec6631
2 changed files with 60 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

51
backport-CVE-2024-23945.patch Normal file
View File

@ -0,0 +1,51 @@
From cf59b1f51c16301f689b4e0f17ba4dbd140e1b19 Mon Sep 17 00:00:00 2001
From: Sean Owen <srowen@gmail.com>
Date: Tue, 17 Oct 2023 16:10:56 -0700
Subject: [PATCH] [MINOR][SQL] Remove signature from Hive thriftserver
exception
### What changes were proposed in this pull request?
Don't return expected signature to caller in Hive thriftserver exception
### Why are the changes needed?
Please see private discussion
### Does this PR introduce _any_ user-facing change?
No
### How was this patch tested?
Existing tests
### Was this patch authored or co-authored using generative AI tooling?
No
Closes #43402 from srowen/HiveCookieSigner.
Authored-by: Sean Owen <srowen@gmail.com>
Signed-off-by: Dongjoon Hyun <dhyun@apple.com>
---
.../src/main/java/org/apache/hive/service/CookieSigner.java | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/sql/hive-thriftserver/src/main/java/org/apache/hive/service/CookieSigner.java b/sql/hive-thriftserver/src/main/java/org/apache/hive/service/CookieSigner.java
index 782e47a6..4b8d2cb1 100644
--- a/sql/hive-thriftserver/src/main/java/org/apache/hive/service/CookieSigner.java
+++ b/sql/hive-thriftserver/src/main/java/org/apache/hive/service/CookieSigner.java
@@ -81,8 +81,7 @@ public class CookieSigner {
LOG.debug("Signature generated for " + rawValue + " inside verify is " + currentSignature);
}
if (!MessageDigest.isEqual(originalSignature.getBytes(), currentSignature.getBytes())) {
- throw new IllegalArgumentException("Invalid sign, original = " + originalSignature +
- " current = " + currentSignature);
+ throw new IllegalArgumentException("Invalid sign");
}
return rawValue;
}
--
2.41.0

10
spark.spec
View File

@ -4,7 +4,7 @@
Summary: A unified analytics engine for large-scale data processing. Summary: A unified analytics engine for large-scale data processing.
Name: spark Name: spark
Version: 3.5.0 Version: 3.5.0
Release: 4 Release: 5
License: Apache 2.0 License: Apache 2.0
URL: http://spark.apache.org/ URL: http://spark.apache.org/
Source0: https://github.com/apache/spark/archive/v%{version}.tar.gz Source0: https://github.com/apache/spark/archive/v%{version}.tar.gz
@ -16,6 +16,7 @@ Source5: https://github.com/google/protobuf/releases/download/v21.7/protobuf-all
Source6: https://github.com/grpc/grpc-java/archive/refs/tags/v1.56.0.tar.gz Source6: https://github.com/grpc/grpc-java/archive/refs/tags/v1.56.0.tar.gz
Patch0001: 0001-change-mvn-scalafmt.patch Patch0001: 0001-change-mvn-scalafmt.patch
Patch0002: 0002-Upgrade-os-maven-plugin-to-1.7.1.patch Patch0002: 0002-Upgrade-os-maven-plugin-to-1.7.1.patch
Patch0003: backport-CVE-2024-23945.patch
%ifarch riscv64 %ifarch riscv64
BuildRequires: protobuf-devel protobuf-compiler BuildRequires: protobuf-devel protobuf-compiler
@ -76,6 +77,7 @@ popd
%patch0001 -p1 %patch0001 -p1
%patch0002 -p1 %patch0002 -p1
%patch0003 -p1
%ifarch riscv64 %ifarch riscv64
sed -i -e 's/protoVersion = "3.23.4/protoVersion = "'${PROTOC_VERSION}/'' project/SparkBuild.scala sed -i -e 's/protoVersion = "3.23.4/protoVersion = "'${PROTOC_VERSION}/'' project/SparkBuild.scala
@ -97,6 +99,12 @@ cp -rf ../%{name}-%{version} %{buildroot}/opt/apache-%{name}-%{version}
%changelog %changelog
* Thu Jan 2025 changtao <changtao@kylinos.cn> - 3.5.0-5
- Type: CVE
- CVE: CVE-2024-23945
- SUG: NA
- DESC: fix CVE-2024-23945
* Tue Oct 15 2024 Wenlong Zhang <zhangwenlong@loongson.cn> - 3.5.0-4 * Tue Oct 15 2024 Wenlong Zhang <zhangwenlong@loongson.cn> - 3.5.0-4
- add loongarch64 to ExclusiveArch - add loongarch64 to ExclusiveArch