Fix CVE-2024-47561

(cherry picked from commit d6e355b683266451ffd8fa02ad4101c9a884ded6)
2024-10-10 09:49:11 +08:00 · 2024-10-10 09:49:11 +08:00 · 7e44f83082
commit 7e44f83082
parent 5a0a9ca8f6
2 changed files with 120 additions and 1 deletions
--- a/CVE-2024-47561.patch
+++ b/CVE-2024-47561.patch
@ -0,0 +1,115 @@
+From 8f89868d29272e3afea2ff8de8c85cb81a57d900 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?JB=20Onofr=C3=A9?= <jbonofre@apache.org>
+Date: Wed, 26 Jun 2024 15:16:40 +0200
+Subject: [PATCH] AVRO-3985: Add trusted packages support in SpecificData
+ (#2980)
+
+---
+ .../org/apache/avro/reflect/ReflectData.java  | 10 ----
+ .../avro/specific/SpecificDatumReader.java    | 47 ++++++++++++++++++-
+ 2 files changed, 46 insertions(+), 11 deletions(-)
+
+diff --git a/lang/java/avro/src/main/java/org/apache/avro/reflect/ReflectData.java b/lang/java/avro/src/main/java/org/apache/avro/reflect/ReflectData.java
+index ec490979477..8cfbdb0529c 100644
+--- a/lang/java/avro/src/main/java/org/apache/avro/reflect/ReflectData.java
+++ b/lang/java/avro/src/main/java/org/apache/avro/reflect/ReflectData.java
+@@ -427,16 +427,6 @@ private FieldAccessor getFieldAccessor(Class<?> c, String fieldName) {
+     return null;
+   }
+ 
+-  /** @deprecated Replaced by {@link SpecificData#CLASS_PROP} */
+-  @Deprecated
+-  static final String CLASS_PROP = "java-class";
+-  /** @deprecated Replaced by {@link SpecificData#KEY_CLASS_PROP} */
+-  @Deprecated
+-  static final String KEY_CLASS_PROP = "java-key-class";
+-  /** @deprecated Replaced by {@link SpecificData#ELEMENT_PROP} */
+-  @Deprecated
+-  static final String ELEMENT_PROP = "java-element-class";
+-
+   private static final Map<String, Class> CLASS_CACHE = new ConcurrentHashMap<>();
+ 
+   static Class getClassProp(Schema schema, String prop) {
+diff --git a/lang/java/avro/src/main/java/org/apache/avro/specific/SpecificDatumReader.java b/lang/java/avro/src/main/java/org/apache/avro/specific/SpecificDatumReader.java
+index d924c8e04b7..8950f165991 100644
+--- a/lang/java/avro/src/main/java/org/apache/avro/specific/SpecificDatumReader.java
+++ b/lang/java/avro/src/main/java/org/apache/avro/specific/SpecificDatumReader.java
+@@ -24,12 +24,25 @@
+ import org.apache.avro.io.ResolvingDecoder;
+ import org.apache.avro.util.ClassUtils;
+ import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
+ 
+ /**
+  * {@link org.apache.avro.io.DatumReader DatumReader} for generated Java
+  * classes.
+  */
+ public class SpecificDatumReader<T> extends GenericDatumReader<T> {
+
+  public static final String[] SERIALIZABLE_PACKAGES;
+
+  static {
+    SERIALIZABLE_PACKAGES = System.getProperty("org.apache.avro.SERIALIZABLE_PACKAGES",
+        "java.lang,java.math,java.io,java.net,org.apache.avro.reflect").split(",");
+  }
+
+  private final List<String> trustedPackages = new ArrayList<>();
+
+   public SpecificDatumReader() {
+     this(null, null, SpecificData.get());
+   }
+@@ -55,6 +68,7 @@ public SpecificDatumReader(Schema writer, Schema reader) {
+    */
+   public SpecificDatumReader(Schema writer, Schema reader, SpecificData data) {
+     super(writer, reader, data);
+    trustedPackages.addAll(Arrays.asList(SERIALIZABLE_PACKAGES));
+   }
+ 
+   /** Construct given a {@link SpecificData}. */
+@@ -101,12 +115,43 @@ private Class getPropAsClass(Schema schema, String prop) {
+     if (name == null)
+       return null;
+     try {
+-      return ClassUtils.forName(getData().getClassLoader(), name);
+      Class clazz = ClassUtils.forName(getData().getClassLoader(), name);
+      checkSecurity(clazz);
+      return clazz;
+     } catch (ClassNotFoundException e) {
+       throw new AvroRuntimeException(e);
+     }
+   }
+ 
+  private boolean trustAllPackages() {
+    return (trustedPackages.size() == 1 && "*".equals(trustedPackages.get(0)));
+  }
+
+  private void checkSecurity(Class clazz) throws ClassNotFoundException {
+    if (trustAllPackages() || clazz.isPrimitive()) {
+      return;
+    }
+
+    boolean found = false;
+    Package thePackage = clazz.getPackage();
+    if (thePackage != null) {
+      for (String trustedPackage : getTrustedPackages()) {
+        if (thePackage.getName().equals(trustedPackage) || thePackage.getName().startsWith(trustedPackage + ".")) {
+          found = true;
+          break;
+        }
+      }
+      if (!found) {
+        throw new SecurityException("Forbidden " + clazz
+            + "! This class is not trusted to be included in Avro schema using java-class. Please set org.apache.avro.SERIALIZABLE_PACKAGES system property with the packages you trust.");
+      }
+    }
+  }
+
+  public final List<String> getTrustedPackages() {
+    return trustedPackages;
+  }
+
+   @Override
+   protected Object readRecord(Object old, Schema expected, ResolvingDecoder in) throws IOException {
+     SpecificData data = getSpecificData();
--- a/avro.spec
+++ b/avro.spec
@ -3,7 +3,7 @@

 Name:             avro
 Version:          1.10.2
-Release:          5
+Release:          6
 Summary:          Data serialization system
 License:          Apache-2.0
 URL:              http://avro.apache.org
@ -13,6 +13,7 @@ Source0:          https://github.com/apache/avro/archive/refs/tags/release-1.10.
 Source1:          xmvn-reactor
 Patch3000:        CVE-2021-43045.patch
 Patch3001:        CVE-2023-39410.patch
+Patch3002:        CVE-2024-47561.patch

 ExclusiveArch:	  aarch64 x86_64

@ -111,6 +112,9 @@ install -m 0755 lang/java/tools/target/avro-tools-1.10.2-nodeps.jar %{buildroot}
 %{_datadir}/java/avro/avro-tools-nodeps.jar

 %changelog
+* Thu Oct 10 2024 yaoxin <yao_xin001@hoperun.com> - 1.10.2-6
+- Fix CVE-2024-47561
+
 * Tue Jul 02 2024 wangkai <13474090681@163.com> - 1.10.2-5
 - Fix CVE-2023-39410