fix CVE-2022-34916

yinyongkang 2022-08-22 16:30:53 +08:00
parent 51d772c6c2
commit 46b49822eb
2 changed files with 111 additions and 2 deletions


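--- /dev/null
+++ b/backport-CVE-2022-34916.patch
@@ -0,0 +1,101 @@
+From 547bab53e4956653fbea32d1b88af5dc3b582db4 Mon Sep 17 00:00:00 2001
+From: root <root@localhost.localdomain>
+Date: Mon, 22 Aug 2022 16:05:52 +0800
+Subject: [PATCH] FLUME-3428 - Validate the parameter
+author Ralph Goers <rgoers@apache.org>
+Sat, 30 Jul 2022 16:16:17 +0800 (01:16 -0700)
+committer Ralph Goers <rgoers@apache.org>
+Sat, 30 Jul 2022 16:16:17 +0800 (01:16 -0700)
+---
+.../flume/source/jms/JMSMessageConsumer.java | 15 +++++++++++++++
+.../source/jms/JMSMessageConsumerTestBase.java | 8 +++++++-
+.../flume/source/jms/TestJMSMessageConsumer.java | 6 ++++++
+3 files changed, 28 insertions(+), 1 deletion(-)
+diff --git a/flume-ng-sources/flume-jms-source/src/main/java/org/apache/flume/source/jms/JMSMessageConsumer.java b/flume-ng-sources/flume-jms-source/src/main/java/org/apache/flume/source/jms/JMSMessageConsumer.java
+index 645cbcc..5375bd0 100644
+--- a/flume-ng-sources/flume-jms-source/src/main/java/org/apache/flume/source/jms/JMSMessageConsumer.java
++++ b/flume-ng-sources/flume-jms-source/src/main/java/org/apache/flume/source/jms/JMSMessageConsumer.java
+@@ -35,11 +35,14 @@ import javax.jms.Session;
+import javax.jms.Topic;
+import javax.naming.InitialContext;
+import javax.naming.NamingException;
++import java.net.URI;
++import java.net.URISyntaxException;
+import java.util.ArrayList;
+import java.util.List;
+class JMSMessageConsumer {
+private static final Logger logger = LoggerFactory.getLogger(JMSMessageConsumer.class);
++ private static final String JAVA_SCHEME = "java";
+private final int batchSize;
+private final long pollTimeout;
+@@ -99,6 +102,14 @@ class JMSMessageConsumer {
+throw new IllegalStateException(String.valueOf(destinationType));
+}
+} else {
++ try {
++ URI uri = new URI(destinationName);
++ String scheme = uri.getScheme();
++ assertTrue(scheme == null || scheme.equals(JAVA_SCHEME),
++ "Unsupported JNDI URI: " + destinationName);
++ } catch (URISyntaxException ex) {
++ logger.warn("Invalid JNDI URI - {}", destinationName);
++ }
+destination = (Destination) initialContext.lookup(destinationName);
+}
+} catch (JMSException e) {
+@@ -209,4 +220,8 @@ class JMSMessageConsumer {
+logger.error("Could not destroy connection", e);
+}
+}
++
++ private void assertTrue(boolean arg, String msg) {
++ Preconditions.checkArgument(arg, msg);
++ }
+}
+diff --git a/flume-ng-sources/flume-jms-source/src/test/java/org/apache/flume/source/jms/JMSMessageConsumerTestBase.java b/flume-ng-sources/flume-jms-source/src/test/java/org/apache/flume/source/jms/JMSMessageConsumerTestBase.java
+index b3bce78..aa96458 100644
+--- a/flume-ng-sources/flume-jms-source/src/test/java/org/apache/flume/source/jms/JMSMessageConsumerTestBase.java
++++ b/flume-ng-sources/flume-jms-source/src/test/java/org/apache/flume/source/jms/JMSMessageConsumerTestBase.java
+@@ -129,11 +129,17 @@ public abstract class JMSMessageConsumerTestBase {
+}
+}
+- JMSMessageConsumer create() {
++ JMSMessageConsumer create(JMSDestinationType destinationType,
++ JMSDestinationLocator destinationLocator, String destinationName) {
+return new JMSMessageConsumer(WONT_USE, connectionFactory, destinationName,
+destinationLocator, destinationType, messageSelector, batchSize,
+pollTimeout, converter, userName, password, Optional.<String>absent(), false, "");
+}
++
++ JMSMessageConsumer create() {
++ return create(this.destinationType, this.destinationLocator, this.destinationName);
++ }
++
+@After
+public void tearDown() throws Exception {
+beforeTearDown();
+diff --git a/flume-ng-sources/flume-jms-source/src/test/java/org/apache/flume/source/jms/TestJMSMessageConsumer.java b/flume-ng-sources/flume-jms-source/src/test/java/org/apache/flume/source/jms/TestJMSMessageConsumer.java
+index e7c5f29..636ffc3 100644
+--- a/flume-ng-sources/flume-jms-source/src/test/java/org/apache/flume/source/jms/TestJMSMessageConsumer.java
++++ b/flume-ng-sources/flume-jms-source/src/test/java/org/apache/flume/source/jms/TestJMSMessageConsumer.java
+@@ -93,6 +93,12 @@ public class TestJMSMessageConsumer extends JMSMessageConsumerTestBase {
+verify(connection).close();
+}
+}
++
++ @Test(expected = IllegalArgumentException.class)
++ public void testInvalidDestination() throws Exception {
++ create(null, JMSDestinationLocator.JNDI, "ldap://localhost:389/test");
++ }
++
+@Test(expected = IllegalArgumentException.class)
+public void testInvalidBatchSizeZero() throws Exception {
+batchSize = 0;
+--
+2.33.0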
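Review bot: The `catch (URISyntaxException ex)` block in the JMSMessageConsumer hunk only logs a warning and then falls through to `initialContext.lookup(destinationName)`, so a destination name that `new URI(...)` rejects is never compared against `JAVA_SCHEME` and is still resolved through JNDI; a string can fail overall URI syntax while still beginning with a non-java scheme, which leaves that path outside the allow-list. Since the accompanying test hunk already expects `IllegalArgumentException` for a rejected destination, the parse failure should fail the same way, for example `throw new IllegalArgumentException("Invalid JNDI URI: " + destinationName, ex);` in place of the `logger.warn` call. If existing deployments rely on JNDI names that are not valid URIs, that compatibility question is worth confirming before tightening the check, and the decision should be recorded in a comment above the `try`. The enclosing method starts and ends outside the hunk, so whether `destination` has any other assignment path is not visible here.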


@ -1,6 +1,6 @@
Name: flume
Version: 1.10.0
Release: 1
Release: 2
Summary: Apache Flume is a distributed, reliable, and availble service for efficiently collecting, aggregating, and moving large amounts of log data.
License: Public Domain and MIT and Apache 2.0
@ -14,6 +14,8 @@ Source4: eigenbase-properties-1.1.4.jar
Source5: linq4j-0.4.jar
Source6: quidem-0.1.1.jar
Patch6000: backport-CVE-2022-34916.patch
BuildRequires: java-1.8.0-openjdk-devel maven xmvn xmvn-install gradle-local maven-local
Requires: java-1.8.0-openjdk
@ -28,7 +30,7 @@ allows for intelligent dynamic management. It uses a simple extensible data mode
for online analytic application.
%prep
%setup -q -n apache-flume-1.10.0-src
%autosetup -n apache-flume-1.10.0-src -p1
mvn install:install-file -DgroupId=ua_parser -DartifactId=ua-parser -Dversion=1.3.0 -Dpackaging=jar -Dfile=%{SOURCE1}
mvn install:install-file -DgroupId=org.pentaho -DartifactId=pentaho-aggdesigner-algorithm -Dversion=5.1.5-jhyde -Dpackaging=jar -Dfile=%{SOURCE2}
mvn install:install-file -DgroupId=eigenbase -DartifactId=eigenbase-properties -Dversion=1.1.4 -Dpackaging=jar -Dfile=%{SOURCE4}
@ -95,6 +97,12 @@ popd
%dir %{_javadir}/%{name}
%changelog
* Mon Aug 22 2022 yinyongkang <yinyongkang@kylinos.cn> - 1.10.0-2
- Type:CVE
- ID:CVE-2022-34916
- SUG:NA
- DESC:Fix CVE-2022-34916
* Wed Aug 3 2022 xiexing <xiexing4@hisilicon.com> - 1.10.0-1
- fix cve problem