From 346d22edfce71497487911e8651f162a2d70bf84 Mon Sep 17 00:00:00 2001 From: wangxiao65 <287608437@qq.com> Date: Fri, 19 Feb 2021 18:16:18 +0800 Subject: [PATCH] fix CVE-2020-8908 --- CVE-2020-8908.patch | 79 +++++++++++++++++++++++++++++++++++++++++++++ guava.spec | 6 +++- 2 files changed, 84 insertions(+), 1 deletion(-) create mode 100644 CVE-2020-8908.patch diff --git a/CVE-2020-8908.patch b/CVE-2020-8908.patch new file mode 100644 index 0000000..75b3722 --- /dev/null +++ b/CVE-2020-8908.patch @@ -0,0 +1,79 @@ +From fec0dbc4634006a6162cfd4d0d09c962073ddf40 Mon Sep 17 00:00:00 2001 +From: glorioso +Date: Wed, 26 Aug 2020 10:02:56 -0700 +Subject: [PATCH] Deprecate Files.createTempDir(), noting that better + alternatives exist for Android as well as for users running Java 7 or later. + +RELNOTES=`io`: Deprecated `Files.createTempDir()`. + +------------- +Created by MOE: https://github.com/google/moe +MOE_MIGRATED_REVID=328552787 +--- + android/guava/src/com/google/common/io/Files.java | 12 ++++++++++++ + guava/src/com/google/common/io/Files.java| 12 ++++++++++++ + 2 files changed, 24 insertions(+) + +diff --git a/android/guava/src/com/google/common/io/Files.java b/android/guava/src/com/google/common/io/Files.java +index a23cd96b39..34de31eff5 100644 +--- a/android/guava/src/com/google/common/io/Files.java ++++ b/android/guava/src/com/google/common/io/Files.java +@@ -386,6 +386,11 @@ public final class Files { + * be exploited to create security vulnerabilities, especially when executable files are to be + * written into the directory. + * ++ *

Depending on the environmment that this code is run in, the system temporary directory (and ++ * thus the directory this method creates) may be more visible that a program would like - files ++ * written to this directory may be read or overwritten by hostile programs running on the same ++ * machine. ++ * + *

This method assumes that the temporary volume is writable, has free inodes and free blocks, + * and that it will not be called thousands of times per second. + * +@@ -394,7 +399,14 @@ public final class Files { + * + * @return the newly-created directory + * @throws IllegalStateException if the directory could not be created ++ * @deprecated For Android users, see the Data and File ++ * Storage overview to select an appropriate temporary directory (perhaps {@code ++ * context.getCacheDir()}). For developers on Java 7 or later, use {@link ++ * java.nio.file.Files#createTempDirectory}, transforming it to a {@link File} using {@link ++ * java.nio.file.Path#toFile() toFile()} if needed. + */ ++ @Deprecated + public static File createTempDir() { + File baseDir = new File(System.getProperty("java.io.tmpdir")); + String baseName = System.currentTimeMillis() + "-"; +diff --git a/guava/src/com/google/common/io/Files.java +b/guava/src/com/google/common/io/Files.java +index a23cd96b39..34de31eff5 100644 +--- a/guava/src/com/google/common/io/Files.java ++++ b/guava/src/com/google/common/io/Files.java +@@ -386,6 +386,11 @@ public final class Files { + * be exploited to create security vulnerabilities, especially when executable files are to be + * written into the directory. + * ++ *

Depending on the environmment that this code is run in, the system temporary directory (and ++ * thus the directory this method creates) may be more visible that a program would like - files ++ * written to this directory may be read or overwritten by hostile programs running on the same ++ * machine. ++ * + *

This method assumes that the temporary volume is writable, has free inodes and free blocks, + * and that it will not be called thousands of times per second. + * +@@ -394,7 +399,14 @@ public final class Files { + * + * @return the newly-created directory + * @throws IllegalStateException if the directory could not be created ++ * @deprecated For Android users, see the Data and File ++ * Storage overview to select an appropriate temporary directory (perhaps {@code ++ * context.getCacheDir()}). For developers on Java 7 or later, use {@link ++ * java.nio.file.Files#createTempDirectory}, transforming it to a {@link File} using {@link ++ * java.nio.file.Path#toFile() toFile()} if needed. + */ ++ @Deprecated + public static File createTempDir() { + File baseDir = new File(System.getProperty("java.io.tmpdir")); + String baseName = System.currentTimeMillis() + "-"; diff --git a/guava.spec b/guava.spec index 3a789a2..d8a16ea 100644 --- a/guava.spec +++ b/guava.spec @@ -1,12 +1,13 @@ Name: guava Version: 25.0 -Release: 4 +Release: 5 Summary: Google Core Libraries for Java License: ASL 2.0 and CC0 URL: https://github.com/google/guava BuildArch: noarch Source0: https://github.com/google/guava/archive/v%{version}.tar.gz +Patch0000: CVE-2020-8908.patch BuildRequires: maven-local mvn(com.google.code.findbugs:jsr305) mvn(junit:junit) BuildRequires: mvn(org.apache.felix:maven-bundle-plugin) mvn(org.sonatype.oss:oss-parent:pom:) @@ -86,5 +87,8 @@ find -name '*.java' | xargs sed -ri \ %files testlib -f .mfiles-guava-testlib %changelog +* Fri Feb 19 2021 wangxiao - 25.0-5 +- Fix CVE-2020-8908 + * Fri Mar 6 2020 dingyiming - 25.0-4 - Package init
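Review bot: `Files.createTempDir()` behaves exactly as before once this patch is applied, because the embedded upstream change adds only a Javadoc paragraph and `@Deprecated` in both `android/guava` and `guava`. The body that follows `File baseDir = new File(System.getProperty("java.io.tmpdir"));` is untouched and continues outside the hunk. Any caller of this build, inside guava or in dependent packages, therefore still gets a directory under the shared temp location with whatever permissions the old code produced. The commit subject and changelog should say this is a mitigation by deprecation, for example `- Deprecate Files.createTempDir() for CVE-2020-8908; callers must migrate to java.nio.file.Files#createTempDirectory`. Dependent packages should also be checked for remaining callers, since `java.nio.file.Files.createTempDirectory` is the replacement that restricts access to the owner on POSIX file systems.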
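Review bot: `Patch0000: CVE-2020-8908.patch` is declared in the first guava.spec hunk, but neither hunk shows a change to `%prep`, so whether the patch is actually applied depends on lines outside this diff. Confirm that `%prep` uses `%autosetup -p1` or carries a matching `%patch0 -p1`. Otherwise the build ships unpatched sources while the changelog entry `- Fix CVE-2020-8908` claims the fix.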