packages/guava
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2020-8908

Browse Source
This commit is contained in:
wangxiao65 2021-02-19 18:16:18 +08:00
parent 7022527076
commit 346d22edfc
2 changed files with 84 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

79
CVE-2020-8908.patch Normal file
View File

@ -0,0 +1,79 @@
From fec0dbc4634006a6162cfd4d0d09c962073ddf40 Mon Sep 17 00:00:00 2001
From: glorioso <glorioso@google.com>
Date: Wed, 26 Aug 2020 10:02:56 -0700
Subject: [PATCH] Deprecate Files.createTempDir(), noting that better
alternatives exist for Android as well as for users running Java 7 or later.
RELNOTES=`io`: Deprecated `Files.createTempDir()`.
-------------
Created by MOE: https://github.com/google/moe
MOE_MIGRATED_REVID=328552787
---
android/guava/src/com/google/common/io/Files.java | 12 ++++++++++++
guava/src/com/google/common/io/Files.java| 12 ++++++++++++
2 files changed, 24 insertions(+)
diff --git a/android/guava/src/com/google/common/io/Files.java b/android/guava/src/com/google/common/io/Files.java
index a23cd96b39..34de31eff5 100644
--- a/android/guava/src/com/google/common/io/Files.java
+++ b/android/guava/src/com/google/common/io/Files.java
@@ -386,6 +386,11 @@ public final class Files {
* be exploited to create security vulnerabilities, especially when executable files are to be
* written into the directory.
*
+ * <p>Depending on the environmment that this code is run in, the system temporary directory (and
+ * thus the directory this method creates) may be more visible that a program would like - files
+ * written to this directory may be read or overwritten by hostile programs running on the same
+ * machine.
+ *
* <p>This method assumes that the temporary volume is writable, has free inodes and free blocks,
* and that it will not be called thousands of times per second.
*
@@ -394,7 +399,14 @@ public final class Files {
*
* @return the newly-created directory
* @throws IllegalStateException if the directory could not be created
+ * @deprecated For Android users, see the <a
+ * href="https://developer.android.com/training/data-storage" target="_blank">Data and File
+ * Storage overview</a> to select an appropriate temporary directory (perhaps {@code
+ * context.getCacheDir()}). For developers on Java 7 or later, use {@link
+ * java.nio.file.Files#createTempDirectory}, transforming it to a {@link File} using {@link
+ * java.nio.file.Path#toFile() toFile()} if needed.
*/
+ @Deprecated
public static File createTempDir() {
File baseDir = new File(System.getProperty("java.io.tmpdir"));
String baseName = System.currentTimeMillis() + "-";
diff --git a/guava/src/com/google/common/io/Files.java
b/guava/src/com/google/common/io/Files.java
index a23cd96b39..34de31eff5 100644
--- a/guava/src/com/google/common/io/Files.java
+++ b/guava/src/com/google/common/io/Files.java
@@ -386,6 +386,11 @@ public final class Files {
* be exploited to create security vulnerabilities, especially when executable files are to be
* written into the directory.
*
+ * <p>Depending on the environmment that this code is run in, the system temporary directory (and
+ * thus the directory this method creates) may be more visible that a program would like - files
+ * written to this directory may be read or overwritten by hostile programs running on the same
+ * machine.
+ *
* <p>This method assumes that the temporary volume is writable, has free inodes and free blocks,
* and that it will not be called thousands of times per second.
*
@@ -394,7 +399,14 @@ public final class Files {
*
* @return the newly-created directory
* @throws IllegalStateException if the directory could not be created
+ * @deprecated For Android users, see the <a
+ * href="https://developer.android.com/training/data-storage" target="_blank">Data and File
+ * Storage overview</a> to select an appropriate temporary directory (perhaps {@code
+ * context.getCacheDir()}). For developers on Java 7 or later, use {@link
+ * java.nio.file.Files#createTempDirectory}, transforming it to a {@link File} using {@link
+ * java.nio.file.Path#toFile() toFile()} if needed.
*/
+ @Deprecated
public static File createTempDir() {
File baseDir = new File(System.getProperty("java.io.tmpdir"));
String baseName = System.currentTimeMillis() + "-";

6
guava.spec
View File

@ -1,12 +1,13 @@
Name: guava Name: guava
Version: 25.0 Version: 25.0
Release: 4 Release: 5
Summary: Google Core Libraries for Java Summary: Google Core Libraries for Java
License: ASL 2.0 and CC0 License: ASL 2.0 and CC0
URL: https://github.com/google/guava URL: https://github.com/google/guava
BuildArch: noarch BuildArch: noarch
Source0: https://github.com/google/guava/archive/v%{version}.tar.gz Source0: https://github.com/google/guava/archive/v%{version}.tar.gz
Patch0000: CVE-2020-8908.patch
BuildRequires: maven-local mvn(com.google.code.findbugs:jsr305) mvn(junit:junit) BuildRequires: maven-local mvn(com.google.code.findbugs:jsr305) mvn(junit:junit)
BuildRequires: mvn(org.apache.felix:maven-bundle-plugin) mvn(org.sonatype.oss:oss-parent:pom:) BuildRequires: mvn(org.apache.felix:maven-bundle-plugin) mvn(org.sonatype.oss:oss-parent:pom:)
@ -86,5 +87,8 @@ find -name '*.java' | xargs sed -ri \
%files testlib -f .mfiles-guava-testlib %files testlib -f .mfiles-guava-testlib
%changelog %changelog
* Fri Feb 19 2021 wangxiao <wangxiao65@huawei.com> - 25.0-5
- Fix CVE-2020-8908
* Fri Mar 6 2020 dingyiming <dingyiming3@huawei.com> - 25.0-4 * Fri Mar 6 2020 dingyiming <dingyiming3@huawei.com> - 25.0-4
- Package init - Package init