fix CVE-2024-23454

(cherry picked from commit 11d1878c74cf8771a2e4051e8bf3989bcef4ff8b)

0006-Enhance-access-control-for-RunJar.patch

@@ -0,0 +1,58 @@
+From 7c30e7ffb65f9a58a85b3b556f8c0de04c1b4b20 Mon Sep 17 00:00:00 2001
+From: He Xiaoqiao <hexiaoqiao@apache.org>
+Date: Mon, 15 Jan 2024 16:01:08 +0800
+Subject: [PATCH] HADOOP-19031. Enhance access control for RunJar.
+
+---
+ .../java/org/apache/hadoop/util/RunJar.java     | 17 ++++++++++-------
+ 1 file changed, 10 insertions(+), 7 deletions(-)
+
+diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/RunJar.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/RunJar.java
+index 239d464..20c2d13 100644
+--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/RunJar.java
++++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/RunJar.java
+@@ -28,10 +28,15 @@ import java.lang.reflect.Method;
+ import java.net.MalformedURLException;
+ import java.net.URL;
+ import java.net.URLClassLoader;
++import java.nio.file.Files;
++import java.nio.file.attribute.FileAttribute;
++import java.nio.file.attribute.PosixFilePermission;
++import java.nio.file.attribute.PosixFilePermissions;
+ import java.util.ArrayList;
+ import java.util.Arrays;
+ import java.util.Enumeration;
+ import java.util.List;
++import java.util.Set;
+ import java.util.jar.JarEntry;
+ import java.util.jar.JarFile;
+ import java.util.jar.JarInputStream;
+@@ -278,20 +283,18 @@ public class RunJar {
+ 
+     final File workDir;
+     try {
+-      workDir = File.createTempFile("hadoop-unjar", "", tmpDir);
+-    } catch (IOException ioe) {
++      FileAttribute<Set<PosixFilePermission>> perms = PosixFilePermissions
++          .asFileAttribute(PosixFilePermissions.fromString("rwx------"));
++      workDir = Files.createTempDirectory(tmpDir.toPath(), "hadoop-unjar", perms).toFile();
++    } catch (IOException | SecurityException e) {
+       // If user has insufficient perms to write to tmpDir, default
+       // "Permission denied" message doesn't specify a filename.
+       System.err.println("Error creating temp dir in java.io.tmpdir "
+-                         + tmpDir + " due to " + ioe.getMessage());
++                         + tmpDir + " due to " + e.getMessage());
+       System.exit(-1);
+       return;
+     }
+ 
+-    if (!workDir.delete()) {
+-      System.err.println("Delete failed for " + workDir);
+-      System.exit(-1);
+-    }
+     ensureDirectory(workDir);
+ 
+     ShutdownHookManager.get().addShutdownHook(
+-- 
+2.43.0
+

hadoop-3.1.spec

@@ -12,7 +12,7 @@
 %define _binaries_in_noarch_packages_terminate_build 0
 Name:   hadoop-3.1
 Version: 3.1.4
-Release: 8
+Release: 9
 Summary: A software platform for processing vast amounts of data
 # The BSD license file is missing
 # https://issues.apache.org/jira/browse/HADOOP-9849
@@ -38,7 +38,7 @@ Patch2: 0002-bugfix-invalid-variable-name.patch
 Patch3: 0003-compatible-with-gcc12.patch
 Patch4: 0004-fix_build_issue_on_riscv.patch
 Patch5: 0005-upgrade_os-maven_plugin_to_1.7.1.patch
-
+Patch6: 0006-Enhance-access-control-for-RunJar.patch
 
 BuildRoot: %{_tmppath}/%{real_name}-%{version}-%{release}-root
 BuildRequires: java-1.8.0-openjdk-devel maven hostname maven-local tomcat cmake snappy openssl-devel 
@@ -1130,6 +1130,9 @@ fi
 %config(noreplace) %{_sysconfdir}/%{real_name}/container-executor.cfg
 
 %changelog
+* Mon Oct 14 2024 Deyuan Fan <fandeyuan@kylinos.cn> - 3.1.4-9
+- fix CVE-2024-23454
+
 * Sun May 12 2024 Dingli Zhang <dingli@iscas.ac.cn> - 3.1.4-8
 - Fix build on riscv64
 - Upgrade os-maven-plugin to 1.7.1