fix CVE-2024-23454

04-Enhance-access-control-for-RunJar.patch

@@ -0,0 +1,57 @@
+From 7c30e7ffb65f9a58a85b3b556f8c0de04c1b4b20 Mon Sep 17 00:00:00 2001
+From: He Xiaoqiao <hexiaoqiao@apache.org>
+Date: Mon, 15 Jan 2024 16:01:08 +0800
+Subject: [PATCH] HADOOP-19031. Enhance access control for RunJar.
+
+---
+ .../main/java/org/apache/hadoop/util/RunJar.java | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/RunJar.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/RunJar.java
+index c28e69f5..e527f602 100644
+--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/RunJar.java
++++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/RunJar.java
+@@ -28,10 +28,14 @@ import java.net.MalformedURLException;
+ import java.net.URL;
+ import java.net.URLClassLoader;
+ import java.nio.file.Files;
++import java.nio.file.attribute.FileAttribute;
++import java.nio.file.attribute.PosixFilePermission;
++import java.nio.file.attribute.PosixFilePermissions;
+ import java.util.ArrayList;
+ import java.util.Arrays;
+ import java.util.Enumeration;
+ import java.util.List;
++import java.util.Set;
+ import java.util.jar.JarEntry;
+ import java.util.jar.JarFile;
+ import java.util.jar.JarInputStream;
+@@ -287,20 +291,18 @@ public class RunJar {
+ 
+     final File workDir;
+     try {
+-      workDir = File.createTempFile("hadoop-unjar", "", tmpDir);
+-    } catch (IOException ioe) {
++      FileAttribute<Set<PosixFilePermission>> perms = PosixFilePermissions
++          .asFileAttribute(PosixFilePermissions.fromString("rwx------"));
++      workDir = Files.createTempDirectory(tmpDir.toPath(), "hadoop-unjar", perms).toFile();
++    } catch (IOException | SecurityException e) {
+       // If user has insufficient perms to write to tmpDir, default
+       // "Permission denied" message doesn't specify a filename.
+       System.err.println("Error creating temp dir in java.io.tmpdir "
+-                         + tmpDir + " due to " + ioe.getMessage());
++                         + tmpDir + " due to " + e.getMessage());
+       System.exit(-1);
+       return;
+     }
+ 
+-    if (!workDir.delete()) {
+-      System.err.println("Delete failed for " + workDir);
+-      System.exit(-1);
+-    }
+     ensureDirectory(workDir);
+ 
+     ShutdownHookManager.get().addShutdownHook(
+-- 
+2.43.0
+

hadoop.spec

@@ -11,7 +11,7 @@
 %define _binaries_in_noarch_packages_terminate_build 0
 Name:   hadoop
 Version: 3.3.6
-Release: 3
+Release: 4
 Summary: A software platform for processing vast amounts of data
 # The BSD license file is missing
 # https://issues.apache.org/jira/browse/HADOOP-9849
@@ -40,6 +40,7 @@ Source18: protoc-gen-grpc-java-1.26.0-linux-riscv_64.exe
 Patch0: 01-lock-triple-beam-version-to-1.3.0.patch
 Patch1: 02-Upgrade-os-maven-plugin-to-1.7.1.patch
 Patch2: 03-Fix-build-on-riscv.patch
+Patch3: 04-Enhance-access-control-for-RunJar.patch
 
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
 BuildRequires: java-1.8.0-openjdk-devel maven hostname maven-local tomcat cmake snappy openssl-devel
@@ -1159,6 +1160,9 @@ fi
 %config(noreplace) %{_sysconfdir}/%{name}/container-executor.cfg
 
 %changelog
+* Thu Sep 26 2024 Deyuan Fan <fandeyuan@kylinos.cn> - 3.3.6-4
+- fix CVE-2024-23454
+
 * Sun May 12 2024 Dingli Zhang <dingli@iscas.ac.cn> - 3.3.6-3
 - Fix build on riscv64
 - Upgrade os-maven-plugin to 1.7.1