!62 fix CVE-2024-23945

From: @changtao615 Reviewed-by: @wenwj0 Signed-off-by: @wenwj0
2025-01-01 13:16:44 +00:00 · 2025-01-01 13:16:44 +00:00 · 1972bf73fe
commit 1972bf73fe
parent 1b6cec81e9 5e4d455ec1
2 changed files with 60 additions and 1 deletions
--- a/backport-CVE-2024-23945.patch
+++ b/backport-CVE-2024-23945.patch
@ -0,0 +1,51 @@
+From cf59b1f51c16301f689b4e0f17ba4dbd140e1b19 Mon Sep 17 00:00:00 2001
+From: Sean Owen <srowen@gmail.com>
+Date: Tue, 17 Oct 2023 16:10:56 -0700
+Subject: [PATCH] [MINOR][SQL] Remove signature from Hive thriftserver
+ exception
+
+### What changes were proposed in this pull request?
+
+Don't return expected signature to caller in Hive thriftserver exception
+
+### Why are the changes needed?
+
+Please see private discussion
+
+### Does this PR introduce _any_ user-facing change?
+
+No
+
+### How was this patch tested?
+
+Existing tests
+
+### Was this patch authored or co-authored using generative AI tooling?
+
+No
+
+Closes #43402 from srowen/HiveCookieSigner.
+
+Authored-by: Sean Owen <srowen@gmail.com>
+Signed-off-by: Dongjoon Hyun <dhyun@apple.com>
+---
+ .../src/main/java/org/apache/hive/service/CookieSigner.java    | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/sql/hive-thriftserver/src/main/java/org/apache/hive/service/CookieSigner.java b/sql/hive-thriftserver/src/main/java/org/apache/hive/service/CookieSigner.java
+index 782e47a6..4b8d2cb1 100644
+--- a/sql/hive-thriftserver/src/main/java/org/apache/hive/service/CookieSigner.java
+++ b/sql/hive-thriftserver/src/main/java/org/apache/hive/service/CookieSigner.java
+@@ -81,8 +81,7 @@ public class CookieSigner {
+       LOG.debug("Signature generated for " + rawValue + " inside verify is " + currentSignature);
+     }
+     if (!MessageDigest.isEqual(originalSignature.getBytes(), currentSignature.getBytes())) {
+-      throw new IllegalArgumentException("Invalid sign, original = " + originalSignature +
+-        " current = " + currentSignature);
+      throw new IllegalArgumentException("Invalid sign");
+     }
+     return rawValue;
+   }
+-- 
+2.43.0
+
--- a/spark.spec
+++ b/spark.spec
@ -4,7 +4,7 @@
 Summary: A unified analytics engine for large-scale data processing.
 Name: spark
 Version: 3.5.0
-Release: 3
+Release: 4
 License: Apache 2.0
 URL: http://spark.apache.org/
 Source0: https://github.com/apache/spark/archive/v%{version}.tar.gz
@ -16,6 +16,7 @@ Source5: https://github.com/google/protobuf/releases/download/v21.7/protobuf-all
 Source6: https://github.com/grpc/grpc-java/archive/refs/tags/v1.56.0.tar.gz
 Patch0001: 0001-change-mvn-scalafmt.patch
 Patch0002: 0002-Upgrade-os-maven-plugin-to-1.7.1.patch
+Patch0003: backport-CVE-2024-23945.patch

 %ifarch riscv64
 BuildRequires:  protobuf-devel protobuf-compiler
@ -76,6 +77,7 @@ popd

 %patch0001 -p1
 %patch0002 -p1
+%patch0003 -p1

 %ifarch riscv64
 sed -i -e 's/protoVersion = "3.23.4/protoVersion = "'${PROTOC_VERSION}/'' project/SparkBuild.scala
@ -97,6 +99,12 @@ cp -rf ../%{name}-%{version} %{buildroot}/opt/apache-%{name}-%{version}


 %changelog
+* Thu Dec 26 2024 changtao <changtao@kylinos.cn> - 3.5.0-4
+- Type: CVE
+- CVE: CVE-2024-23945
+- SUG: NA
+- DESC: fix CVE-2024-23945
+
 * Mon Jul 1 2024 Dingli Zhang <dingli@iscas.ac.cn> - 3.5.0-3
 - Add riscv64 to ExclusiveArch
 - Fix build on riscv64