fix CVE-2024-23454

(cherry picked from commit 5f71de6462d2cef77e39a119b57c7691cf0cc0f2)

0003-Enhance-access-control-for-RunJar.patch

@@ -0,0 +1,58 @@
+From 7c30e7ffb65f9a58a85b3b556f8c0de04c1b4b20 Mon Sep 17 00:00:00 2001
+From: He Xiaoqiao <hexiaoqiao@apache.org>
+Date: Mon, 15 Jan 2024 16:01:08 +0800
+Subject: [PATCH] HADOOP-19031. Enhance access control for RunJar.
+
+---
+ .../java/org/apache/hadoop/util/RunJar.java     | 17 ++++++++++-------
+ 1 file changed, 10 insertions(+), 7 deletions(-)
+
+diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/RunJar.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/RunJar.java
+index 239d464..20c2d13 100644
+--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/RunJar.java
++++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/RunJar.java
+@@ -28,10 +28,15 @@ import java.lang.reflect.Method;
+ import java.net.MalformedURLException;
+ import java.net.URL;
+ import java.net.URLClassLoader;
++import java.nio.file.Files;
++import java.nio.file.attribute.FileAttribute;
++import java.nio.file.attribute.PosixFilePermission;
++import java.nio.file.attribute.PosixFilePermissions;
+ import java.util.ArrayList;
+ import java.util.Arrays;
+ import java.util.Enumeration;
+ import java.util.List;
++import java.util.Set;
+ import java.util.jar.JarEntry;
+ import java.util.jar.JarFile;
+ import java.util.jar.JarInputStream;
+@@ -278,20 +283,18 @@ public class RunJar {
+ 
+     final File workDir;
+     try {
+-      workDir = File.createTempFile("hadoop-unjar", "", tmpDir);
+-    } catch (IOException ioe) {
++      FileAttribute<Set<PosixFilePermission>> perms = PosixFilePermissions
++          .asFileAttribute(PosixFilePermissions.fromString("rwx------"));
++      workDir = Files.createTempDirectory(tmpDir.toPath(), "hadoop-unjar", perms).toFile();
++    } catch (IOException | SecurityException e) {
+       // If user has insufficient perms to write to tmpDir, default
+       // "Permission denied" message doesn't specify a filename.
+       System.err.println("Error creating temp dir in java.io.tmpdir "
+-                         + tmpDir + " due to " + ioe.getMessage());
++                         + tmpDir + " due to " + e.getMessage());
+       System.exit(-1);
+       return;
+     }
+ 
+-    if (!workDir.delete()) {
+-      System.err.println("Delete failed for " + workDir);
+-      System.exit(-1);
+-    }
+     ensureDirectory(workDir);
+ 
+     ShutdownHookManager.get().addShutdownHook(
+-- 
+2.43.0
+

hadoop-3.1.spec

@@ -12,11 +12,11 @@
 %define _binaries_in_noarch_packages_terminate_build 0
 Name:   hadoop-3.1
 Version: 3.1.4
-Release: 4
+Release: 5
 Summary: A software platform for processing vast amounts of data
 # The BSD license file is missing
 # https://issues.apache.org/jira/browse/HADOOP-9849
-License: Apache-2.0 and MIT and BSD-2-Clause and EPL and Zlib and MPL-2.0
+License: Apache-2.0 and BSD and Zlib and BSL-1.0 and MPL-2.0 and EPL-1.0 and MIT
 URL:     https://%{real_name}.apache.org
 Source0: https://www.apache.org/dist/%{real_name}/core/%{real_name}-%{version}/%{real_name}-%{version}-src.tar.gz
 Source1: %{real_name}-layout.sh
@@ -35,7 +35,7 @@ Source13: %{real_name}-yarn-site.xml
 
 Patch1: 0001-sys_errlist-undeclared.patch
 Patch2: 0002-bugfix-invalid-variable-name.patch
-
+Patch3: 0003-Enhance-access-control-for-RunJar.patch
 
 BuildRoot: %{_tmppath}/%{real_name}-%{version}-%{release}-root
 BuildRequires: java-1.8.0-openjdk-devel maven hostname maven-local tomcat cmake snappy openssl-devel 
@@ -1113,6 +1113,9 @@ fi
 %config(noreplace) %{_sysconfdir}/%{real_name}/container-executor.cfg
 
 %changelog
+* Tue Oct 22 2024 Deyuan Fan <fandeyuan@kylinos.cn> - 3.1.4-5
+- fix CVE-2024-23454
+
 * Mon Jul 12 2021 lingsheng <lingsheng@huawei.com> - 3.1.4-4
 - Fix stop service failure