fix CVE-2024-23945

2024-12-15 15:10:56 +08:00 · 2024-12-15 15:10:56 +08:00 · ed4d034b81
commit ed4d034b81
parent 87eb192e47
2 changed files with 60 additions and 1 deletions
--- a/backport-CVE-2024-23945.patch
+++ b/backport-CVE-2024-23945.patch
@ -0,0 +1,51 @@
+From cf59b1f51c16301f689b4e0f17ba4dbd140e1b19 Mon Sep 17 00:00:00 2001
+From: Sean Owen <srowen@gmail.com>
+Date: Tue, 17 Oct 2023 16:10:56 -0700
+Subject: [PATCH] [MINOR][SQL] Remove signature from Hive thriftserver
+ exception
+
+### What changes were proposed in this pull request?
+
+Don't return expected signature to caller in Hive thriftserver exception
+
+### Why are the changes needed?
+
+Please see private discussion
+
+### Does this PR introduce _any_ user-facing change?
+
+No
+
+### How was this patch tested?
+
+Existing tests
+
+### Was this patch authored or co-authored using generative AI tooling?
+
+No
+
+Closes #43402 from srowen/HiveCookieSigner.
+
+Authored-by: Sean Owen <srowen@gmail.com>
+Signed-off-by: Dongjoon Hyun <dhyun@apple.com>
+---
+ .../src/main/java/org/apache/hive/service/CookieSigner.java    | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/sql/hive-thriftserver/src/main/java/org/apache/hive/service/CookieSigner.java b/sql/hive-thriftserver/src/main/java/org/apache/hive/service/CookieSigner.java
+index 782e47a..4b8d2cb 100644
+--- a/sql/hive-thriftserver/src/main/java/org/apache/hive/service/CookieSigner.java
+++ b/sql/hive-thriftserver/src/main/java/org/apache/hive/service/CookieSigner.java
+@@ -81,8 +81,7 @@ public class CookieSigner {
+       LOG.debug("Signature generated for " + rawValue + " inside verify is " + currentSignature);
+     }
+     if (!MessageDigest.isEqual(originalSignature.getBytes(), currentSignature.getBytes())) {
+-      throw new IllegalArgumentException("Invalid sign, original = " + originalSignature +
+-        " current = " + currentSignature);
+      throw new IllegalArgumentException("Invalid sign");
+     }
+     return rawValue;
+   }
+-- 
+2.43.0
+
--- a/spark.spec
+++ b/spark.spec
@ -4,12 +4,13 @@
 Summary: A unified analytics engine for large-scale data processing.
 Name: spark
 Version: 3.2.2
-Release: 1
+Release: 2
 License: Apache 2.0
 URL: http://spark.apache.org/
 Source0: https://github.com/apache/spark/archive/v%{version}.tar.gz

 Patch0001: 0001-change-mvn-scalafmt.patch
+Patch0002: backport-CVE-2024-23945.patch

 BuildRequires: java-1.8.0-openjdk-devel
 BuildRequires: maven
@ -25,6 +26,7 @@ Apache Spark achieves high performance for both batch and streaming data, using
 %setup -q

 %patch0001 -p1
+%patch0002 -p1

 %build
 mvn -DskipTests -Dmaven.test.skip=true clean package 
@ -38,6 +40,12 @@ cp -rf ../%{name}-%{version} %{buildroot}/opt/apache-%{name}-%{version}


 %changelog
+* Thu Dec 26 2024 changtao <changtao@kylinos.cn> - 3.2.2-2
+- Type: CVE
+- CVE: CVE-2024-23945
+- SUG: NA
+- DESC: fix CVE-2024-23945
+
 * Wed Aug 10 2022 xiexing <xiexing4@hisilicon.com> - 3.2.2-1
 - update spark version