From dcecda1d2b3d0c0c8607332912a7901398df2b8e Mon Sep 17 00:00:00 2001
From: Razvan-Daniel Mihai <84674+razvan@users.noreply.github.com>
Date: Mon, 11 Nov 2024 17:07:55 +0100
Subject: [PATCH 1/2] fix(hive): CVE-2023-34455
---
CHANGELOG.md | 2 ++
.../patches/4.0.0/04-exclude-snappy.patch | 27 +++++++++++++++++++
2 files changed, 29 insertions(+)
create mode 100644 hive/stackable/patches/4.0.0/04-exclude-snappy.patch
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 524c0ba92..fb34069bf 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -66,6 +66,7 @@ All notable changes to this project will be documented in this file.
- spark: Fix CVE-2024-36114 in Spark 3.5.1 by upgrading a dependency.
Spark 3.5.2 is not affected. ([#921])
- trino: Correctly report Trino version ([#881]).
+- hive: Fix CVE-2023-34455 in Hive 4.0.0 by excluding snappy-java from the build ([#929])
[#783]: https://github.com/stackabletech/docker-images/pull/783
[#797]: https://github.com/stackabletech/docker-images/pull/797
@@ -111,6 +112,7 @@ All notable changes to this project will be documented in this file.
[#919]: https://github.com/stackabletech/docker-images/pull/919
[#920]: https://github.com/stackabletech/docker-images/pull/920
[#921]: https://github.com/stackabletech/docker-images/pull/921
+[#929]: https://github.com/stackabletech/docker-images/pull/929
## [24.7.0] - 2024-07-24
diff --git a/hive/stackable/patches/4.0.0/04-exclude-snappy.patch b/hive/stackable/patches/4.0.0/04-exclude-snappy.patch
new file mode 100644
index 000000000..9fc70376f
--- /dev/null
+++ b/hive/stackable/patches/4.0.0/04-exclude-snappy.patch
@@ -0,0 +1,27 @@
+Fix CVE-2023-34455
+see https://github.com/stackabletech/vulnerabilities/issues/558
+and https://github.com/stackabletech/vulnerabilities/issues/862
+
+Exclude snappy-java 1.1.8 from the standalone-metastore artifact
+and use the version shipped with the Hadoop binaries patched by
+Stackable with https://github.com/stackabletech/docker-images/blob/main/hadoop/stackable/patches/3.3.6/007-snappy-cves-3.3.6.patch
+
+diff --git a/standalone-metastore/pom.xml b/standalone-metastore/pom.xml
+index 2982a45ca0..1c4f2ddbf4 100644
+--- a/standalone-metastore/pom.xml
++++ b/standalone-metastore/pom.xml
+@@ -204,6 +204,14 @@
+ hadoop-common
+ ${hadoop.version}
+
++
++
++ org.xerial.snappy
++ snappy-java
++
+
+ org.apache.zookeeper
+ zookeeper
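Review bot: The exclusion added under the hadoop-common dependency (the inner added lines carrying `org.xerial.snappy` / `snappy-java`) removes snappy-java only from that one transitive path; any other dependency declared in standalone-metastore/pom.xml that also pulls in org.xerial.snappy:snappy-java would still bring the vulnerable 1.1.8 into the build, so the resulting dependency tree should be verified rather than assumed clean. The exclusion also relies on the snappy-java shipped with the Stackable-patched Hadoop being present on the metastore classpath at runtime, which this patch does not enforce; if it is absent the failure would surface as a codec load error at runtime rather than at build time. A short XML comment inside the exclusion, for example `<!-- CVE-2023-34455: snappy-java is provided by the patched Hadoop distribution -->`, would keep the rationale next to the change so a later pom refresh does not silently drop it. The element names appear stripped in this rendering, so the exact exclusion markup is inferred from the visible coordinates.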
From 76748cb243b4acf66ad39fa707c3cb92098ef651 Mon Sep 17 00:00:00 2001
From: Razvan-Daniel Mihai <84674+razvan@users.noreply.github.com>
Date: Tue, 12 Nov 2024 14:00:01 +0100
Subject: [PATCH 2/2] Update patch list after main merge
---
...de-snappy.patch => 05-CVE-2023-34455-exclude-snappy.patch} | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
rename hive/stackable/patches/4.0.0/{04-exclude-snappy.patch => 05-CVE-2023-34455-exclude-snappy.patch} (95%)
diff --git a/hive/stackable/patches/4.0.0/04-exclude-snappy.patch b/hive/stackable/patches/4.0.0/05-CVE-2023-34455-exclude-snappy.patch
similarity index 95%
rename from hive/stackable/patches/4.0.0/04-exclude-snappy.patch
rename to hive/stackable/patches/4.0.0/05-CVE-2023-34455-exclude-snappy.patch
index 9fc70376f..680098a2a 100644
--- a/hive/stackable/patches/4.0.0/04-exclude-snappy.patch
+++ b/hive/stackable/patches/4.0.0/05-CVE-2023-34455-exclude-snappy.patch
@@ -7,10 +7,10 @@ and use the version shipped with the Hadoop binaries patched by
Stackable with https://github.com/stackabletech/docker-images/blob/main/hadoop/stackable/patches/3.3.6/007-snappy-cves-3.3.6.patch
diff --git a/standalone-metastore/pom.xml b/standalone-metastore/pom.xml
-index 2982a45ca0..1c4f2ddbf4 100644
+index cd34884e3b..9bcbdfe7f7 100644
--- a/standalone-metastore/pom.xml
+++ b/standalone-metastore/pom.xml
-@@ -204,6 +204,14 @@
+@@ -210,6 +210,14 @@
hadoop-common
${hadoop.version}