Upgrade libthrift to 0.14.1 due CVE-2020-13949

prestodb · Jan 30, 2025 · fd7554f · fd7554f
1 parent 08fe81c
commit fd7554f
Show file tree

Hide file tree

Showing 4 changed files with 43 additions and 1 deletion.
diff --git a/pom.xml b/pom.xml
@@ -1445,7 +1445,7 @@
             <dependency>
                 <groupId>org.apache.thrift</groupId>
                 <artifactId>libthrift</artifactId>
-                <version>0.9.3</version>
+                <version>0.14.1</version>
                 <exclusions>
                     <exclusion>
                         <groupId>org.apache.httpcomponents</groupId>
@@ -1455,6 +1455,10 @@
                         <groupId>org.apache.httpcomponents</groupId>
                         <artifactId>httpclient</artifactId>
                     </exclusion>
+                    <exclusion>
+                        <groupId>org.apache.tomcat.embed</groupId>
+                        <artifactId>tomcat-embed-core</artifactId>
+                    </exclusion>
                 </exclusions>
             </dependency>
 

diff --git a/presto-accumulo/pom.xml b/presto-accumulo/pom.xml
@@ -19,6 +19,17 @@
         <dep.reload4j.version>1.2.18.3</dep.reload4j.version>
     </properties>
 
+    <dependencyManagement>
+        <dependencies>
+            <dependency>
+                <groupId>org.apache.thrift</groupId>
+                <artifactId>libthrift</artifactId>
+                <!-- libthrift >= 0.14.1 not compatible with accumulo-minicluster 1.x -->
+                <version>0.9.3</version>
+            </dependency>
+        </dependencies>
+    </dependencyManagement>
+
     <dependencies>
         <dependency>
             <groupId>org.apache.accumulo</groupId>

diff --git a/presto-hive-metastore/src/main/java/com/facebook/presto/hive/metastore/thrift/Transport.java b/presto-hive-metastore/src/main/java/com/facebook/presto/hive/metastore/thrift/Transport.java
@@ -15,6 +15,7 @@
 
 import com.facebook.presto.hive.authentication.HiveMetastoreAuthentication;
 import com.google.common.net.HostAndPort;
+import org.apache.thrift.TConfiguration;
 import org.apache.thrift.transport.TSocket;
 import org.apache.thrift.transport.TTransport;
 import org.apache.thrift.transport.TTransportException;
@@ -217,5 +218,24 @@ public void flush()
                 throw rewriteException(e, address);
             }
         }
+
+        // Methods added in libthrift 0.14.0 and not present in Hive Metastore <= 3.1.2
+        @Override
+        public TConfiguration getConfiguration()
+        {
+            return TConfiguration.DEFAULT;
+        }
+
+        @Override
+        public void updateKnownMessageSize(long size)
+                throws TTransportException
+        {
+        }
+
+        @Override
+        public void checkReadBytesAvailable(long numBytes)
+                throws TTransportException
+        {
+        }
     }
 }
diff --git a/...ain/java/com/facebook/presto/hive/authentication/KerberosHiveMetastoreAuthentication.java b/...ain/java/com/facebook/presto/hive/authentication/KerberosHiveMetastoreAuthentication.java
@@ -24,6 +24,7 @@
 import org.apache.hadoop.security.token.TokenIdentifier;
 import org.apache.thrift.transport.TSaslClientTransport;
 import org.apache.thrift.transport.TTransport;
+import org.apache.thrift.transport.TTransportException;
 
 import javax.inject.Inject;
 import javax.security.auth.callback.Callback;
@@ -98,6 +99,9 @@ private TTransport authenticateWithToken(TTransport rawTransport, String tokenSt
         catch (IOException ex) {
             throw new UncheckedIOException(ex);
         }
+        catch (TTransportException e) {
+            throw new RuntimeException(e);
+        }
     }
 
     private static class SaslClientCallbackHandler
@@ -175,5 +179,8 @@ private TTransport authenticateWithHost(TTransport rawTransport, String hiveMeta
         catch (IOException e) {
             throw new UncheckedIOException(e);
         }
+        catch (TTransportException e) {
+            throw new RuntimeException(e);
+        }
     }
 }