Skip to content

Upgrade libthrift to 0.14.1 due CVE-2020-13949#24462

Merged
jaystarshot merged 1 commit intoprestodb:masterfrom
denodo-research-labs:cve2020_13949_libthrift
Feb 19, 2025
Merged

Upgrade libthrift to 0.14.1 due CVE-2020-13949#24462
jaystarshot merged 1 commit intoprestodb:masterfrom
denodo-research-labs:cve2020_13949_libthrift

Conversation

@denodo-research-labs
Copy link
Contributor

@denodo-research-labs denodo-research-labs commented Jan 30, 2025
edited
Loading

Description

Fix CVE-2018-1320, CVE-2019-0205, CVE-2019-0210 and CVE-2020-13949.

The version chosen is 0.14.1, although more recent versions exist, because it does not have CRITICAL and HIGH severity CVEs and has been tested in several scenarios with different versions of Hive Metastore.

Fix for #18026

Motivation and Context

The PR upgrades libthrift version to address known CVEs.

Exception made for Accumulo connector, since the version of Accumulo used is not compatible with newer versions of libthrift.

Impact

Dependency org.apache.thrift:libthrift:0.9.3 has four HIGH vulnerabilities:

https://nvd.nist.gov/vuln/detail/CVE-2018-1320
https://nvd.nist.gov/vuln/detail/CVE-2019-0205
https://nvd.nist.gov/vuln/detail/CVE-2019-0210
https://nvd.nist.gov/vuln/detail/CVE-2020-13949

Contributor checklist

Release Notes

Please follow release notes guidelines and fill in the release notes below.

== RELEASE NOTES ==

General Changes
* Upgrade libthrift to 0.14.1 in response to `CVE-2020-13949 <https://github.com/advisories/GHSA-g2fg-mr77-6vrm>`_

@denodo-research-labs denodo-research-labs requested a review from a team as a code owner January 30, 2025 10:40
czentgr
czentgr reviewed Jan 30, 2025
View reviewed changes
Copy link
Contributor

@czentgr czentgr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please rebase.

Also, is there a plan to take a look at accumulo to see if thrift can be upgraded for that as well?

@denodo-research-labs
Copy link
Contributor Author

denodo-research-labs commented Jan 31, 2025

The community seems to have little interest in maintaining Accumulo, see #15837

imjalpreet
imjalpreet reviewed Feb 2, 2025
View reviewed changes
Copy link
Member

@imjalpreet imjalpreet left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@denodo-research-labs thanks for the fix! LGTM, just some nits.

@steveburnett
Copy link
Contributor

steveburnett commented Feb 3, 2025

New release note guidelines as of last week: PR #24354 automatically adds links to this PR to the release notes. Please remove the manual PR link in the following format from the release note entries for this PR.

:pr:`12345`

I have updated the Release Notes Guidelines to remove the examples of manually adding the PR link.

imjalpreet
imjalpreet previously approved these changes Feb 6, 2025
View reviewed changes
@tdcmeehan tdcmeehan self-assigned this Feb 6, 2025
jaystarshot
jaystarshot reviewed Feb 13, 2025
View reviewed changes
presto-hive-metastore/src/main/java/com/facebook/presto/hive/metastore/thrift/Transport.java
@Override
public void updateKnownMessageSize(long size)
throws TTransportException
{
Copy link
Member

@jaystarshot jaystarshot Feb 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

throw new UnsupportedOperationException("Not implemented");

Copy link
Member

@jaystarshot jaystarshot Feb 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does transport not have these methods? (transport.updateKnownMessageSize)?

Copy link
Member

@jaystarshot jaystarshot Feb 15, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

or just leave a noop comment if its noop

Copy link
Contributor Author

@denodo-research-labs denodo-research-labs Feb 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

presto-hive-metastore/src/main/java/com/facebook/presto/hive/metastore/thrift/Transport.java
@Override
public void checkReadBytesAvailable(long numBytes)
throws TTransportException
{
Copy link
Member

@jaystarshot jaystarshot Feb 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

throw new UnsupportedOperationException("Not implemented");

Copy link
Contributor Author

@denodo-research-labs denodo-research-labs Feb 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

added noop comment

@jaystarshot jaystarshot merged commit d6c5af6 into prestodb:master Feb 19, 2025
53 checks passed
This was referenced Mar 10, 2025
Closed
Closed
@prestodb-ci prestodb-ci mentioned this pull request Mar 28, 2025
Merged
30 tasks
@unidevel unidevel mentioned this pull request Apr 25, 2025
Closed
30 tasks
This was referenced May 6, 2025
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@czentgr czentgr czentgr left review comments

@jaystarshot jaystarshot jaystarshot approved these changes

@imjalpreet imjalpreet imjalpreet left review comments

@presto-oss presto-oss Awaiting requested review from presto-oss presto-oss is a code owner automatically assigned from prestodb/committers

Assignees

@tdcmeehan tdcmeehan

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@denodo-research-labs @steveburnett @imjalpreet @jaystarshot @czentgr @tdcmeehan