[
https://issues.apache.org/jira/browse/IMPALA-14269?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18021941#comment-18021941
]
ASF subversion and git services commented on IMPALA-14269:
----------------------------------------------------------
Commit 57eb5f653bcfc766fc3982774175f0a7439dd8a5 in impala's branch
refs/heads/master from Laszlo Gaal
[ https://gitbox.apache.org/repos/asf?p=impala.git;h=57eb5f653 ]
IMPALA-14449, IMPALA-14269: Fix Red Hat / Rocky 9 builds, ORC buffer overflow
Downstream error reports pointed out that the toolchain version picked
up for IMPALA-14139 contains toolchain binaries for Red Hat 9 (and
compatibles) that require at least the 9.5 minor version because of
OpenSSL library requirements. This was caused by the toolchain binary
build process not using package repo pinning for the redhat9 build
container definition, which caused the container process to install
"latest" packages, in this case packages released in Rocky / Red Hat
9.5.
This patch bumps the toolchain ID to a version in which the redhat9
binaries were produced in a build container "moved back in time" to the
9.2 release by pinning the package repos to the Rocky Linux 9.2 state,
using the Rocky Vault.
The patch also picks up a buffer overflow mitigation for the ORC
library.
Change-Id: I5c6921afdc69a4a6644b619de6b8d4e4cc69e601
Reviewed-on: http://gerrit.cloudera.org:8080/23448
Reviewed-by: Riza Suminto <[email protected]>
Reviewed-by: Michael Smith <[email protected]>
Tested-by: Impala Public Jenkins <[email protected]>
> Bump ORC C++ version to 1.7.9-p11 to fix heap buffer overflow
> -------------------------------------------------------------
>
> Key: IMPALA-14269
> URL: https://issues.apache.org/jira/browse/IMPALA-14269
> Project: IMPALA
> Issue Type: Dependency upgrade
> Reporter: Pranav Yogi Lodha
> Assignee: Pranav Yogi Lodha
> Priority: Major
>
> A heap-based buffer overflow vulnerability was identified in Apache ORC's C++
> LZO decompression implementation. Specially crafted malformed ORC files can
> cause the decompressor to allocate a 250-byte buffer followed by a 295-byte
> copy, leading to memory corruption. This patch incorporates fix P11 which
> corrects the unsafe memory copy, mitigating the vulnerability.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
