Fix CVE-2017-1000487 security alert (#7173)

#### Why I did it Plexus-utils before 3.0.16 is vulnerable to command injection because it does not correctly process the contents of double quoted strings. #### How I did it Upgrade to 3.0.16
sonic-net · Apr 2, 2021 · 63625fc · 63625fc
1 parent dfda130
commit 63625fc
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 0 deletions.
diff --git a/src/thrift/Makefile b/src/thrift/Makefile
@@ -26,6 +26,7 @@ $(addprefix $(DEST)/, $(MAIN_TARGET)): $(DEST)/% :
 	# saithrift implementation relies on the bug in union serialization
 	# (https://jira.apache.org/jira/browse/THRIFT-3650)
 	patch -p1 < ../patch/0001-Revert-THRIFT-3650-incorrect-union-serialization.patch
+	patch -p1 < ../patch/0002-cve-2017-1000487.patch
 	CXXFLAGS="-DFORCE_BOOST_SMART_PTR" DEB_BUILD_OPTIONS=nocheck dpkg-buildpackage -d -rfakeroot -b -us -uc -j$(SONIC_CONFIG_MAKE_JOBS) --admindir $(SONIC_DPKG_ADMINDIR)
 	popd
 

diff --git a/src/thrift/patch/0002-cve-2017-1000487.patch b/src/thrift/patch/0002-cve-2017-1000487.patch
@@ -0,0 +1,25 @@
+From 99d698c5247284319248e287bbce2762490fb70b Mon Sep 17 00:00:00 2001
+From: xumia <xumia@microsoft.com>
+Date: Mon, 29 Mar 2021 09:57:38 +0000
+Subject: [PATCH] Fix CVE-2017-1000487 security alert
+
+---
+ contrib/thrift-maven-plugin/pom.xml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/contrib/thrift-maven-plugin/pom.xml b/contrib/thrift-maven-plugin/pom.xml
+index 76d0d4f3a..7313b69bf 100644
+--- a/contrib/thrift-maven-plugin/pom.xml
++++ b/contrib/thrift-maven-plugin/pom.xml
+@@ -75,7 +75,7 @@
+     <dependency>
+       <groupId>org.codehaus.plexus</groupId>
+       <artifactId>plexus-utils</artifactId>
+-      <version>3.0.14</version>
++      <version>3.0.16</version>
+     </dependency>
+     <dependency>
+       <groupId>org.mockito</groupId>
+-- 
+2.17.1
+