From 63625fc816fc0faac5df3c133ac82c3d517ebfdb Mon Sep 17 00:00:00 2001
From: xumia <59720581+xumia@users.noreply.github.com>
Date: Thu, 1 Apr 2021 13:45:06 +0800
Subject: [PATCH] Fix CVE-2017-1000487 security alert (#7173)

#### Why I did it
Plexus-utils before 3.0.16 is vulnerable to command injection because it does not correctly process the contents of double quoted strings.

#### How I did it
Upgrade to 3.0.16
---
 src/thrift/Makefile                          |  1 +
 src/thrift/patch/0002-cve-2017-1000487.patch | 25 ++++++++++++++++++++
 2 files changed, 26 insertions(+)
 create mode 100644 src/thrift/patch/0002-cve-2017-1000487.patch

diff --git a/src/thrift/Makefile b/src/thrift/Makefile
index 2d1d4187135f..2580002fd457 100644
--- a/src/thrift/Makefile
+++ b/src/thrift/Makefile
@@ -26,6 +26,7 @@ $(addprefix $(DEST)/, $(MAIN_TARGET)): $(DEST)/% :
 	# saithrift implementation relies on the bug in union serialization
 	# (https://jira.apache.org/jira/browse/THRIFT-3650)
 	patch -p1 < ../patch/0001-Revert-THRIFT-3650-incorrect-union-serialization.patch
+	patch -p1 < ../patch/0002-cve-2017-1000487.patch
 	CXXFLAGS="-DFORCE_BOOST_SMART_PTR" DEB_BUILD_OPTIONS=nocheck dpkg-buildpackage -d -rfakeroot -b -us -uc -j$(SONIC_CONFIG_MAKE_JOBS) --admindir $(SONIC_DPKG_ADMINDIR)
 	popd
 
diff --git a/src/thrift/patch/0002-cve-2017-1000487.patch b/src/thrift/patch/0002-cve-2017-1000487.patch
new file mode 100644
index 000000000000..ee9a18d150ae
--- /dev/null
+++ b/src/thrift/patch/0002-cve-2017-1000487.patch
@@ -0,0 +1,25 @@
+From 99d698c5247284319248e287bbce2762490fb70b Mon Sep 17 00:00:00 2001
+From: xumia <xumia@microsoft.com>
+Date: Mon, 29 Mar 2021 09:57:38 +0000
+Subject: [PATCH] Fix CVE-2017-1000487 security alert
+
+---
+ contrib/thrift-maven-plugin/pom.xml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/contrib/thrift-maven-plugin/pom.xml b/contrib/thrift-maven-plugin/pom.xml
+index 76d0d4f3a..7313b69bf 100644
+--- a/contrib/thrift-maven-plugin/pom.xml
++++ b/contrib/thrift-maven-plugin/pom.xml
+@@ -75,7 +75,7 @@
+     <dependency>
+       <groupId>org.codehaus.plexus</groupId>
+       <artifactId>plexus-utils</artifactId>
+-      <version>3.0.14</version>
++      <version>3.0.16</version>
+     </dependency>
+     <dependency>
+       <groupId>org.mockito</groupId>
+-- 
+2.17.1
+