From 88e7f086e4eb80771b1379a3a51f4bbe242838b8 Mon Sep 17 00:00:00 2001
From: Dilli-Babu-Godari <godari728@gmail.com>
Date: Fri, 15 Nov 2024 10:40:18 +0530
Subject: [PATCH] Upgrade gson and grpc to address CVE-2022-25647  Upgraded
 gson to version 2.8.9 and grpc to version 1.68.0 to fix security
 vulnerability CVE-2022-25647. Versions of com.google.code.gson:gson prior to
 2.8.9 were susceptible to deserialization of untrusted data through the
 writeReplace() method in internal classes, potentially leading to a Denial of
 Service (DoS) attack.

This update ensures safer data handling and mitigates the risk of
exploitation from this vulnerability.

Co-authored-by: infvg <ialhazmim@gmail.com>
Resolves: CVE-2022-25647
---
 pom.xml                                    |  2 +-
 presto-bigquery/pom.xml                    |  7 ++++---
 presto-function-namespace-managers/pom.xml | 10 ++++++++++
 presto-pinot-toolkit/pom.xml               |  4 ++--
 presto-pinot/pom.xml                       |  2 +-
 5 files changed, 18 insertions(+), 7 deletions(-)

diff --git a/pom.xml b/pom.xml
index 54bf984a68083..939b7dda2019d 100644
--- a/pom.xml
+++ b/pom.xml
@@ -94,7 +94,7 @@
         <air.test.parallel>methods</air.test.parallel>
         <air.test.thread-count>2</air.test.thread-count>
         <air.test.jvmsize>4g</air.test.jvmsize>
-        <grpc.version>1.64.0</grpc.version>
+        <grpc.version>1.68.0</grpc.version>
 
         <air.javadoc.lint>-missing</air.javadoc.lint>
     </properties>
diff --git a/presto-bigquery/pom.xml b/presto-bigquery/pom.xml
index 97a39676ff774..81f83280d0640 100644
--- a/presto-bigquery/pom.xml
+++ b/presto-bigquery/pom.xml
@@ -14,6 +14,7 @@
 
     <properties>
         <air.main.basedir>${project.parent.basedir}</air.main.basedir>
+        <grpc.version>1.68.0</grpc.version>
     </properties>
 
     <dependencyManagement>
@@ -77,13 +78,13 @@
             <dependency>
                 <groupId>io.grpc</groupId>
                 <artifactId>grpc-context</artifactId>
-                <version>1.64.0</version>
+                <version>${grpc.version}</version>
             </dependency>
 
             <dependency>
                 <groupId>io.grpc</groupId>
                 <artifactId>grpc-protobuf-lite</artifactId>
-                <version>1.64.0</version>
+                <version>${grpc.version}</version>
             </dependency>
 
             <!-- Pinned version is required. -->
@@ -91,7 +92,7 @@
             <dependency>
                 <groupId>io.perfmark</groupId>
                 <artifactId>perfmark-api</artifactId>
-                <version>0.26.0</version>
+                <version>0.27.0</version>
             </dependency>
         </dependencies>
     </dependencyManagement>
diff --git a/presto-function-namespace-managers/pom.xml b/presto-function-namespace-managers/pom.xml
index 7cb8a34a8afbe..f8d9736816401 100644
--- a/presto-function-namespace-managers/pom.xml
+++ b/presto-function-namespace-managers/pom.xml
@@ -15,6 +15,16 @@
         <air.main.basedir>${project.parent.basedir}</air.main.basedir>
     </properties>
 
+    <dependencyManagement>
+        <dependencies>
+            <dependency>
+                <groupId>com.google.code.gson</groupId>
+                <artifactId>gson</artifactId>
+                <version>2.8.9</version>
+            </dependency>
+        </dependencies>
+    </dependencyManagement>
+
     <dependencies>
         <dependency>
             <groupId>com.facebook.airlift</groupId>
diff --git a/presto-pinot-toolkit/pom.xml b/presto-pinot-toolkit/pom.xml
index 3e94aaaedaec9..03a9840f5538e 100644
--- a/presto-pinot-toolkit/pom.xml
+++ b/presto-pinot-toolkit/pom.xml
@@ -14,7 +14,7 @@
 
     <properties>
         <air.main.basedir>${project.parent.basedir}</air.main.basedir>
-        <grpc.version>1.41.0</grpc.version>
+        <grpc.version>1.68.0</grpc.version>
     </properties>
 
     <dependencies>
@@ -383,7 +383,7 @@
         <dependency>
             <groupId>io.perfmark</groupId>
             <artifactId>perfmark-api</artifactId>
-            <version>0.23.0</version>
+            <version>0.27.0</version>
         </dependency>
 
         <dependency>
diff --git a/presto-pinot/pom.xml b/presto-pinot/pom.xml
index 756f4bc968cdf..85c204c22426d 100644
--- a/presto-pinot/pom.xml
+++ b/presto-pinot/pom.xml
@@ -14,7 +14,7 @@
 
     <properties>
         <air.main.basedir>${project.parent.basedir}</air.main.basedir>
-        <grpc.version>1.41.0</grpc.version>
+        <grpc.version>1.68.0</grpc.version>
     </properties>
 
     <dependencies>