Upgrade libthrift to 0.14.1 due CVE-2020-13949

denodo-research-labs · jaystarshot · commit d6c5af64c85e · 2025-02-19T08:43:23.000-08:00
diff --git a/pom.xml b/pom.xml
@@ -1468,7 +1468,7 @@
             <dependency>
                 <groupId>org.apache.thrift</groupId>
                 <artifactId>libthrift</artifactId>
-                <version>0.9.3-1</version>
+                <version>0.14.1</version>
                 <exclusions>
                     <exclusion>
                         <groupId>org.apache.httpcomponents</groupId>
@@ -1478,6 +1478,10 @@
                         <groupId>org.apache.httpcomponents</groupId>
                         <artifactId>httpclient</artifactId>
                     </exclusion>
+                    <exclusion>
+                        <groupId>org.apache.tomcat.embed</groupId>
+                        <artifactId>tomcat-embed-core</artifactId>
+                    </exclusion>
                 </exclusions>
             </dependency>
 
diff --git a/presto-accumulo/pom.xml b/presto-accumulo/pom.xml
@@ -19,6 +19,17 @@
         <dep.reload4j.version>1.2.18.3</dep.reload4j.version>
     </properties>
 
+    <dependencyManagement>
+        <dependencies>
+            <dependency>
+                <groupId>org.apache.thrift</groupId>
+                <artifactId>libthrift</artifactId>
+                <!-- libthrift >= 0.14.1 not compatible with accumulo-minicluster 1.x -->
+                <version>0.9.3-1</version>
+            </dependency>
+        </dependencies>
+    </dependencyManagement>
+
     <dependencies>
         <dependency>
             <groupId>org.apache.accumulo</groupId>
diff --git a/presto-hive-metastore/src/main/java/com/facebook/presto/hive/metastore/thrift/Transport.java b/presto-hive-metastore/src/main/java/com/facebook/presto/hive/metastore/thrift/Transport.java
@@ -15,6 +15,7 @@
 
 import com.facebook.presto.hive.authentication.HiveMetastoreAuthentication;
 import com.google.common.net.HostAndPort;
+import org.apache.thrift.TConfiguration;
 import org.apache.thrift.transport.TSocket;
 import org.apache.thrift.transport.TTransport;
 import org.apache.thrift.transport.TTransportException;
@@ -217,5 +218,26 @@ public void flush()
                 throw rewriteException(e, address);
             }
         }
+
+        // Methods added in libthrift 0.14.0 and not present in Hive Metastore <= 3.1.2
+        @Override
+        public TConfiguration getConfiguration()
+        {
+            return TConfiguration.DEFAULT;
+        }
+
+        @Override
+        public void updateKnownMessageSize(long size)
+                throws TTransportException
+        {
+            // noop: method added in libthrift 0.14.0 and not present in Hive Metastore <= 3.1.2
+        }
+
+        @Override
+        public void checkReadBytesAvailable(long numBytes)
+                throws TTransportException
+        {
+            // noop: method added in libthrift 0.14.0 and not present in Hive Metastore <= 3.1.2
+        }
     }
 }
diff --git a/presto-hive/src/main/java/com/facebook/presto/hive/authentication/KerberosHiveMetastoreAuthentication.java b/presto-hive/src/main/java/com/facebook/presto/hive/authentication/KerberosHiveMetastoreAuthentication.java
@@ -15,6 +15,7 @@
 
 import com.facebook.presto.hive.ForHiveMetastore;
 import com.facebook.presto.hive.HiveClientConfig;
+import com.facebook.presto.spi.PrestoException;
 import com.google.common.collect.ImmutableMap;
 import org.apache.hadoop.hive.metastore.security.DelegationTokenIdentifier;
 import org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport;
@@ -24,6 +25,7 @@
 import org.apache.hadoop.security.token.TokenIdentifier;
 import org.apache.thrift.transport.TSaslClientTransport;
 import org.apache.thrift.transport.TTransport;
+import org.apache.thrift.transport.TTransportException;
 
 import javax.inject.Inject;
 import javax.security.auth.callback.Callback;
@@ -40,6 +42,7 @@
 import java.util.Map;
 import java.util.Optional;
 
+import static com.facebook.presto.hive.HiveErrorCode.HIVE_METASTORE_ERROR;
 import static com.google.common.base.Preconditions.checkState;
 import static java.util.Objects.requireNonNull;
 import static javax.security.sasl.Sasl.QOP;
@@ -98,6 +101,9 @@ private TTransport authenticateWithToken(TTransport rawTransport, String tokenSt
         catch (IOException ex) {
             throw new UncheckedIOException(ex);
         }
+        catch (TTransportException e) {
+            throw new PrestoException(HIVE_METASTORE_ERROR, e);
+        }
     }
 
     private static class SaslClientCallbackHandler
@@ -175,5 +181,8 @@ private TTransport authenticateWithHost(TTransport rawTransport, String hiveMeta
         catch (IOException e) {
             throw new UncheckedIOException(e);
         }
+        catch (TTransportException e) {
+            throw new PrestoException(HIVE_METASTORE_ERROR, e);
+        }
     }
 }
