From eede5b131575b3ec1dbc45fae078bb7f2c3e992e Mon Sep 17 00:00:00 2001
From: PJ Fanning
Date: Wed, 3 Apr 2024 20:32:15 +0200
Subject: [PATCH] HADOOP-19114. Upgrade to commons-compress 1.26.1 due to CVEs. (#6636)

This addresses two CVEs triggered by malformed archives

Important: Denial of Service CVE-2024-25710
Moderate: Denial of Service CVE-2024-26308

Contributed by PJ Fanning
---
 LICENSE-binary | 2 +-
 .../org/apache/hadoop/mapred/uploader/FrameworkUploader.java | 4 ++--
 hadoop-project/pom.xml | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/LICENSE-binary b/LICENSE-binary
index 084907d1dd..02869088e1 100644
--- a/LICENSE-binary
+++ b/LICENSE-binary
@@ -299,7 +299,7 @@ net.java.dev.jna:jna:5.2.0
 net.minidev:accessors-smart:1.2
 org.apache.avro:avro:1.9.2
 org.apache.commons:commons-collections4:4.2
-org.apache.commons:commons-compress:1.24.0
+org.apache.commons:commons-compress:1.26.1
 org.apache.commons:commons-configuration2:2.10.1
 org.apache.commons:commons-csv:1.9.0
 org.apache.commons:commons-digester:1.8.1
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-uploader/src/main/java/org/apache/hadoop/mapred/uploader/FrameworkUploader.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-uploader/src/main/java/org/apache/hadoop/mapred/uploader/FrameworkUploader.java
index 452078ff8e..0408b6c1ea 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-uploader/src/main/java/org/apache/hadoop/mapred/uploader/FrameworkUploader.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-uploader/src/main/java/org/apache/hadoop/mapred/uploader/FrameworkUploader.java
@@ -22,7 +22,7 @@
 import org.apache.commons.cli.HelpFormatter;
 import org.apache.commons.cli.Option;
 import org.apache.commons.cli.Options;
-import org.apache.commons.compress.archivers.ArchiveEntry;
+import org.apache.commons.compress.archivers.tar.TarArchiveEntry;
 import org.apache.commons.compress.archivers.tar.TarArchiveOutputStream;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.BlockLocation;
@@ -337,7 +337,7 @@ void buildPackage()
 LOG.info("Adding " + fullPath);
 File file = new File(fullPath);
 try (FileInputStream inputStream = new FileInputStream(file)) {
- ArchiveEntry entry = out.createArchiveEntry(file, file.getName());
+ TarArchiveEntry entry = out.createArchiveEntry(file, file.getName());
 out.putArchiveEntry(entry);
 IOUtils.copyBytes(inputStream, out, 1024 * 1024);
 out.closeArchiveEntry();
diff --git a/hadoop-project/pom.xml b/hadoop-project/pom.xml
index cb3018811c..a01a31289d 100644
--- a/hadoop-project/pom.xml
+++ b/hadoop-project/pom.xml
@@ -122,7 +122,7 @@
 1.5.0
 1.15
 3.2.2
- 1.24.0
+ 1.26.1
 1.9.0
 2.14.0
 3.12.0
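Review bot: The new `TarArchiveEntry entry = out.createArchiveEntry(file, file.getName());` line in buildPackage gives no hint why the interface type was dropped, so a later cleanup could put `ArchiveEntry` back and only discover the reason at compile time; a one-line why-comment such as `// commons-compress 1.26 made ArchiveOutputStream generic, so putArchiveEntry(entry) needs the concrete TarArchiveEntry type` would pin it (the generification is my understanding of the 1.26 API change, worth confirming against the release notes). The entry is still named from `file.getName()` alone, so if two files collected for the tarball share a basename the archive presumably ends up with duplicate entry names and extraction order decides which jar the cluster actually runs; that pre-dates this patch, but a duplicate-name check, or at least a warning next to the existing `LOG.info("Adding " + fullPath);`, would make the framework tarball's contents deterministic. buildPackage starts and ends outside the hunk.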