[CELEBORN-2218] Bump lz4-java version from 1.8.0 to 1.8.1 to resolve CVE‐2025‐12183

SteNicholas · SteNicholas · commit 9d04928c42fa · 2025-12-03T20:09:27.000+08:00
diff --git a/client/src/main/java/org/apache/celeborn/client/compress/Lz4Decompressor.java b/client/src/main/java/org/apache/celeborn/client/compress/Lz4Decompressor.java
@@ -26,15 +26,15 @@
 
 import com.google.common.collect.ImmutableMap;
 import net.jpountz.lz4.LZ4Factory;
-import net.jpountz.lz4.LZ4FastDecompressor;
+import net.jpountz.lz4.LZ4SafeDecompressor;
 import net.jpountz.xxhash.XXHashFactory;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 public class Lz4Decompressor extends Lz4Trait implements Decompressor {
   private static final Logger logger = LoggerFactory.getLogger(Lz4Decompressor.class);
 
-  private final LZ4FastDecompressor decompressor;
+  private final LZ4SafeDecompressor decompressor;
   private final Checksum checksum;
 
   private final Map<String, Supplier<XXHashFactory>> xxHashFactories =
@@ -47,7 +47,7 @@ public class Lz4Decompressor extends Lz4Trait implements Decompressor {
           XXHashFactory::unsafeInstance);
 
   public Lz4Decompressor(Option<String> xxHashInstance) {
-    decompressor = LZ4Factory.fastestInstance().fastDecompressor();
+    decompressor = LZ4Factory.safeInstance().safeDecompressor();
     checksum = getXXHashFactory(xxHashInstance).newStreamingHash32(DEFAULT_SEED).asChecksum();
   }
 
@@ -68,7 +68,7 @@ public int decompress(byte[] src, byte[] dst, int dstOff) throws IOException {
         System.arraycopy(src, HEADER_LENGTH, dst, dstOff, originalLen);
         break;
       case COMPRESSION_METHOD_LZ4:
-        int compressedLen2 = decompressor.decompress(src, HEADER_LENGTH, dst, dstOff, originalLen);
+        int compressedLen2 = decompressor.decompress(src, HEADER_LENGTH, originalLen, dst, dstOff);
         if (compressedLen != compressedLen2) {
           throw new IOException(
               "Compressed length corrupted! expected: "
diff --git a/dev/deps/dependencies-client-flink-1.16 b/dev/deps/dependencies-client-flink-1.16
@@ -32,7 +32,7 @@ jcl-over-slf4j/1.7.36//jcl-over-slf4j-1.7.36.jar
 jsr305/1.3.9//jsr305-1.3.9.jar
 jul-to-slf4j/1.7.36//jul-to-slf4j-1.7.36.jar
 leveldbjni-all/1.8//leveldbjni-all-1.8.jar
-lz4-java/1.8.0//lz4-java-1.8.0.jar
+lz4-java/1.8.1//lz4-java-1.8.1.jar
 maven-jdk-tools-wrapper/0.1//maven-jdk-tools-wrapper-0.1.jar
 metrics-core/4.2.25//metrics-core-4.2.25.jar
 metrics-graphite/4.2.25//metrics-graphite-4.2.25.jar
diff --git a/dev/deps/dependencies-client-flink-1.17 b/dev/deps/dependencies-client-flink-1.17
@@ -32,7 +32,7 @@ jcl-over-slf4j/1.7.36//jcl-over-slf4j-1.7.36.jar
 jsr305/1.3.9//jsr305-1.3.9.jar
 jul-to-slf4j/1.7.36//jul-to-slf4j-1.7.36.jar
 leveldbjni-all/1.8//leveldbjni-all-1.8.jar
-lz4-java/1.8.0//lz4-java-1.8.0.jar
+lz4-java/1.8.1//lz4-java-1.8.1.jar
 maven-jdk-tools-wrapper/0.1//maven-jdk-tools-wrapper-0.1.jar
 metrics-core/4.2.25//metrics-core-4.2.25.jar
 metrics-graphite/4.2.25//metrics-graphite-4.2.25.jar
diff --git a/dev/deps/dependencies-client-flink-1.18 b/dev/deps/dependencies-client-flink-1.18
@@ -32,7 +32,7 @@ jcl-over-slf4j/1.7.36//jcl-over-slf4j-1.7.36.jar
 jsr305/1.3.9//jsr305-1.3.9.jar
 jul-to-slf4j/1.7.36//jul-to-slf4j-1.7.36.jar
 leveldbjni-all/1.8//leveldbjni-all-1.8.jar
-lz4-java/1.8.0//lz4-java-1.8.0.jar
+lz4-java/1.8.1//lz4-java-1.8.1.jar
 maven-jdk-tools-wrapper/0.1//maven-jdk-tools-wrapper-0.1.jar
 metrics-core/4.2.25//metrics-core-4.2.25.jar
 metrics-graphite/4.2.25//metrics-graphite-4.2.25.jar
diff --git a/dev/deps/dependencies-client-flink-1.19 b/dev/deps/dependencies-client-flink-1.19
@@ -32,7 +32,7 @@ jcl-over-slf4j/1.7.36//jcl-over-slf4j-1.7.36.jar
 jsr305/1.3.9//jsr305-1.3.9.jar
 jul-to-slf4j/1.7.36//jul-to-slf4j-1.7.36.jar
 leveldbjni-all/1.8//leveldbjni-all-1.8.jar
-lz4-java/1.8.0//lz4-java-1.8.0.jar
+lz4-java/1.8.1//lz4-java-1.8.1.jar
 maven-jdk-tools-wrapper/0.1//maven-jdk-tools-wrapper-0.1.jar
 metrics-core/4.2.25//metrics-core-4.2.25.jar
 metrics-graphite/4.2.25//metrics-graphite-4.2.25.jar
diff --git a/dev/deps/dependencies-client-flink-1.20 b/dev/deps/dependencies-client-flink-1.20
@@ -32,7 +32,7 @@ jcl-over-slf4j/1.7.36//jcl-over-slf4j-1.7.36.jar
 jsr305/1.3.9//jsr305-1.3.9.jar
 jul-to-slf4j/1.7.36//jul-to-slf4j-1.7.36.jar
 leveldbjni-all/1.8//leveldbjni-all-1.8.jar
-lz4-java/1.8.0//lz4-java-1.8.0.jar
+lz4-java/1.8.1//lz4-java-1.8.1.jar
 maven-jdk-tools-wrapper/0.1//maven-jdk-tools-wrapper-0.1.jar
 metrics-core/4.2.25//metrics-core-4.2.25.jar
 metrics-graphite/4.2.25//metrics-graphite-4.2.25.jar
diff --git a/dev/deps/dependencies-client-flink-2.0 b/dev/deps/dependencies-client-flink-2.0
@@ -32,7 +32,7 @@ jcl-over-slf4j/1.7.36//jcl-over-slf4j-1.7.36.jar
 jsr305/1.3.9//jsr305-1.3.9.jar
 jul-to-slf4j/1.7.36//jul-to-slf4j-1.7.36.jar
 leveldbjni-all/1.8//leveldbjni-all-1.8.jar
-lz4-java/1.8.0//lz4-java-1.8.0.jar
+lz4-java/1.8.1//lz4-java-1.8.1.jar
 metrics-core/4.2.25//metrics-core-4.2.25.jar
 metrics-graphite/4.2.25//metrics-graphite-4.2.25.jar
 metrics-jvm/4.2.25//metrics-jvm-4.2.25.jar
diff --git a/dev/deps/dependencies-client-flink-2.1 b/dev/deps/dependencies-client-flink-2.1
@@ -32,7 +32,7 @@ jcl-over-slf4j/1.7.36//jcl-over-slf4j-1.7.36.jar
 jsr305/1.3.9//jsr305-1.3.9.jar
 jul-to-slf4j/1.7.36//jul-to-slf4j-1.7.36.jar
 leveldbjni-all/1.8//leveldbjni-all-1.8.jar
-lz4-java/1.8.0//lz4-java-1.8.0.jar
+lz4-java/1.8.1//lz4-java-1.8.1.jar
 metrics-core/4.2.25//metrics-core-4.2.25.jar
 metrics-graphite/4.2.25//metrics-graphite-4.2.25.jar
 metrics-jvm/4.2.25//metrics-jvm-4.2.25.jar
diff --git a/dev/deps/dependencies-client-mr b/dev/deps/dependencies-client-mr
@@ -134,7 +134,7 @@ kerby-xdr/1.0.1//kerby-xdr-1.0.1.jar
 kotlin-stdlib-common/1.4.10//kotlin-stdlib-common-1.4.10.jar
 kotlin-stdlib/1.4.10//kotlin-stdlib-1.4.10.jar
 leveldbjni-all/1.8//leveldbjni-all-1.8.jar
-lz4-java/1.8.0//lz4-java-1.8.0.jar
+lz4-java/1.8.1//lz4-java-1.8.1.jar
 maven-jdk-tools-wrapper/0.1//maven-jdk-tools-wrapper-0.1.jar
 metrics-core/4.2.25//metrics-core-4.2.25.jar
 metrics-graphite/4.2.25//metrics-graphite-4.2.25.jar
diff --git a/dev/deps/dependencies-client-tez b/dev/deps/dependencies-client-tez
@@ -107,7 +107,7 @@ kerby-util/1.0.1//kerby-util-1.0.1.jar
 kerby-xdr/1.0.1//kerby-xdr-1.0.1.jar
 leveldbjni-all/1.8//leveldbjni-all-1.8.jar
 log4j/1.2.17//log4j-1.2.17.jar
-lz4-java/1.8.0//lz4-java-1.8.0.jar
+lz4-java/1.8.1//lz4-java-1.8.1.jar
 maven-jdk-tools-wrapper/0.1//maven-jdk-tools-wrapper-0.1.jar
 metrics-core/4.2.25//metrics-core-4.2.25.jar
 metrics-graphite/4.2.25//metrics-graphite-4.2.25.jar
diff --git a/dev/deps/dependencies-server b/dev/deps/dependencies-server
@@ -79,7 +79,7 @@ log4j-1.2-api/2.24.3//log4j-1.2-api-2.24.3.jar
 log4j-api/2.24.3//log4j-api-2.24.3.jar
 log4j-core/2.24.3//log4j-core-2.24.3.jar
 log4j-slf4j-impl/2.24.3//log4j-slf4j-impl-2.24.3.jar
-lz4-java/1.8.0//lz4-java-1.8.0.jar
+lz4-java/1.8.1//lz4-java-1.8.1.jar
 maven-jdk-tools-wrapper/0.1//maven-jdk-tools-wrapper-0.1.jar
 metrics-core/4.2.25//metrics-core-4.2.25.jar
 metrics-graphite/4.2.25//metrics-graphite-4.2.25.jar
diff --git a/pom.xml b/pom.xml
@@ -91,7 +91,7 @@
     <leveldb.version>1.8</leveldb.version>
     <log4j2.version>2.24.3</log4j2.version>
     <disruptor.version>3.4.4</disruptor.version>
-    <lz4-java.version>1.8.0</lz4-java.version>
+    <lz4-java.version>1.8.1</lz4-java.version>
     <mockito.version>4.11.0</mockito.version>
     <mockito-scalatest.version>1.17.14</mockito-scalatest.version>
     <netty.version>4.1.118.Final</netty.version>
diff --git a/project/CelebornBuild.scala b/project/CelebornBuild.scala
@@ -38,7 +38,7 @@ import CelebornCommonSettings._
 object Dependencies {
 
   val zstdJniVersion = sparkClientProjects.map(_.zstdJniVersion).getOrElse("1.5.7-1")
-  val lz4JavaVersion = sparkClientProjects.map(_.lz4JavaVersion).getOrElse("1.8.0")
+  val lz4JavaVersion = sparkClientProjects.map(_.lz4JavaVersion).getOrElse("1.8.1")
 
   // Dependent library versions
   val apLoaderVersion = "4.0-10"
