From 6d07aa41e84fba5052cc66434b2146e74d04280a Mon Sep 17 00:00:00 2001 From: maltesander Date: Thu, 7 Nov 2024 17:07:58 +0100 Subject: [PATCH 1/3] fix (nifi): CVE-2024-36114 --- CHANGELOG.md | 2 + ...E-2024-36114-bump-aircompressor-0-27.patch | 37 +++++++++++++++++++ ...E-2024-36114-bump-aircompressor-0-27.patch | 37 +++++++++++++++++++ 3 files changed, 76 insertions(+) create mode 100644 nifi/stackable/patches/1.27.0/004-CVE-2024-36114-bump-aircompressor-0-27.patch create mode 100644 nifi/stackable/patches/2.0.0/004-CVE-2024-36114-bump-aircompressor-0-27.patch diff --git a/CHANGELOG.md b/CHANGELOG.md index 7c8ed5a83..ce72fa037 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -63,6 +63,7 @@ All notable changes to this project will be documented in this file. - hbase: link to phoenix server jar ([#811]). - trino: Correctly report Trino version ([#881]). +- nifi: Fix CVE-2024-36114 in Hive `1.27.0` and `2.0.0` by upgrading a dependency. ([#xxx]). [#783]: https://github.com/stackabletech/docker-images/pull/783 [#797]: https://github.com/stackabletech/docker-images/pull/797 @@ -106,6 +107,7 @@ All notable changes to this project will be documented in this file. [#914]: https://github.com/stackabletech/docker-images/pull/914 [#917]: https://github.com/stackabletech/docker-images/pull/917 [#920]: https://github.com/stackabletech/docker-images/pull/920 +[#xxx]: https://github.com/stackabletech/docker-images/pull/xxx ## [24.7.0] - 2024-07-24 diff --git a/nifi/stackable/patches/1.27.0/004-CVE-2024-36114-bump-aircompressor-0-27.patch b/nifi/stackable/patches/1.27.0/004-CVE-2024-36114-bump-aircompressor-0-27.patch new file mode 100644 index 000000000..aa6663c92 --- /dev/null +++ b/nifi/stackable/patches/1.27.0/004-CVE-2024-36114-bump-aircompressor-0-27.patch 
@@ -0,0 +1,37 @@ +Fix CVE-2024-36114 +see https://github.com/stackabletech/vulnerabilities/issues/834 + +Aircompressor is a library with ports of the Snappy, LZO, LZ4, and +Zstandard compression algorithms to Java. All decompressor +implementations of Aircompressor (LZ4, LZO, Snappy, Zstandard) can crash +the JVM for certain input, and in some cases also leak the content of +other memory of the Java process (which could contain sensitive +information). When decompressing certain data, the decompressors try to +access memory outside the bounds of the given byte arrays or byte +buffers. Because Aircompressor uses the JDK class sun.misc.Unsafe to +speed up memory access, no additional bounds checks are performed and +this has similar security consequences as out-of-bounds access in C or +C++, namely it can lead to non-deterministic behavior or crash the JVM. +Users should update to Aircompressor 0.27 or newer where these issues +have been fixed. When decompressing data from untrusted users, this can +be exploited for a denial-of-service attack by crashing the JVM, or to +leak other sensitive information from the Java process. There are no +known workarounds for this issue. + +diff --git a/pom.xml b/pom.xml +index 0437c2b949..1a06052b3b 100644 +--- a/pom.xml ++++ b/pom.xml +@@ -155,6 +155,12 @@ + + + ++ ++ ++ io.airlift ++ aircompressor ++ 0.27 ++ + + + + ++ ++ ++ io.airlift ++ aircompressor ++ 0.27 ++ + + ch.qos.logback + logback-classic From d3caa42c71abd17f3abcb422a69c59e0624a82e5 Mon Sep 17 00:00:00 2001 From: maltesander Date: Thu, 7 Nov 2024 17:09:19 +0100 Subject: [PATCH 2/3] adapted changelog --- CHANGELOG.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index ce72fa037..376ed754e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -63,7 +63,7 @@ All notable changes to this project will be documented in this file. - hbase: link to phoenix server jar ([#811]). - trino: Correctly report Trino version ([#881]). -- nifi: Fix CVE-2024-36114 in Hive `1.27.0` and `2.0.0` by upgrading a dependency. ([#xxx]). +- nifi: Fix CVE-2024-36114 in Hive `1.27.0` and `2.0.0` by upgrading a dependency. ([#924]). [#783]: https://github.com/stackabletech/docker-images/pull/783 [#797]: https://github.com/stackabletech/docker-images/pull/797 @@ -107,7 +107,7 @@ All notable changes to this project will be documented in this file. [#914]: https://github.com/stackabletech/docker-images/pull/914 [#917]: https://github.com/stackabletech/docker-images/pull/917 [#920]: https://github.com/stackabletech/docker-images/pull/920 -[#xxx]: https://github.com/stackabletech/docker-images/pull/xxx +[#924]: https://github.com/stackabletech/docker-images/pull/924 ## [24.7.0] - 2024-07-24 From e2b13545e658ad4faa4393fa3fc6a5670fbdebfc Mon Sep 17 00:00:00 2001 From: Malte Sander Date: Tue, 12 Nov 2024 11:51:54 +0100 Subject: [PATCH 3/3] fix changelog --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 376ed754e..b56a2d8da 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -63,7 +63,7 @@ All notable changes to this project will be documented in this file. - hbase: link to phoenix server jar ([#811]). - trino: Correctly report Trino version ([#881]). -- nifi: Fix CVE-2024-36114 in Hive `1.27.0` and `2.0.0` by upgrading a dependency. ([#924]). +- nifi: Fix CVE-2024-36114 in NiFi `1.27.0` and `2.0.0` by upgrading a dependency. ([#924]). [#783]: https://github.com/stackabletech/docker-images/pull/783 [#797]: https://github.com/stackabletech/docker-images/pull/797
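Review bot: the changelog entry added in PATCH 1/3 at `@@ -63,6 +63,7 @@` names the wrong product and carries a placeholder reference: `+- nifi: Fix CVE-2024-36114 in Hive ... ([#xxx]).` together with `+[#xxx]: https://github.com/stackabletech/docker-images/pull/xxx`. PATCH 2/3 and PATCH 3/3 in this series replace `#xxx` with `#924` and `Hive` with `NiFi`, so the end state is correct, but the three commits should be squashed before merge so that no revision of `CHANGELOG.md` ships a dangling `pull/xxx` link. Consider also naming the bumped artifact (`io.airlift:aircompressor` to `0.27`) in the entry, so that anyone auditing images for this CVE can find the fix by grepping the changelog for the dependency rather than only for the CVE id.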
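Review bot: the `pom.xml` hunk inside the new `nifi/stackable/patches/1.27.0/004-CVE-2024-36114-bump-aircompressor-0-27.patch` does not add up as rendered here: its header `@@ -155,6 +155,12 @@` announces six inserted lines, yet twelve `++` lines follow, as two identical `io.airlift` / `aircompressor` / `0.27` blocks, the second of which sits next to `ch.qos.logback` / `logback-classic`, which looks like a second hunk whose own `@@` header has gone missing. Before merging, run `git apply --check` (or the image build's patch step) against the upstream NiFi 1.27.0 `pom.xml` at the blob id the patch claims (`index 0437c2b949..1a06052b3b`) to confirm it still applies cleanly. The surrounding XML element names are not visible in this rendering, so also confirm that the version is declared inside `<dependencyManagement>` rather than only as a direct dependency of the root module; otherwise modules that pull `aircompressor` transitively keep resolving the vulnerable version. A quick check after the patch is applied is `mvn dependency:tree -Dincludes=io.airlift:aircompressor`, which should report `0.27` for every module that depends on it and nothing older.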
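Review bot: the diffstat of PATCH 1/3 lists two created files, `nifi/stackable/patches/1.27.0/004-...patch` and `nifi/stackable/patches/2.0.0/004-...patch`, each at 37 lines, but only the 1.27.0 file's content appears in the series as shown. Please confirm the 2.0.0 patch is actually committed and that it was generated against NiFi 2.0.0's `pom.xml` rather than copied from the 1.27.0 file: the two upstream poms differ, so the `@@ -155,6 +155,12 @@` offsets and the `index 0437c2b949..1a06052b3b` blob ids from the 1.27.0 patch are unlikely to apply to 2.0.0 without fuzz, and a patch that silently fails to apply would leave the 2.0.0 image still shipping the vulnerable decompressor described in the patch's own commit text.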