
Fix CVE-2022-25168

Open th555555 opened this issue 6 months ago • 4 comments

This PR addresses a critical security vulnerability (Command Injection) in the extractTarFileUsingTar method of CompressionUtils.

Modified extractTarFileUsingTar to use a stream-based approach that passes file content through stdin instead of passing file paths to shell commands. This approach eliminates the possibility of command injection via malicious file paths. It maintains the same functionality while improving security.

References:
https://www.cve.org/CVERecord?id=CVE-2022-25168
https://github.com/apache/hadoop/commit/cae749b076f35f0be13a926ee8cfbb7ce4402746

This change is a trivial rework / code cleanup without any test coverage.

th555555, May 10 '25 09:05
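The two patterns the description contrasts, as an added illustration and not Flink's CompressionUtils code (which this page does not show): a path spliced into a shell command string beside a fixed argument vector that streams the archive to tar's stdin. Class and method names are hypothetical.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;

public final class TarExtractionExample {

    /**
     * Vulnerable pattern (illustrative only): the archive path is spliced into a
     * shell command string, so any shell metacharacters in the file name are
     * interpreted by bash rather than treated as part of the name.
     */
    static Process extractViaShellString(Path tarFile, Path targetDir) throws IOException {
        String cmd = "cd '" + targetDir + "' && tar -xf '" + tarFile + "'";
        return new ProcessBuilder("bash", "-c", cmd).start();
    }

    /**
     * Hardened pattern: no shell is involved, the argument vector is fixed, the
     * working directory is set by the JVM instead of "cd", and the archive bytes
     * are written to tar's stdin, so the untrusted path never reaches a shell.
     */
    static int extractViaStdin(Path tarFile, Path targetDir)
            throws IOException, InterruptedException {
        ProcessBuilder pb = new ProcessBuilder("tar", "-xf", "-")
                .directory(targetDir.toFile())
                .redirectErrorStream(true);
        Process proc = pb.start();
        try (InputStream in = Files.newInputStream(tarFile);
             OutputStream toTar = proc.getOutputStream()) {
            in.transferTo(toTar); // closing toTar signals EOF to tar
        }
        // Drain tar's combined stdout/stderr so it cannot block on a full pipe.
        proc.getInputStream().transferTo(OutputStream.nullOutputStream());
        return proc.waitFor(); // non-zero means extraction failed
    }
}
```

Callers should treat a non-zero return from extractViaStdin as a failed extraction rather than assuming the target directory is complete.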

CI report:

  • d10efa900198b5781ac4b288e64483e72374ffb2 Azure: FAILURE

Bot commands

The @flinkbot bot supports the following commands:
  • @flinkbot run azure re-run the last Azure build

flinkbot, May 10 '25 09:05

@th555555 Looking at our process, we need a Jira unless this is a hotfix. I suggest describing in more detail the approach you are taking in resolving this.

davidradl, May 12 '25 08:05

The CI failure appears to be because of running out of space - I guess this is either due to the fix or infrastructure (disk cleanup). If you think it is due to the disk needing cleaning out - I suggest mailing the dev list.

davidradl, May 12 '25 08:05

The CI failure appears to be because of running out of space - I guess this is either due to the fix or infrastructure (disk cleanup). If you think it is due to the disk needing cleaning out - I suggest mailing the dev list.

It's a bot. Don't bother.

androidacy-user, May 21 '25 23:05

This PR is being marked as stale since it has not had any activity in the last 90 days. If you would like to keep this PR alive, please leave a comment asking for a review. If the PR has merge conflicts, update it with the latest from the base branch.

If you are having difficulty finding a reviewer, please reach out to the community, contact details can be found here: https://flink.apache.org/what-is-flink/community/

If this PR is no longer valid or desired, please feel free to close it. If no activity occurs in the next 30 days, it will be automatically closed.

github-actions[bot], Aug 20 '25 06:08

This PR has been closed since it has not had any activity in 120 days. If you feel like this was a mistake, or you would like to continue working on it, please feel free to re-open the PR and ask for a review.

github-actions[bot], Sep 19 '25 06:09