
[fix][sec] Upgrade avro to 1.12.1

Open lhotari opened this issue 1 month ago • 3 comments

Motivation

avro 1.12.1 contains 4 security fixes: https://avro.apache.org/blog/2025/10/16/avro-1.12.1/

Modifications

Upgrade avro from 1.12.0 to 1.12.1

Blocked by Avro bug causing StackOverflowError with recursive data structures

reported as https://issues.apache.org/jira/browse/AVRO-4209

Documentation

  • [ ] doc
  • [ ] doc-required
  • [x] doc-not-needed
  • [ ] doc-complete

lhotari avatar Nov 17 '25 07:11 lhotari

The change https://github.com/apache/avro/pull/3304 causes the StackOverflowError issue.

  Caused by: java.lang.StackOverflowError
  	at org.apache.avro.specific.SpecificData.createSchema(SpecificData.java:492)
  	at org.apache.avro.reflect.ReflectData.createSchema(ReflectData.java:673)
  	at org.apache.avro.reflect.ReflectData.createNonStringMapSchema(ReflectData.java:548)
  	at org.apache.avro.reflect.ReflectData.createSchema(ReflectData.java:642)
  	at org.apache.avro.reflect.ReflectData.createFieldSchema(ReflectData.java:894)
  	at org.apache.avro.reflect.ReflectData$AllowNull.createFieldSchema(ReflectData.java:98)
  	at org.apache.avro.reflect.ReflectData.createSchema(ReflectData.java:744)
  	at org.apache.avro.reflect.ReflectData.createSchema(ReflectData.java:649)
  	at org.apache.avro.reflect.ReflectData.createFieldSchema(ReflectData.java:894)
  	at org.apache.avro.reflect.ReflectData$AllowNull.createFieldSchema(ReflectData.java:98)
  	at org.apache.avro.reflect.ReflectData.createSchema(ReflectData.java:744)
  	at org.apache.avro.reflect.ReflectData.createNonStringMapSchema(ReflectData.java:549)
  	at org.apache.avro.reflect.ReflectData.createSchema(ReflectData.java:642)
  	at org.apache.avro.reflect.ReflectData.createFieldSchema(ReflectData.java:894)
  	at org.apache.avro.reflect.ReflectData$AllowNull.createFieldSchema(ReflectData.java:98)
  	at org.apache.avro.reflect.ReflectData.createSchema(ReflectData.java:744)
  	at org.apache.avro.reflect.ReflectData.createSchema(ReflectData.java:649)
  	at org.apache.avro.reflect.ReflectData.createFieldSchema(ReflectData.java:894)
  	at org.apache.avro.reflect.ReflectData$AllowNull.createFieldSchema(ReflectData.java:98)
  	at org.apache.avro.reflect.ReflectData.createSchema(ReflectData.java:744)
  	at org.apache.avro.reflect.ReflectData.createNonStringMapSchema(ReflectData.java:549)
  	at org.apache.avro.reflect.ReflectData.createSchema(ReflectData.java:642)
  	at org.apache.avro.reflect.ReflectData.createFieldSchema(ReflectData.java:894)
  	at org.apache.avro.reflect.ReflectData$AllowNull.createFieldSchema(ReflectData.java:98)
  	at org.apache.avro.reflect.ReflectData.createSchema(ReflectData.java:744)
  	at org.apache.avro.reflect.ReflectData.createSchema(ReflectData.java:649)
  	at org.apache.avro.reflect.ReflectData.createFieldSchema(ReflectData.java:894)
  	at org.apache.avro.reflect.ReflectData$AllowNull.createFieldSchema(ReflectData.java:98)
  	at org.apache.avro.reflect.ReflectData.createSchema(ReflectData.java:744)
  	at org.apache.avro.reflect.ReflectData.createNonStringMapSchema(ReflectData.java:549)
  	at org.apache.avro.reflect.ReflectData.createSchema(ReflectData.java:642)
  	at org.apache.avro.reflect.ReflectData.createFieldSchema(ReflectData.java:894)
  	at org.apache.avro.reflect.ReflectData$AllowNull.createFieldSchema(ReflectData.java:98)
  	at org.apache.avro.reflect.ReflectData.createSchema(ReflectData.java:744)
  	at org.apache.avro.reflect.ReflectData.createSchema(ReflectData.java:649)
  	at org.apache.avro.reflect.ReflectData.createFieldSchema(ReflectData.java:894)
  	at org.apache.avro.reflect.ReflectData$AllowNull.createFieldSchema(ReflectData.java:98)
  	at org.apache.avro.reflect.ReflectData.createSchema(ReflectData.java:744)
  	at org.apache.avro.reflect.ReflectData.createNonStringMapSchema(ReflectData.java:549)
  	at org.apache.avro.reflect.ReflectData.createSchema(ReflectData.java:642)
  	at org.apache.avro.reflect.ReflectData.createFieldSchema(ReflectData.java:894)
  	at org.apache.avro.reflect.ReflectData$AllowNull.createFieldSchema(ReflectData.java:98)
  	at org.apache.avro.reflect.ReflectData.createSchema(ReflectData.java:744)
  	at org.apache.avro.reflect.ReflectData.createSchema(ReflectData.java:649)
  	at org.apache.avro.reflect.ReflectData.createFieldSchema(ReflectData.java:894)
  	at org.apache.avro.reflect.ReflectData$AllowNull.createFieldSchema(ReflectData.java:98)
  	at org.apache.avro.reflect.ReflectData.createSchema(ReflectData.java:744)
  	at org.apache.avro.reflect.ReflectData.createNonStringMapSchema(ReflectData.java:549)
  	at org.apache.avro.reflect.ReflectData.createSchema(ReflectData.java:642)
  	at org.apache.avro.reflect.ReflectData.createFieldSchema(ReflectData.java:894)
  	at org.apache.avro.reflect.ReflectData$AllowNull.createFieldSchema(ReflectData.java:98)
  	at org.apache.avro.reflect.ReflectData.createSchema(ReflectData.java:744)

lhotari avatar Nov 20 '25 12:11 lhotari

Issue reported to Avro project: https://issues.apache.org/jira/browse/AVRO-4209

lhotari avatar Nov 20 '25 18:11 lhotari

Codecov Report

:white_check_mark: All modified and coverable lines are covered by tests. :white_check_mark: Project coverage is 38.63%. Comparing base (212ee6a) to head (e1ac129). :warning: Report is 6 commits behind head on master.

:exclamation: There is a different number of reports uploaded between BASE (212ee6a) and HEAD (e1ac129).

HEAD has 1 upload less than BASE

| Flag | BASE (212ee6a) | HEAD (e1ac129) |
|---|---|---|
| unittests | 2 | 1 |

@@              Coverage Diff              @@
##             master   #24992       +/-   ##
=============================================
- Coverage     74.28%   38.63%   -35.66%     
+ Complexity    34065    13325    -20740     
=============================================
  Files          1920     1863       -57     
  Lines        150302   146139     -4163     
  Branches      17450    16964      -486     
=============================================
- Hits         111656    56458    -55198     
- Misses        29740    82057    +52317     
+ Partials       8906     7624     -1282     

| Flag | Coverage Δ |
|---|---|
| inttests | 26.41% <ø> (-0.05%) :arrow_down: |
| systests | 22.95% <ø> (+0.04%) :arrow_up: |
| unittests | 34.79% <ø> (-39.03%) :arrow_down: |

Flags with carried forward coverage won't be shown. See 1417 files with indirect coverage changes.

codecov-commenter avatar Nov 21 '25 06:11 codecov-commenter