Patch guava for CVE-2020-8908 (#6036)

SPECS/guava/CVE-2020-8908.patch

@@ -0,0 +1,80 @@
+From fec0dbc4634006a6162cfd4d0d09c962073ddf40 Mon Sep 17 00:00:00 2001
+From: glorioso <glorioso@google.com>
+Date: Wed, 26 Aug 2020 10:02:56 -0700
+Subject: [PATCH] Deprecate Files.createTempDir(), noting that better
+ alternatives exist for Android as well as for users running Java 7 or later.
+
+RELNOTES=`io`: Deprecated `Files.createTempDir()`.
+
+-------------
+Created by MOE: https://github.com/google/moe
+MOE_MIGRATED_REVID=328552787
+---
+ android/guava/src/com/google/common/io/Files.java | 12 ++++++++++++
+ guava/src/com/google/common/io/Files.java         | 12 ++++++++++++
+ 2 files changed, 24 insertions(+)
+
+diff --git a/android/guava/src/com/google/common/io/Files.java b/android/guava/src/com/google/common/io/Files.java
+index 6a763f9..4dee6dc 100644
+--- a/android/guava/src/com/google/common/io/Files.java
++++ b/android/guava/src/com/google/common/io/Files.java
+@@ -386,6 +386,11 @@ public final class Files {
+    * be exploited to create security vulnerabilities, especially when executable files are to be
+    * written into the directory.
+    *
++   * <p>Depending on the environmment that this code is run in, the system temporary directory (and
++   * thus the directory this method creates) may be more visible that a program would like - files
++   * written to this directory may be read or overwritten by hostile programs running on the same
++   * machine.
++   *
+    * <p>This method assumes that the temporary volume is writable, has free inodes and free blocks,
+    * and that it will not be called thousands of times per second.
+    *
+@@ -394,7 +399,14 @@ public final class Files {
+    *
+    * @return the newly-created directory
+    * @throws IllegalStateException if the directory could not be created
++   * @deprecated For Android users, see the <a
++   *     href="https://developer.android.com/training/data-storage" target="_blank">Data and File
++   *     Storage overview</a> to select an appropriate temporary directory (perhaps {@code
++   *     context.getCacheDir()}). For developers on Java 7 or later, use {@link
++   *     java.nio.file.Files#createTempDirectory}, transforming it to a {@link File} using {@link
++   *     java.nio.file.Path#toFile() toFile()} if needed.
+    */
++  @Deprecated
+   public static File createTempDir() {
+     File baseDir = new File(System.getProperty("java.io.tmpdir"));
+     String baseName = System.currentTimeMillis() + "-";
+diff --git a/guava/src/com/google/common/io/Files.java b/guava/src/com/google/common/io/Files.java
+index 6a763f9..4dee6dc 100644
+--- a/guava/src/com/google/common/io/Files.java
++++ b/guava/src/com/google/common/io/Files.java
+@@ -386,6 +386,11 @@ public final class Files {
+    * be exploited to create security vulnerabilities, especially when executable files are to be
+    * written into the directory.
+    *
++   * <p>Depending on the environmment that this code is run in, the system temporary directory (and
++   * thus the directory this method creates) may be more visible that a program would like - files
++   * written to this directory may be read or overwritten by hostile programs running on the same
++   * machine.
++   *
+    * <p>This method assumes that the temporary volume is writable, has free inodes and free blocks,
+    * and that it will not be called thousands of times per second.
+    *
+@@ -394,7 +399,14 @@ public final class Files {
+    *
+    * @return the newly-created directory
+    * @throws IllegalStateException if the directory could not be created
++   * @deprecated For Android users, see the <a
++   *     href="https://developer.android.com/training/data-storage" target="_blank">Data and File
++   *     Storage overview</a> to select an appropriate temporary directory (perhaps {@code
++   *     context.getCacheDir()}). For developers on Java 7 or later, use {@link
++   *     java.nio.file.Files#createTempDirectory}, transforming it to a {@link File} using {@link
++   *     java.nio.file.Path#toFile() toFile()} if needed.
+    */
++  @Deprecated
+   public static File createTempDir() {
+     File baseDir = new File(System.getProperty("java.io.tmpdir"));
+     String baseName = System.currentTimeMillis() + "-";
+-- 
+2.17.1

SPECS/guava/guava.spec

@@ -17,7 +17,7 @@
 Summary:        Google Core Libraries for Java
 Name:           guava
 Version:        25.0
-Release:        6%{?dist}
+Release:        7%{?dist}
 License:        Apache-2.0 AND CC0-1.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -26,6 +26,7 @@ URL:            https://github.com/google/guava
 Source0:        https://github.com/google/guava/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
 Source1:        %{name}-build.tar.xz
 Patch0:         %{name}-%{version}-java8compat.patch
+Patch1:         CVE-2020-8908.patch
 BuildRequires:  ant
 BuildRequires:  fdupes
 BuildRequires:  javapackages-local-bootstrap
@@ -63,6 +64,7 @@ guava-testlib provides additional functionality for conveninent unit testing
 %prep
 %setup -q -a1
 %patch0 -p1
+%patch1 -p1
 
 find . -name '*.jar' -delete
 
@@ -140,6 +142,9 @@ cp -r %{name}-testlib/target/site/apidocs %{buildroot}%{_javadocdir}/%{name}/%{n
 %files testlib -f .mfiles-guava-testlib
 
 %changelog
+* Wed Aug 23 2023 Dallas Delaney <dadelan@microsoft.com> 25.0-7
+- Add patch for CVE-2020-8908
+
 * Fri Mar 17 2023 Mykhailo Bykhovtsev <mbykhovtsev@microsoft.com> - 25.0-6
 - Moved from extended to core
 - License verified