[ https://issues.apache.org/jira/browse/SPARK-54567?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
PJ Fanning updated SPARK-54567:
-------------------------------
Description:
https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-12183
https://github.com/search?q=repo%3Aapache%2Fspark%20lz4-java&type=code
The fork jar is a drop-in replacement (same package name as the original jar)
Use of the fastDecompressor is probably worrisome. If you use the
safeDecompressor even with the old jar, this should be safer.
https://github.com/apache/spark/blob/7251e95e22cc9afd39bcae3ad0ef56b7843ac0fb/core/src/main/scala/org/apache/spark/io/CompressionCodec.scala#L158
was:
https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-12183
https://github.com/search?q=repo%3Aapache%2Fspark%20lz4-java&type=code
The fork jar is a drop-in replacement (same package name as the original jar)
> switch lz4-java to at.yawk.lz4 version due to CVE
> -------------------------------------------------
>
> Key: SPARK-54567
> URL: https://issues.apache.org/jira/browse/SPARK-54567
> Project: Spark
> Issue Type: Bug
> Components: Spark Core
> Affects Versions: 4.0.1
> Reporter: PJ Fanning
> Priority: Major
>
> https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-12183
> https://github.com/search?q=repo%3Aapache%2Fspark%20lz4-java&type=code
> The fork jar is a drop-in replacement (same package name as the original jar)
> Use of the fastDecompressor is probably worrisome. If you use the
> safeDecompressor even with the old jar, this should be safer.
> https://github.com/apache/spark/blob/7251e95e22cc9afd39bcae3ad0ef56b7843ac0fb/core/src/main/scala/org/apache/spark/io/CompressionCodec.scala#L158
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
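The fastDecompressor/safeDecompressor distinction the reporter points at comes down to one API difference: LZ4FastDecompressor.decompress is given only the expected decompressed length and is never told how long the compressed buffer is, whereas LZ4SafeDecompressor.decompress takes the compressed length and treats it as a hard bound. The program below is an added example written for this page, not code from the Spark issue or from the lz4-java project. It compresses a constructed payload, truncates the block to model a corrupted or attacker-shortened input whose length header still claims the full size, and feeds the result to both decompressors. The class name, the sample text, and the choice of LZ4Factory.safeInstance() are assumptions made for the example; everything else is the public lz4-java API (package net.jpountz.lz4), which the at.yawk fork keeps under the same package name according to the issue.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Collections;

import net.jpountz.lz4.LZ4Compressor;
import net.jpountz.lz4.LZ4Exception;
import net.jpountz.lz4.LZ4Factory;
import net.jpountz.lz4.LZ4FastDecompressor;
import net.jpountz.lz4.LZ4SafeDecompressor;

/** Added example: compares lz4-java's fast and safe decompressors on a truncated block. */
public class Lz4DecompressorCheck {

    // Constructed sample input (repetitive so it compresses well); not data from the issue.
    static final byte[] ORIGINAL = String.join("\n",
            Collections.nCopies(64, "shuffle block payload, row 0123456789"))
            .getBytes(StandardCharsets.UTF_8);

    static byte[] compress(LZ4Factory factory, byte[] input) {
        LZ4Compressor compressor = factory.fastCompressor();
        byte[] buf = new byte[compressor.maxCompressedLength(input.length)];
        int n = compressor.compress(input, 0, input.length, buf, 0, buf.length);
        return Arrays.copyOf(buf, n);
    }

    // Safe path: the compressed length is an explicit argument, so the decompressor can
    // refuse to read past the end of `compressed` and throws LZ4Exception on malformed input.
    static byte[] decompressSafe(LZ4Factory factory, byte[] compressed, int maxDestLen) {
        LZ4SafeDecompressor d = factory.safeDecompressor();
        byte[] dest = new byte[maxDestLen];
        int n = d.decompress(compressed, 0, compressed.length, dest, 0, maxDestLen);
        return Arrays.copyOf(dest, n);
    }

    // Fast path: only the *decompressed* length is passed in; the decompressor is never told
    // how long `compressed` is and trusts the block's own length fields to stay inside it.
    static byte[] decompressFast(LZ4Factory factory, byte[] compressed, int destLen) {
        LZ4FastDecompressor d = factory.fastDecompressor();
        byte[] dest = new byte[destLen];
        d.decompress(compressed, 0, dest, 0, destLen);
        return dest;
    }

    public static void main(String[] args) {
        // safeInstance() is the pure-Java implementation, chosen here so the demo behaves the
        // same everywhere. fastestInstance() prefers the JNI or sun.misc.Unsafe variants when
        // they load, and those do not get the JVM's array bounds checks.
        LZ4Factory factory = LZ4Factory.safeInstance();
        byte[] compressed = compress(factory, ORIGINAL);

        // Round trip on well-formed input: both decompressors agree.
        byte[] viaSafe = decompressSafe(factory, compressed, ORIGINAL.length);
        byte[] viaFast = decompressFast(factory, compressed, ORIGINAL.length);
        System.out.println("well-formed: safe ok=" + Arrays.equals(viaSafe, ORIGINAL)
                + ", fast ok=" + Arrays.equals(viaFast, ORIGINAL));

        // Truncated block: models a corrupted or attacker-shortened payload whose length
        // header (here, the destLen argument) still claims the full original size.
        byte[] truncated = Arrays.copyOf(compressed, compressed.length / 2);

        try {
            decompressSafe(factory, truncated, ORIGINAL.length);
            System.out.println("safe: unexpectedly accepted truncated input");
        } catch (LZ4Exception e) {
            System.out.println("safe: rejected truncated input: " + e.getMessage());
        }

        try {
            decompressFast(factory, truncated, ORIGINAL.length);
            System.out.println("fast: returned without complaint (read beyond the real block)");
        } catch (RuntimeException e) {
            // With the pure-Java implementation this is usually the JVM's own array bounds
            // check rather than an LZ4 validation error; the Unsafe and JNI variants have no
            // such backstop and read past the buffer instead.
            System.out.println("fast: " + e.getClass().getSimpleName() + ": " + e.getMessage());
        }
    }
}
```

Compile and run it against an lz4-java jar on the classpath (either the original org.lz4 artifact or the at.yawk fork, since the package name is the same). The safe decompressor reports the truncation as an LZ4Exception; the fast decompressor either fails with a JVM bounds-check exception or, on the Unsafe and native implementations, reads beyond the real block. One caveat for the Spark call site the issue links to: lz4-java's LZ4BlockInputStream constructors take an LZ4FastDecompressor, so moving that stream path to the safe decompressor is more than a one-line argument swap; the direct decompress-a-buffer call sites are where the substitution shown above applies as written.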