[CVE-2018-10237]: Upgrade guava to 24.1.1-jre

This upgrade fixes CVE-2018-10237 [1]: Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker- provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable. [1] https://nvd.nist.gov/vuln/detail/CVE-2018-10237 This also adds dependency on j2objc-annotations to prevent the following warning during the build: INFO: From Building java/com/google/gerrit/lucene/liblucene.jar (12 source files): warning: unknown enum constant ReflectionSupport$Level.FULL reason: class file for com.google.j2objc.annotations.ReflectionSupport$Level not found Bug: Issue 9952 Change-Id: Iea79ee7d93c4b7c85479b5ec01ee07e19beed611
2018-11-01 15:46:39 +09:00 · 2018-11-01 15:46:39 +09:00 · b0618f9b94
parent ec46d92a77
commit b0618f9b94
3 changed files with 19 additions and 3 deletions
--- a/6
+++ b/6
@ -219,6 +219,12 @@ maven_jar(
    sha1 = GUAVA_BIN_SHA1,
 )

+maven_jar(
+    name = "j2objc",
+    artifact = "com.google.j2objc:j2objc-annotations:1.1",
+    sha1 = "ed28ded51a8b1c6b112568def5f4b455e6809019",
+)
+
 maven_jar(
    name = "velocity",
    artifact = "org.apache.velocity:velocity:1.7",
--- a/lib/BUILD
+++ b/lib/BUILD
@ -75,11 +75,21 @@ java_library(
    runtime_deps = [":protobuf"],
 )

+java_library(
+    name = "j2objc",
+    data = ["//lib:LICENSE-Apache2.0"],
+    visibility = ["//visibility:public"],
+    exports = ["@j2objc//jar"],
+)
+
 java_library(
    name = "guava",
    data = ["//lib:LICENSE-Apache2.0"],
    visibility = ["//visibility:public"],
-    exports = ["@guava//jar"],
+    exports = [
+        ":j2objc",
+        "@guava//jar",
+    ],
 )

 java_library(
--- a/lib/guava.bzl
+++ b/lib/guava.bzl
@ -1,5 +1,5 @@
-GUAVA_VERSION = "22.0"
+GUAVA_VERSION = "24.1.1-jre"

-GUAVA_BIN_SHA1 = "3564ef3803de51fb0530a8377ec6100b33b0d073"
+GUAVA_BIN_SHA1 = "2e3014320a8005e3f3c1800cb246ed42db8cab81"

 GUAVA_DOC_URL = "https://google.github.io/guava/releases/" + GUAVA_VERSION + "/api/docs/"