Skip to content

DRILL-8520: Update Parquet due to CVE#2984

Closed
cgivre wants to merge 4 commits intoapache:masterfrom
cgivre:update_parquet
Closed

DRILL-8520: Update Parquet due to CVE#2984
cgivre wants to merge 4 commits intoapache:masterfrom
cgivre:update_parquet

Conversation

@cgivre
Copy link
Copy Markdown
Contributor

@cgivre cgivre commented Apr 10, 2025

DRILL-8520: Update Parquet due to CVE

Description

Updated parquet libraries to latest version due to CVE.

Documentation

No user facing changes.

Testing

(Please describe how this PR has been tested.)

@cgivre cgivre self-assigned this Apr 10, 2025
@cgivre cgivre added security backport-to-stable This bug fix is applicable to the latest stable release and should be considered for inclusion there labels Apr 10, 2025
@cgivre cgivre marked this pull request as draft April 10, 2025 20:05
rymarm
rymarm reviewed Apr 25, 2025
View reviewed changes
Copy link
Copy Markdown
Member

@rymarm rymarm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@cgivre Hi Charles! Do you plan to make any more changes in this PR? It has draft status.

I’ve reviewed everything, and it all looks good to me — except for the file exec/java-exec/src/main/java/org/apache/parquet/hadoop/ParquetColumnChunkPageWriteStore.java.

Comment thread exec/java-exec/src/main/java/org/apache/parquet/hadoop/ParquetColumnChunkPageWriteStore.java
Copy link
Copy Markdown
Member

@rymarm rymarm Apr 25, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@cgivre Why did you do the changes? Correct me if I'm missing something, but they don’t seem to add value or improve code clarity.

Copy link
Copy Markdown
Contributor Author

@cgivre cgivre Apr 27, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@rymarm The unit tests weren't passing. Honestly, I could use some help here. @jnturton believes that Drill is pulling in an old version of parquet in testing and that is why this keeps failing. Any help would be greatly appreciated.

Copy link
Copy Markdown
Member

@rymarm rymarm Apr 29, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@cgivre I'll help with this — I'm working on it now. The issue isn't due to pulling in an older version of Parquet. Instead, it stems from our temporary replacement of a few Parquet library class implementations to address specific issues. Since the internal API has changed, we now need to update our implementations accordingly.

https://issues.apache.org/jira/browse/PARQUET-2026
https://issues.apache.org/jira/browse/PARQUET-1006

@jnturton
Copy link
Copy Markdown
Contributor

jnturton commented Apr 30, 2025

Nice find @rymarm. While weeding older Parquet version of out of the Maven dependency tree I added this change to what @cgivre already has.

-    <hive.parquet.version>1.8.3</hive.parquet.version>
+    <hive.parquet.version>1.15.1</hive.parquet.version>

@rymarm
Copy link
Copy Markdown
Member

rymarm commented Apr 30, 2025

@cgivre @jnturton I've raised a PR to address this task - please take a look: #2986

@rymarm rymarm mentioned this pull request Apr 30, 2025
Merged
@cgivre
Copy link
Copy Markdown
Contributor Author

cgivre commented Apr 30, 2025

Closed due to DRILL-8521.

@cgivre cgivre closed this Apr 30, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rymarm rymarm rymarm left review comments

Assignees

@cgivre cgivre

Labels

backport-to-stable This bug fix is applicable to the latest stable release and should be considered for inclusion there code-cleanup dependencies security

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@cgivre @jnturton @rymarm