fix CVE-2020-8908

(cherry picked from commit 91f99f3b4d680c33a2a99c487eea7265a5f6261e)

CVE-2020-8908.patch

@@ -0,0 +1,48 @@
+From fec0dbc4634006a6162cfd4d0d09c962073ddf40 Mon Sep 17 00:00:00 2001
+From: glorioso <glorioso@google.com>
+Date: Wed, 26 Aug 2020 10:02:56 -0700
+Subject: [PATCH] Deprecate Files.createTempDir(), noting that better
+ alternatives exist for Android as well as for users running Java 7 or later.
+
+RELNOTES=`io`: Deprecated `Files.createTempDir()`.
+
+-------------
+Created by MOE: https://github.com/google/moe
+MOE_MIGRATED_REVID=328552787
+---
+ guava/src/com/google/common/io/Files.java | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/guava/src/com/google/common/io/Files.java b/guava/src/com/google/common/io/Files.java
+index 0d6cfc1..990a6a4 100644
+--- a/guava/src/com/google/common/io/Files.java
++++ b/guava/src/com/google/common/io/Files.java
+@@ -393,12 +393,24 @@ public final class Files {
+    * be exploited to create security vulnerabilities, especially when executable files are to be
+    * written into the directory.
+    *
++   *  <p>Depending on the environmment that this code is run in, the system temporary directory (and
++   *  thus the directory this method creates) may be more visible that a program would like - files
++   *  written to this directory may be read or overwritten by hostile programs running on the same
++   *   machine.
++   *
+    * <p>This method assumes that the temporary volume is writable, has free inodes and free blocks,
+    * and that it will not be called thousands of times per second.
+    *
+    * @return the newly-created directory
+    * @throws IllegalStateException if the directory could not be created
+-   */
++   * @deprecated For Android users, see the <a
++   *     href="https://developer.android.com/training/data-storage" target="_blank">Data and File
++   *     Storage overview</a> to select an appropriate temporary directory (perhaps {@code
++   *     context.getCacheDir()}). For developers on Java 7 or later, use {@link
++   *     java.nio.file.Files#createTempDirectory}, transforming it to a {@link File} using {@link
++   *     java.nio.file.Path#toFile() toFile()} if needed.
++   */
++  @Deprecated
+   public static File createTempDir() {
+     File baseDir = new File(System.getProperty("java.io.tmpdir"));
+     String baseName = System.currentTimeMillis() + "-";
+-- 
+2.23.0
+

guava20.spec

@@ -1,12 +1,13 @@
 Name:           guava20
 Version:        20.0
-Release:        9
+Release:        10
 Summary:        Google Libraries for Java
 License:        ASL 2.0 and CC0
 URL:            https://github.com/google/guava
 Source0:        https://github.com/google/guava/archive/v%{version}.tar.gz
 BuildArch:      noarch
 Patch0000:      0001-Avoid-presizing-arrays.patch
+Patch0001:      CVE-2020-8908.patch
 BuildRequires:  maven-local mvn(com.google.code.findbugs:jsr305) mvn(junit:junit)
 BuildRequires:  mvn(org.apache.felix:maven-bundle-plugin) mvn(org.codehaus.mojo:build-helper-maven-plugin)
 BuildRequires:  mvn(org.sonatype.oss:oss-parent:pom:)
@@ -63,5 +64,8 @@ find -name '*.java' | xargs sed -ri "s/^import .*\.($annotations);//;s/@($annota
 %doc CONTRIBUTORS README*
 
 %changelog
-* Thu Dec 5 2019 zhujunhao <zhujunhao5@huawei.com> 20.0-9
+* Fri Feb 26 2021 zhanghua <zhanghua40@huawei.com> - 20.0-10
+- fix CVE-2020-8908
+
+* Thu Dec 5 2019 zhujunhao <zhujunhao5@huawei.com> - 20.0-9
 - Package init