Fix CVE-2017-1000487 security alert (#7173) (#7278)

Plexus-utils before 3.0.16 is vulnerable to command injection because it does not correctly process the contents of double quoted strings.

src/thrift/Makefile

@@ -23,6 +23,7 @@ $(addprefix $(DEST)/, $(MAIN_TARGET)): $(DEST)/% :
 	dpkg-source -x thrift_$(THRIFT_VERSION_FULL).dsc
 	pushd thrift-$(THRIFT_VERSION)
 	patch -p1 < ../patch/THRIFT-3577-assertion-failed.patch
+	patch -p1 < ../patch/0002-cve-2017-1000487.patch
 	DEB_BUILD_OPTIONS=nocheck dpkg-buildpackage -d -rfakeroot -b -us -uc -j$(SONIC_CONFIG_MAKE_JOBS) --admindir $(SONIC_DPKG_ADMINDIR)
 	popd
 

src/thrift/patch/0002-cve-2017-1000487.patch

@@ -0,0 +1,25 @@
+From 99d698c5247284319248e287bbce2762490fb70b Mon Sep 17 00:00:00 2001
+From: xumia <xumia@microsoft.com>
+Date: Mon, 29 Mar 2021 09:57:38 +0000
+Subject: [PATCH] Fix CVE-2017-1000487 security alert
+
+---
+ contrib/thrift-maven-plugin/pom.xml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/contrib/thrift-maven-plugin/pom.xml b/contrib/thrift-maven-plugin/pom.xml
+index 76d0d4f3a..7313b69bf 100644
+--- a/contrib/thrift-maven-plugin/pom.xml
++++ b/contrib/thrift-maven-plugin/pom.xml
+@@ -75,7 +75,7 @@
+     <dependency>
+       <groupId>org.codehaus.plexus</groupId>
+       <artifactId>plexus-utils</artifactId>
+-      <version>3.0.14</version>
++      <version>3.0.16</version>
+     </dependency>
+     <dependency>
+       <groupId>org.mockito</groupId>
+-- 
+2.17.1
+