Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package netty for openSUSE:Factory checked in at 2021-02-15 23:15:16 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/netty (Old) and /work/SRC/openSUSE:Factory/.netty.new.28504 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "netty" Mon Feb 15 23:15:16 2021 rev:4 rq:871237 version:4.1.13 Changes: -------- --- /work/SRC/openSUSE:Factory/netty/netty.changes 2020-04-09 23:17:16.746307776 +0200 +++ /work/SRC/openSUSE:Factory/.netty.new.28504/netty.changes 2021-02-15 23:17:20.535489182 +0100 @@ -1,0 +2,7 @@ +Thu Feb 11 09:20:25 UTC 2021 - Fridrich Strba <[email protected]> + +- Added patch: + * netty-CVE-2021-21290.patch + + bsc#1182103, CVE-2021-21290 + +------------------------------------------------------------------- New: ---- netty-CVE-2021-21290.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ netty.spec ++++++ --- /var/tmp/diff_new_pack.xEWg7j/_old 2021-02-15 23:17:21.243490239 +0100 +++ /var/tmp/diff_new_pack.xEWg7j/_new 2021-02-15 23:17:21.243490239 +0100 @@ -1,7 +1,7 @@ # # spec file for package netty # -# Copyright (c) 2020 SUSE LLC +# Copyright (c) 2021 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -36,6 +36,7 @@ Patch2: 0003-Remove-conscrypt-ALPN.patch Patch3: 0004-Remove-jetty-ALPN.patch Patch4: netty-CVE-2020-11612.patch +Patch5: netty-CVE-2021-21290.patch BuildRequires: maven-local BuildRequires: mvn(ant-contrib:ant-contrib) BuildRequires: mvn(com.jcraft:jzlib) @@ -100,6 +101,7 @@ %patch3 -p1 %endif %patch4 -p1 +%patch5 -p1 # Missing Mavenized rxtx %pom_disable_module "transport-rxtx" ++++++ netty-CVE-2021-21290.patch ++++++ --- netty-netty-4.1.13.Final/buffer/src/test/java/io/netty/buffer/AbstractByteBufTest.java 2021-02-11 09:47:00.013202675 +0100 +++ netty-netty-4.1.13.Final/buffer/src/test/java/io/netty/buffer/AbstractByteBufTest.java 2021-02-11 09:47:19.465317664 +0100 @@ -3962,7 +3962,7 @@ @Test public void testReadBytesAndWriteBytesWithFileChannel() throws IOException { - File file = File.createTempFile("file-channel", ".tmp"); + File file = PlatformDependent.createTempFile("file-channel", ".tmp", null); RandomAccessFile randomAccessFile = null; try { randomAccessFile = new RandomAccessFile(file, "rw"); @@ -4005,7 +4005,7 @@ @Test public void testGetBytesAndSetBytesWithFileChannel() throws IOException { - File file = File.createTempFile("file-channel", ".tmp"); + File file = PlatformDependent.createTempFile("file-channel", ".tmp", null); RandomAccessFile randomAccessFile = null; try { randomAccessFile = new RandomAccessFile(file, "rw"); --- netty-netty-4.1.13.Final/codec-http/src/main/java/io/netty/handler/codec/http/multipart/AbstractDiskHttpData.java 2021-02-11 09:47:00.017202698 +0100 +++ netty-netty-4.1.13.Final/codec-http/src/main/java/io/netty/handler/codec/http/multipart/AbstractDiskHttpData.java 2021-02-11 09:49:19.942029838 +0100 @@ -18,6 +18,7 @@ import io.netty.buffer.ByteBuf; import io.netty.handler.codec.http.HttpConstants; import io.netty.util.internal.EmptyArrays; +import io.netty.util.internal.PlatformDependent; import io.netty.util.internal.logging.InternalLogger; import io.netty.util.internal.logging.InternalLoggerFactory; @@ -87,9 +88,9 @@ File tmpFile; if (getBaseDirectory() == null) { // create a temporary file - tmpFile = File.createTempFile(getPrefix(), newpostfix); + tmpFile = PlatformDependent.createTempFile(getPrefix(), newpostfix, null); } else { - tmpFile = File.createTempFile(getPrefix(), newpostfix, new File( + tmpFile = PlatformDependent.createTempFile(getPrefix(), newpostfix, new File( getBaseDirectory())); } if (deleteOnExit()) { --- netty-netty-4.1.13.Final/codec-http/src/test/java/io/netty/handler/codec/http/HttpChunkedInputTest.java 2021-02-11 09:47:00.025202746 +0100 +++ netty-netty-4.1.13.Final/codec-http/src/test/java/io/netty/handler/codec/http/HttpChunkedInputTest.java 2021-02-11 09:47:19.465317664 +0100 @@ -25,6 +25,7 @@ import io.netty.handler.stream.ChunkedNioStream; import io.netty.handler.stream.ChunkedStream; import io.netty.handler.stream.ChunkedWriteHandler; +import io.netty.util.internal.PlatformDependent; import org.junit.Test; import java.io.ByteArrayInputStream; @@ -46,7 +47,7 @@ FileOutputStream out = null; try { - TMP = File.createTempFile("netty-chunk-", ".tmp"); + TMP = PlatformDependent.createTempFile("netty-chunk-", ".tmp", null); TMP.deleteOnExit(); out = new FileOutputStream(TMP); out.write(BYTES); --- netty-netty-4.1.13.Final/common/src/main/java/io/netty/util/internal/NativeLibraryLoader.java 2021-02-11 09:47:00.053202912 +0100 +++ netty-netty-4.1.13.Final/common/src/main/java/io/netty/util/internal/NativeLibraryLoader.java 2021-02-11 10:04:33.335429893 +0100 @@ -212,7 +212,7 @@ OutputStream out = null; File tmpFile = null; try { - tmpFile = File.createTempFile(prefix, suffix, WORKDIR); + tmpFile = PlatformDependent.createTempFile(prefix, suffix, WORKDIR); in = url.openStream(); out = new FileOutputStream(tmpFile); --- netty-netty-4.1.13.Final/common/src/main/java/io/netty/util/internal/PlatformDependent.java 2021-02-11 09:47:00.053202912 +0100 +++ netty-netty-4.1.13.Final/common/src/main/java/io/netty/util/internal/PlatformDependent.java 2021-02-11 10:18:02.976246106 +0100 @@ -27,9 +27,11 @@ import org.jctools.util.UnsafeAccess; import java.io.File; +import java.io.IOException; import java.lang.reflect.Method; import java.nio.ByteBuffer; import java.nio.ByteOrder; +import java.nio.file.Files; import java.security.AccessController; import java.security.PrivilegedAction; import java.util.Deque; @@ -1166,6 +1168,23 @@ return true; } + public static File createTempFile(String prefix, String suffix, File directory) throws IOException { + if (javaVersion() >= 7) { + if (directory == null) { + return Files.createTempFile(prefix, suffix).toFile(); + } + return Files.createTempFile(directory.toPath(), prefix, suffix).toFile(); + } + if (directory == null) { + return File.createTempFile(prefix, suffix); + } + File file = File.createTempFile(prefix, suffix, directory); + // Try to adjust the perms, if this fails there is not much else we can do... + file.setReadable(false, false); + file.setReadable(true, true); + return file; + } + /** * Package private for testing purposes only! */ Only in netty-netty-4.1.13.Final/common/src/main/java/io/netty/util/internal: SuppressJava6Requirement.java --- netty-netty-4.1.13.Final/handler/src/main/java/io/netty/handler/ssl/util/SelfSignedCertificate.java 2021-02-11 09:47:00.069203006 +0100 +++ netty-netty-4.1.13.Final/handler/src/main/java/io/netty/handler/ssl/util/SelfSignedCertificate.java 2021-02-11 09:47:37.369423505 +0100 @@ -20,6 +20,7 @@ import io.netty.buffer.Unpooled; import io.netty.handler.codec.base64.Base64; import io.netty.util.CharsetUtil; +import io.netty.util.internal.PlatformDependent; import io.netty.util.internal.SystemPropertyUtil; import io.netty.util.internal.logging.InternalLogger; import io.netty.util.internal.logging.InternalLoggerFactory; @@ -29,6 +30,7 @@ import java.io.FileOutputStream; import java.io.IOException; import java.io.OutputStream; +import java.nio.file.Files; import java.security.KeyPair; import java.security.KeyPairGenerator; import java.security.NoSuchAlgorithmException; @@ -236,7 +238,7 @@ wrappedBuf.release(); } - File keyFile = File.createTempFile("keyutil_" + fqdn + '_', ".key"); + File keyFile = PlatformDependent.createTempFile("keyutil_" + fqdn + '_', ".key", null); keyFile.deleteOnExit(); OutputStream keyOut = new FileOutputStream(keyFile); @@ -267,7 +269,7 @@ wrappedBuf.release(); } - File certFile = File.createTempFile("keyutil_" + fqdn + '_', ".crt"); + File certFile = PlatformDependent.createTempFile("keyutil_" + fqdn + '_', ".crt", null); certFile.deleteOnExit(); OutputStream certOut = new FileOutputStream(certFile); --- netty-netty-4.1.13.Final/handler/src/test/java/io/netty/handler/stream/ChunkedWriteHandlerTest.java 2021-02-11 09:47:00.069203006 +0100 +++ netty-netty-4.1.13.Final/handler/src/test/java/io/netty/handler/stream/ChunkedWriteHandlerTest.java 2021-02-11 09:47:37.369423505 +0100 @@ -47,7 +47,7 @@ FileOutputStream out = null; try { - TMP = File.createTempFile("netty-chunk-", ".tmp"); + TMP = PlatformDependent.createTempFile("netty-chunk-", ".tmp", null); TMP.deleteOnExit(); out = new FileOutputStream(TMP); out.write(BYTES); Only in netty-netty-4.1.13.Final: netty-CVE-2021-21290.patch --- netty-netty-4.1.13.Final/testsuite/src/main/java/io/netty/testsuite/transport/socket/SocketFileRegionTest.java 2021-02-11 09:47:00.077203053 +0100 +++ netty-netty-4.1.13.Final/testsuite/src/main/java/io/netty/testsuite/transport/socket/SocketFileRegionTest.java 2021-02-11 09:47:40.085439560 +0100 @@ -100,7 +100,7 @@ cb.option(ChannelOption.AUTO_READ, autoRead); final int bufferSize = 1024; - final File file = File.createTempFile("netty-", ".tmp"); + final File file = PlatformDependent.createTempFile("netty-", ".tmp", null); file.deleteOnExit(); final FileOutputStream out = new FileOutputStream(file); --- netty-netty-4.1.13.Final/transport-native-epoll/src/test/java/io/netty/channel/epoll/EpollSpliceTest.java 2021-02-11 09:47:00.081203076 +0100 +++ netty-netty-4.1.13.Final/transport-native-epoll/src/test/java/io/netty/channel/epoll/EpollSpliceTest.java 2021-02-11 09:47:40.085439560 +0100 @@ -192,7 +192,7 @@ @Test public void spliceToFile() throws Throwable { EventLoopGroup group = new EpollEventLoopGroup(1); - File file = File.createTempFile("netty-splice", null); + File file = PlatformDependent.createTempFile("netty-splice", null, null); file.deleteOnExit(); SpliceHandler sh = new SpliceHandler(file); --- netty-netty-4.1.13.Final/transport-native-unix-common-tests/src/main/java/io/netty/channel/unix/tests/UnixTestUtils.java 2021-02-11 09:47:00.081203076 +0100 +++ netty-netty-4.1.13.Final/transport-native-unix-common-tests/src/main/java/io/netty/channel/unix/tests/UnixTestUtils.java 2021-02-11 09:47:40.085439560 +0100 @@ -17,6 +17,7 @@ import io.netty.channel.unix.DomainSocketAddress; import io.netty.channel.unix.Socket; +import io.netty.util.internal.PlatformDependent; import java.io.File; import java.io.IOException; @@ -26,7 +27,7 @@ try { File file; do { - file = File.createTempFile("NETTY", "UDS"); + file = PlatformDependent.createTempFile("NETTY", "UDS", null); if (!file.delete()) { throw new IOException("failed to delete: " + file); }
