Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package netty3 for openSUSE:Factory checked in at 2024-07-04 16:27:47 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/netty3 (Old) and /work/SRC/openSUSE:Factory/.netty3.new.2080 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "netty3" Thu Jul 4 16:27:47 2024 rev:17 rq:1185373 version:3.10.6 Changes: -------- --- /work/SRC/openSUSE:Factory/netty3/netty3.changes 2024-02-21 18:00:42.980633956 +0100 +++ /work/SRC/openSUSE:Factory/.netty3.new.2080/netty3.changes 2024-07-04 16:28:39.307298889 +0200 @@ -1,0 +2,7 @@ +Thu Jul 4 10:46:24 UTC 2024 - Fridrich Strba <[email protected]> + +- Added patch: + * netty3-CVE-2024-29025.patch + + backport upstream fix for bsc#1222045, CVE-2024-29025 + +------------------------------------------------------------------- New: ---- netty3-CVE-2024-29025.patch BETA DEBUG BEGIN: New:- Added patch: * netty3-CVE-2024-29025.patch + backport upstream fix for bsc#1222045, CVE-2024-29025 BETA DEBUG END: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ netty3.spec ++++++ --- /var/tmp/diff_new_pack.SX3mk8/_old 2024-07-04 16:28:39.995324004 +0200 +++ /var/tmp/diff_new_pack.SX3mk8/_new 2024-07-04 16:28:39.999324151 +0200 @@ -30,6 +30,7 @@ Patch1: disableNPN.patch Patch2: x509certificate.patch Patch3: netty3-CVE-2021-43797.patch +Patch4: netty3-CVE-2024-29025.patch BuildRequires: fdupes BuildRequires: java-devel >= 1.8 BuildRequires: maven-local @@ -132,6 +133,8 @@ %patch -P 3 -p1 +%patch -P 4 -p1 + # adapting to excluded dep rm -v src/main/java/org/jboss/netty/handler/ssl/JettyNpnSslEngine.java ++++++ netty3-CVE-2024-29025.patch ++++++ --- a/src/main/java/org/jboss/netty/handler/codec/http/multipart/HttpPostMultipartRequestDecoder.java 2016-06-29 14:41:47.000000000 +0200 +++ b/src/main/java/org/jboss/netty/handler/codec/http/multipart/HttpPostMultipartRequestDecoder.java 2024-07-04 12:42:30.682137342 +0200 
@@ -53,6 +53,16 @@ private final HttpRequest request; /** + * The maximum number of fields allows by the form + */ + private final int maxFields; + + /** + * The maximum number of accumulated bytes when decoding a field + */ + private final int maxBufferedBytes; + + /** * Default charset to use */ private Charset charset; @@ -147,6 +157,23 @@ */ public HttpPostMultipartRequestDecoder(HttpDataFactory factory, HttpRequest request, Charset charset) throws ErrorDataDecoderException { + this(factory, request, charset, HttpPostRequestDecoder.DEFAULT_MAX_FIELDS, HttpPostRequestDecoder.DEFAULT_MAX_BUFFERED_BYTES); + } + + /** + * + * @param factory the factory used to create InterfaceHttpData + * @param request the request to decode + * @param charset the charset to use as default + * @param maxFields + * the maximum number of fields the form can have, {@code -1} to disable + * @param maxBufferedBytes + * the maximum number of bytes the decoder can buffer when decoding a field, {@code -1} to disable + * @throws NullPointerException for request or charset or factory + * @throws ErrorDataDecoderException if the default charset was wrong when decoding or other errors + */ + public HttpPostMultipartRequestDecoder(HttpDataFactory factory, HttpRequest request, + Charset charset, int maxFields, int maxBufferedBytes) throws ErrorDataDecoderException { if (factory == null) { throw new NullPointerException("factory"); } @@ -159,6 +186,8 @@ this.request = request; this.charset = charset; this.factory = factory; + this.maxFields = maxFields; + this.maxBufferedBytes = maxBufferedBytes; // Fill default values setMultipart(this.request.headers().get(HttpHeaders.Names.CONTENT_TYPE)); if (!this.request.isChunked()) { @@ -230,6 +259,9 @@ isLastChunk = true; } parseBody(); + if (maxBufferedBytes > 0 && undecodedChunk != null && undecodedChunk.readableBytes() > maxBufferedBytes) { + throw new ErrorDataDecoderException(); + } } public boolean hasNext() throws EndOfDataDecoderException { 
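Review bot: The five-argument constructor added in the `@@ -147,6 +157,23 @@` hunk accepts `maxFields` and `maxBufferedBytes` without validation (they are assigned as-is in the following hunk), and its Javadoc says only `{@code -1}` disables a limit while the checks added further down test `> 0`, so `0` and every other negative value switch the protection off as well. A limit that is computed or read from configuration and comes out as 0 would therefore silently remove the bound this CVE-2024-29025 backport introduces. Either document the real contract, e.g. `{@code 0} or any negative value disables the limit`, or reject the ambiguous values at construction. The same Javadoc wording is repeated on the new constructors of HttpPostRequestDecoder and HttpPostStandardRequestDecoder; the constructor body continues outside this hunk.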
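Review bot: The limit check added after `parseBody()` in the `@@ -230,6 +259,9 @@` hunk throws a bare `new ErrorDataDecoderException()`, so a log line or error handler cannot tell a rejected oversized field from an ordinary malformed body. Passing a message, for example `throw new ErrorDataDecoderException("undecoded data exceeds maxBufferedBytes=" + maxBufferedBytes);`, lets operators separate limit rejections from parse errors when triaging a suspected resource-exhaustion attempt. The same bare throw is used for `maxFields` in `addHttpData` and in both corresponding hunks of HttpPostStandardRequestDecoder. The check also runs only after `parseBody()` has processed the data, so it bounds what stays buffered rather than the size of a single offered chunk; the enclosing method starts outside the hunk.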
@@ -268,10 +300,13 @@ /** * Utility function to add a new decoded data */ - private void addHttpData(InterfaceHttpData data) { + private void addHttpData(InterfaceHttpData data) throws ErrorDataDecoderException { if (data == null) { return; } + if (maxFields > 0 && bodyListHttpData.size() >= maxFields) { + throw new ErrorDataDecoderException(); + } List<InterfaceHttpData> datas = bodyMapHttpData.get(data.getName()); if (datas == null) { datas = new ArrayList<InterfaceHttpData>(1); --- a/src/main/java/org/jboss/netty/handler/codec/http/multipart/HttpPostRequestDecoder.java 2016-06-29 14:41:47.000000000 +0200 +++ b/src/main/java/org/jboss/netty/handler/codec/http/multipart/HttpPostRequestDecoder.java 2024-07-04 12:27:23.372964684 +0200 @@ -28,6 +28,11 @@ * This decoder will decode Body and can handle POST BODY (both multipart and standard). */ public class HttpPostRequestDecoder implements InterfaceHttpPostRequestDecoder { + + static final int DEFAULT_MAX_FIELDS = 128; + + static final int DEFAULT_MAX_BUFFERED_BYTES = 1024; + /** * Does this request is a Multipart request */ @@ -58,6 +63,25 @@ /** * + * @param request + * the request to decode + * @param maxFields + * the maximum number of fields the form can have, {@code -1} to disable + * @param maxBufferedBytes + * the maximum number of bytes the decoder can buffer when decoding a field, {@code -1} to disable + * @throws NullPointerException + * for request + * @throws ErrorDataDecoderException + * if the default charset was wrong when decoding or other + * errors + */ + public HttpPostRequestDecoder(HttpRequest request, int maxFields, int maxBufferedBytes) throws ErrorDataDecoderException { + this(new DefaultHttpDataFactory(DefaultHttpDataFactory.MINSIZE), request, HttpConstants.DEFAULT_CHARSET, + maxFields, maxBufferedBytes); + } + + /** + * * @param factory the factory used to create InterfaceHttpData * @param request the request to decode * @param charset the charset to use as default 
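Review bot: `DEFAULT_MAX_FIELDS` and `DEFAULT_MAX_BUFFERED_BYTES` in the `@@ -28,6 +28,11 @@` hunk are added without Javadoc, although the existing three-argument constructors now delegate with them and so change behaviour for every current caller. A form with more than 128 fields, or one that leaves more than 1024 undecoded bytes buffered after a parse pass, now ends in `ErrorDataDecoderException` where the old constructors applied no such limit as far as the hunks show. I would add a comment on each constant, e.g. `/** Default cap on decoded form fields, applied by constructors that take no explicit limit. */`, and state the new defaults in the changelog entry so maintainers of dependent packages know to expect the rejection. Because the constants are package-private, callers outside this package cannot reference them and have to hard-code their own values.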
@@ -66,6 +90,23 @@ */ public HttpPostRequestDecoder(HttpDataFactory factory, HttpRequest request, Charset charset) throws ErrorDataDecoderException { + this(factory, request, charset, HttpPostRequestDecoder.DEFAULT_MAX_FIELDS, + HttpPostRequestDecoder.DEFAULT_MAX_BUFFERED_BYTES); + } + + /** + * + * @param factory the factory used to create InterfaceHttpData + * @param request the request to decode + * @param charset the charset to use as default + * @param maxFields the maximum number of fields the form can have, {@code -1} to disable + * @param maxBufferedBytes + * the maximum number of bytes the decoder can buffer when decoding a field, {@code -1} to disable + * @throws NullPointerException for request or charset or factory + * @throws ErrorDataDecoderException if the default charset was wrong when decoding or other errors + */ + public HttpPostRequestDecoder(HttpDataFactory factory, HttpRequest request, Charset charset, + int maxFields, int maxBufferedBytes) throws ErrorDataDecoderException { if (factory == null) { throw new NullPointerException("factory"); } @@ -77,9 +118,9 @@ } // Fill default values if (isMultipart(request)) { - decoder = new HttpPostMultipartRequestDecoder(factory, request, charset); + decoder = new HttpPostMultipartRequestDecoder(factory, request, charset, maxFields, maxBufferedBytes); } else { - decoder = new HttpPostStandardRequestDecoder(factory, request, charset); + decoder = new HttpPostStandardRequestDecoder(factory, request, charset, maxFields, maxBufferedBytes); } } --- a/src/main/java/org/jboss/netty/handler/codec/http/multipart/HttpPostStandardRequestDecoder.java 2016-06-29 14:41:47.000000000 +0200 +++ b/src/main/java/org/jboss/netty/handler/codec/http/multipart/HttpPostStandardRequestDecoder.java 2024-07-04 12:39:27.134939191 +0200 
@@ -57,6 +57,16 @@ private final Charset charset; /** + * The maximum number of fields allows by the form + */ + private final int maxFields; + + /** + * The maximum number of accumulated bytes when decoding a field + */ + private final int maxBufferedBytes; + + /** * Does the last chunk already received */ private boolean isLastChunk; @@ -125,6 +135,21 @@ */ public HttpPostStandardRequestDecoder(HttpDataFactory factory, HttpRequest request, Charset charset) throws ErrorDataDecoderException { + this(factory, request, charset, HttpPostRequestDecoder.DEFAULT_MAX_FIELDS, HttpPostRequestDecoder.DEFAULT_MAX_BUFFERED_BYTES); + } + + /** + * + * @param factory the factory used to create InterfaceHttpData + * @param request the request to decode + * @param charset the charset to use as default + * @param maxFields the maximum number of fields the form can have, {@code -1} to disable + * @param maxBufferedBytes the maximum number of bytes the decoder can buffer when decoding a field, {@code -1} to disable + * @throws NullPointerException for request or charset or factory + * @throws ErrorDataDecoderException if the default charset was wrong when decoding or other errors + */ + public HttpPostStandardRequestDecoder(HttpDataFactory factory, HttpRequest request, + Charset charset, int maxFields, int maxBufferedBytes) throws ErrorDataDecoderException { if (factory == null) { throw new NullPointerException("factory"); } @@ -137,6 +162,8 @@ this.request = request; this.charset = charset; this.factory = factory; + this.maxFields = maxFields; + this.maxBufferedBytes = maxBufferedBytes; if (!this.request.isChunked()) { undecodedChunk = this.request.getContent(); isLastChunk = true; @@ -190,6 +217,9 @@ isLastChunk = true; } parseBody(); + if (maxBufferedBytes > 0 && undecodedChunk != null && undecodedChunk.readableBytes() > maxBufferedBytes) { + throw new ErrorDataDecoderException(); + } } public boolean hasNext() throws EndOfDataDecoderException { 
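Review bot: The context lines of the `@@ -137,6 +162,8 @@` hunk show that a non-chunked request is taken straight from `request.getContent()` inside the constructor, while the `maxBufferedBytes` check is added only in the later `@@ -190,6 +217,9 @@` hunk, apparently in the chunk-offering method whose header is outside the hunk. If the constructor goes on to call `parseBody()` directly for that branch, which is not visible here, non-chunked requests are bounded by `maxFields` only. That may be acceptable because the body is already fully in memory, but it should be stated next to the branch, e.g. `// NOTE: maxBufferedBytes is enforced on the chunked path only; a non-chunked body is already fully buffered by the caller`. HttpPostMultipartRequestDecoder has the same `isChunked()` branch in its `@@ -159,6 +186,8 @@` hunk.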
@@ -228,10 +258,13 @@ /** * Utility function to add a new decoded data */ - private void addHttpData(InterfaceHttpData data) { + private void addHttpData(InterfaceHttpData data) throws ErrorDataDecoderException { if (data == null) { return; } + if (maxFields > 0 && bodyListHttpData.size() >= maxFields) { + throw new ErrorDataDecoderException(); + } List<InterfaceHttpData> datas = bodyMapHttpData.get(data.getName()); if (datas == null) { datas = new ArrayList<InterfaceHttpData>(1);
