[Git][java-team/netty][master] 5 commits: Add CVE-2021-21290.patch
Markus Koschany
gitlab at salsa.debian.org
Sun Feb 14 23:29:39 GMT 2021
Markus Koschany pushed to branch master at Debian Java Maintainers / netty
Commits:
723bddf8 by Markus Koschany at 2021-02-12T23:26:18+01:00
Add CVE-2021-21290.patch
- - - - -
c88ccaae by Markus Koschany at 2021-02-15T00:11:43+01:00
Update patch header
- - - - -
fa483dde by Markus Koschany at 2021-02-15T00:11:56+01:00
Switch to debhelper-compat = 13.
- - - - -
e5575b05 by Markus Koschany at 2021-02-15T00:12:09+01:00
Declare compliance with Debian Policy 4.5.1.
- - - - -
06a35735 by Markus Koschany at 2021-02-15T00:20:41+01:00
Update changelog
- - - - -
4 changed files:
- debian/changelog
- debian/control
- + debian/patches/CVE-2021-21290.patch
- debian/patches/series
Changes:
=====================================
debian/changelog
=====================================
@@ -1,3 +1,20 @@
+netty (1:4.1.48-2) unstable; urgency=high
+
+ * Team upload.
+ * Fix CVE-2021-21290:
+ In Netty there is a vulnerability on Unix-like systems involving an
+ insecure temp file. When netty's multipart decoders are used local
+ information disclosure can occur via the local system temporary directory
+ if temporary storing uploads on the disk is enabled. On unix-like systems,
+ the temporary directory is shared between all user. As such, writing to
+ this directory using APIs that do not explicitly set the file/directory
+ permissions can lead to information disclosure. Thanks to Salvatore
+ Bonaccorso for the report. (Closes: #982580)
+ * Switch to debhelper-compat = 13.
+ * Declare compliance with Debian Policy 4.5.1.
+
+ -- Markus Koschany <apo at debian.org> Mon, 15 Feb 2021 00:17:55 +0100
+
netty (1:4.1.48-1) unstable; urgency=medium
* Team upload.
=====================================
debian/control
=====================================
@@ -9,7 +9,7 @@ Uploaders:
Build-Depends:
ant,
ant-contrib (>= 1.0~b3+svn177-8~),
- debhelper-compat (= 12),
+ debhelper-compat (= 13),
default-jdk,
groovy,
libbcpkix-java,
@@ -29,7 +29,7 @@ Build-Depends:
libprotobuf-java,
libxz-java,
maven-debian-helper (>= 1.5)
-Standards-Version: 4.5.0
+Standards-Version: 4.5.1
Vcs-Git: https://salsa.debian.org/java-team/netty.git
Vcs-Browser: https://salsa.debian.org/java-team/netty
Homepage: http://netty.io/
=====================================
debian/patches/CVE-2021-21290.patch
=====================================
@@ -0,0 +1,287 @@
+From: Markus Koschany <apo at debian.org>
+Date: Fri, 12 Feb 2021 23:25:46 +0100
+Subject: CVE-2021-21290
+
+Bugs-Debian: https://bugs.debian.org/982580
+Origin: https://github.com/netty/netty/commit/c735357bf29d07856ad171c6611a2e1a0e0000ec
+---
+ .../java/io/netty/buffer/AbstractByteBufTest.java | 4 ++--
+ .../netty/buffer/ReadOnlyDirectByteBufferBufTest.java | 2 +-
+ .../codec/http/multipart/AbstractDiskHttpData.java | 5 +++--
+ .../handler/codec/http/HttpChunkedInputTest.java | 3 ++-
+ .../io/netty/util/internal/NativeLibraryLoader.java | 2 +-
+ .../io/netty/util/internal/PlatformDependent.java | 19 +++++++++++++++++++
+ .../netty/handler/ssl/util/SelfSignedCertificate.java | 6 ++++--
+ .../netty/handler/stream/ChunkedWriteHandlerTest.java | 3 ++-
+ .../transport/socket/SocketFileRegionTest.java | 4 ++--
+ .../java/io/netty/channel/epoll/EpollSpliceTest.java | 3 ++-
+ .../io/netty/channel/unix/tests/UnixTestUtils.java | 3 ++-
+ .../java/io/netty/channel/DefaultFileRegionTest.java | 2 +-
+ 12 files changed, 41 insertions(+), 15 deletions(-)
+
+diff --git a/buffer/src/test/java/io/netty/buffer/AbstractByteBufTest.java b/buffer/src/test/java/io/netty/buffer/AbstractByteBufTest.java
+index a3a1347..96d6961 100644
+--- a/buffer/src/test/java/io/netty/buffer/AbstractByteBufTest.java
++++ b/buffer/src/test/java/io/netty/buffer/AbstractByteBufTest.java
+@@ -4521,7 +4521,7 @@ public abstract class AbstractByteBufTest {
+
+ @Test
+ public void testReadBytesAndWriteBytesWithFileChannel() throws IOException {
+- File file = File.createTempFile("file-channel", ".tmp");
++ File file = PlatformDependent.createTempFile("file-channel", ".tmp", null);
+ RandomAccessFile randomAccessFile = null;
+ try {
+ randomAccessFile = new RandomAccessFile(file, "rw");
+@@ -4564,7 +4564,7 @@ public abstract class AbstractByteBufTest {
+
+ @Test
+ public void testGetBytesAndSetBytesWithFileChannel() throws IOException {
+- File file = File.createTempFile("file-channel", ".tmp");
++ File file = PlatformDependent.createTempFile("file-channel", ".tmp", null);
+ RandomAccessFile randomAccessFile = null;
+ try {
+ randomAccessFile = new RandomAccessFile(file, "rw");
+diff --git a/buffer/src/test/java/io/netty/buffer/ReadOnlyDirectByteBufferBufTest.java b/buffer/src/test/java/io/netty/buffer/ReadOnlyDirectByteBufferBufTest.java
+index 1e88bda..e702e39 100644
+--- a/buffer/src/test/java/io/netty/buffer/ReadOnlyDirectByteBufferBufTest.java
++++ b/buffer/src/test/java/io/netty/buffer/ReadOnlyDirectByteBufferBufTest.java
+@@ -306,7 +306,7 @@ public class ReadOnlyDirectByteBufferBufTest {
+
+ @Test
+ public void testWrapMemoryMapped() throws Exception {
+- File file = File.createTempFile("netty-test", "tmp");
++ File file = PlatformDependent.createTempFile("netty-test", "tmp", null);
+ FileChannel output = null;
+ FileChannel input = null;
+ ByteBuf b1 = null;
+diff --git a/codec-http/src/main/java/io/netty/handler/codec/http/multipart/AbstractDiskHttpData.java b/codec-http/src/main/java/io/netty/handler/codec/http/multipart/AbstractDiskHttpData.java
+index 71357a1..36d687e 100644
+--- a/codec-http/src/main/java/io/netty/handler/codec/http/multipart/AbstractDiskHttpData.java
++++ b/codec-http/src/main/java/io/netty/handler/codec/http/multipart/AbstractDiskHttpData.java
+@@ -19,6 +19,7 @@ import io.netty.buffer.ByteBuf;
+ import io.netty.handler.codec.http.HttpConstants;
+ import io.netty.util.internal.EmptyArrays;
+ import io.netty.util.internal.ObjectUtil;
++import io.netty.util.internal.PlatformDependent;
+ import io.netty.util.internal.logging.InternalLogger;
+ import io.netty.util.internal.logging.InternalLoggerFactory;
+
+@@ -87,9 +88,9 @@ public abstract class AbstractDiskHttpData extends AbstractHttpData {
+ File tmpFile;
+ if (getBaseDirectory() == null) {
+ // create a temporary file
+- tmpFile = File.createTempFile(getPrefix(), newpostfix);
++ tmpFile = PlatformDependent.createTempFile(getPrefix(), newpostfix, null);
+ } else {
+- tmpFile = File.createTempFile(getPrefix(), newpostfix, new File(
++ tmpFile = PlatformDependent.createTempFile(getPrefix(), newpostfix, new File(
+ getBaseDirectory()));
+ }
+ if (deleteOnExit()) {
+diff --git a/codec-http/src/test/java/io/netty/handler/codec/http/HttpChunkedInputTest.java b/codec-http/src/test/java/io/netty/handler/codec/http/HttpChunkedInputTest.java
+index 002c8d0..8e75eb9 100644
+--- a/codec-http/src/test/java/io/netty/handler/codec/http/HttpChunkedInputTest.java
++++ b/codec-http/src/test/java/io/netty/handler/codec/http/HttpChunkedInputTest.java
+@@ -25,6 +25,7 @@ import io.netty.handler.stream.ChunkedNioFile;
+ import io.netty.handler.stream.ChunkedNioStream;
+ import io.netty.handler.stream.ChunkedStream;
+ import io.netty.handler.stream.ChunkedWriteHandler;
++import io.netty.util.internal.PlatformDependent;
+ import org.junit.Test;
+
+ import java.io.ByteArrayInputStream;
+@@ -46,7 +47,7 @@ public class HttpChunkedInputTest {
+
+ FileOutputStream out = null;
+ try {
+- TMP = File.createTempFile("netty-chunk-", ".tmp");
++ TMP = PlatformDependent.createTempFile("netty-chunk-", ".tmp", null);
+ TMP.deleteOnExit();
+ out = new FileOutputStream(TMP);
+ out.write(BYTES);
+diff --git a/common/src/main/java/io/netty/util/internal/NativeLibraryLoader.java b/common/src/main/java/io/netty/util/internal/NativeLibraryLoader.java
+index b059446..99e6829 100644
+--- a/common/src/main/java/io/netty/util/internal/NativeLibraryLoader.java
++++ b/common/src/main/java/io/netty/util/internal/NativeLibraryLoader.java
+@@ -182,7 +182,7 @@ public final class NativeLibraryLoader {
+ String prefix = libname.substring(0, index);
+ String suffix = libname.substring(index);
+
+- tmpFile = File.createTempFile(prefix, suffix, WORKDIR);
++ tmpFile = PlatformDependent.createTempFile(prefix, suffix, WORKDIR);
+ in = url.openStream();
+ out = new FileOutputStream(tmpFile);
+
+diff --git a/common/src/main/java/io/netty/util/internal/PlatformDependent.java b/common/src/main/java/io/netty/util/internal/PlatformDependent.java
+index 80808ed..eb0070d 100644
+--- a/common/src/main/java/io/netty/util/internal/PlatformDependent.java
++++ b/common/src/main/java/io/netty/util/internal/PlatformDependent.java
+@@ -38,6 +38,7 @@ import java.lang.reflect.Field;
+ import java.lang.reflect.Method;
+ import java.nio.ByteBuffer;
+ import java.nio.ByteOrder;
++import java.nio.file.Files;
+ import java.security.AccessController;
+ import java.security.PrivilegedAction;
+ import java.util.Arrays;
+@@ -1354,6 +1355,24 @@ public final class PlatformDependent {
+ return LINUX_OS_CLASSIFIERS;
+ }
+
++ @SuppressJava6Requirement(reason = "Guarded by version check")
++ public static File createTempFile(String prefix, String suffix, File directory) throws IOException {
++ if (javaVersion() >= 7) {
++ if (directory == null) {
++ return Files.createTempFile(prefix, suffix).toFile();
++ }
++ return Files.createTempFile(directory.toPath(), prefix, suffix).toFile();
++ }
++ if (directory == null) {
++ return File.createTempFile(prefix, suffix);
++ }
++ File file = File.createTempFile(prefix, suffix, directory);
++ // Try to adjust the perms, if this fails there is not much else we can do...
++ file.setReadable(false, false);
++ file.setReadable(true, true);
++ return file;
++ }
++
+ /**
+ * Adds only those classifier strings to <tt>dest</tt> which are present in <tt>allowed</tt>.
+ *
+diff --git a/handler/src/main/java/io/netty/handler/ssl/util/SelfSignedCertificate.java b/handler/src/main/java/io/netty/handler/ssl/util/SelfSignedCertificate.java
+index c0b8467..fff77f7 100644
+--- a/handler/src/main/java/io/netty/handler/ssl/util/SelfSignedCertificate.java
++++ b/handler/src/main/java/io/netty/handler/ssl/util/SelfSignedCertificate.java
+@@ -20,6 +20,7 @@ import io.netty.buffer.ByteBuf;
+ import io.netty.buffer.Unpooled;
+ import io.netty.handler.codec.base64.Base64;
+ import io.netty.util.CharsetUtil;
++import io.netty.util.internal.PlatformDependent;
+ import io.netty.util.internal.SystemPropertyUtil;
+ import io.netty.util.internal.ThrowableUtil;
+ import io.netty.util.internal.logging.InternalLogger;
+@@ -30,6 +31,7 @@ import java.io.FileInputStream;
+ import java.io.FileOutputStream;
+ import java.io.IOException;
+ import java.io.OutputStream;
++import java.nio.file.Files;
+ import java.security.KeyPair;
+ import java.security.KeyPairGenerator;
+ import java.security.NoSuchAlgorithmException;
+@@ -248,7 +250,7 @@ public final class SelfSignedCertificate {
+ wrappedBuf.release();
+ }
+
+- File keyFile = File.createTempFile("keyutil_" + fqdn + '_', ".key");
++ File keyFile = PlatformDependent.createTempFile("keyutil_" + fqdn + '_', ".key", null);
+ keyFile.deleteOnExit();
+
+ OutputStream keyOut = new FileOutputStream(keyFile);
+@@ -279,7 +281,7 @@ public final class SelfSignedCertificate {
+ wrappedBuf.release();
+ }
+
+- File certFile = File.createTempFile("keyutil_" + fqdn + '_', ".crt");
++ File certFile = PlatformDependent.createTempFile("keyutil_" + fqdn + '_', ".crt", null);
+ certFile.deleteOnExit();
+
+ OutputStream certOut = new FileOutputStream(certFile);
+diff --git a/handler/src/test/java/io/netty/handler/stream/ChunkedWriteHandlerTest.java b/handler/src/test/java/io/netty/handler/stream/ChunkedWriteHandlerTest.java
+index 7d08feb..2804ea2 100644
+--- a/handler/src/test/java/io/netty/handler/stream/ChunkedWriteHandlerTest.java
++++ b/handler/src/test/java/io/netty/handler/stream/ChunkedWriteHandlerTest.java
+@@ -26,6 +26,7 @@ import io.netty.channel.ChannelPromise;
+ import io.netty.channel.embedded.EmbeddedChannel;
+ import io.netty.util.CharsetUtil;
+ import io.netty.util.ReferenceCountUtil;
++import io.netty.util.internal.PlatformDependent;
+ import org.junit.Assert;
+ import org.junit.Test;
+
+@@ -55,7 +56,7 @@ public class ChunkedWriteHandlerTest {
+
+ FileOutputStream out = null;
+ try {
+- TMP = File.createTempFile("netty-chunk-", ".tmp");
++ TMP = PlatformDependent.createTempFile("netty-chunk-", ".tmp", null);
+ TMP.deleteOnExit();
+ out = new FileOutputStream(TMP);
+ out.write(BYTES);
+diff --git a/testsuite/src/main/java/io/netty/testsuite/transport/socket/SocketFileRegionTest.java b/testsuite/src/main/java/io/netty/testsuite/transport/socket/SocketFileRegionTest.java
+index ae85825..e3da436 100644
+--- a/testsuite/src/main/java/io/netty/testsuite/transport/socket/SocketFileRegionTest.java
++++ b/testsuite/src/main/java/io/netty/testsuite/transport/socket/SocketFileRegionTest.java
+@@ -101,7 +101,7 @@ public class SocketFileRegionTest extends AbstractSocketTest {
+ }
+
+ public void testFileRegionCountLargerThenFile(ServerBootstrap sb, Bootstrap cb) throws Throwable {
+- File file = File.createTempFile("netty-", ".tmp");
++ File file = PlatformDependent.createTempFile("netty-", ".tmp", null);
+ file.deleteOnExit();
+
+ final FileOutputStream out = new FileOutputStream(file);
+@@ -135,7 +135,7 @@ public class SocketFileRegionTest extends AbstractSocketTest {
+ cb.option(ChannelOption.AUTO_READ, autoRead);
+
+ final int bufferSize = 1024;
+- final File file = File.createTempFile("netty-", ".tmp");
++ final File file = PlatformDependent.createTempFile("netty-", ".tmp", null);
+ file.deleteOnExit();
+
+ final FileOutputStream out = new FileOutputStream(file);
+diff --git a/transport-native-epoll/src/test/java/io/netty/channel/epoll/EpollSpliceTest.java b/transport-native-epoll/src/test/java/io/netty/channel/epoll/EpollSpliceTest.java
+index a8d9d72..21515b5 100644
+--- a/transport-native-epoll/src/test/java/io/netty/channel/epoll/EpollSpliceTest.java
++++ b/transport-native-epoll/src/test/java/io/netty/channel/epoll/EpollSpliceTest.java
+@@ -28,6 +28,7 @@ import io.netty.channel.EventLoopGroup;
+ import io.netty.channel.SimpleChannelInboundHandler;
+ import io.netty.channel.unix.FileDescriptor;
+ import io.netty.util.NetUtil;
++import io.netty.util.internal.PlatformDependent;
+ import org.junit.Assert;
+ import org.junit.Test;
+
+@@ -192,7 +193,7 @@ public class EpollSpliceTest {
+ @Test(timeout = 10000)
+ public void spliceToFile() throws Throwable {
+ EventLoopGroup group = new EpollEventLoopGroup(1);
+- File file = File.createTempFile("netty-splice", null);
++ File file = PlatformDependent.createTempFile("netty-splice", null, null);
+ file.deleteOnExit();
+
+ SpliceHandler sh = new SpliceHandler(file);
+diff --git a/transport-native-unix-common-tests/src/main/java/io/netty/channel/unix/tests/UnixTestUtils.java b/transport-native-unix-common-tests/src/main/java/io/netty/channel/unix/tests/UnixTestUtils.java
+index e4ebcb4..6124ec1 100644
+--- a/transport-native-unix-common-tests/src/main/java/io/netty/channel/unix/tests/UnixTestUtils.java
++++ b/transport-native-unix-common-tests/src/main/java/io/netty/channel/unix/tests/UnixTestUtils.java
+@@ -17,6 +17,7 @@ package io.netty.channel.unix.tests;
+
+ import io.netty.channel.unix.DomainSocketAddress;
+ import io.netty.channel.unix.Socket;
++import io.netty.util.internal.PlatformDependent;
+
+ import java.io.File;
+ import java.io.IOException;
+@@ -26,7 +27,7 @@ public final class UnixTestUtils {
+ try {
+ File file;
+ do {
+- file = File.createTempFile("NETTY", "UDS");
++ file = PlatformDependent.createTempFile("NETTY", "UDS", null);
+ if (!file.delete()) {
+ throw new IOException("failed to delete: " + file);
+ }
+diff --git a/transport/src/test/java/io/netty/channel/DefaultFileRegionTest.java b/transport/src/test/java/io/netty/channel/DefaultFileRegionTest.java
+index e416bcc..b760909 100644
+--- a/transport/src/test/java/io/netty/channel/DefaultFileRegionTest.java
++++ b/transport/src/test/java/io/netty/channel/DefaultFileRegionTest.java
+@@ -39,7 +39,7 @@ public class DefaultFileRegionTest {
+ }
+
+ private static File newFile() throws IOException {
+- File file = File.createTempFile("netty-", ".tmp");
++ File file = PlatformDependent.createTempFile("netty-", ".tmp", null);
+ file.deleteOnExit();
+
+ final FileOutputStream out = new FileOutputStream(file);
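Review bot: In the new `PlatformDependent.createTempFile` added to PlatformDependent.java, the pre-Java-7 fallback tightens permissions only when `directory` is non-null; the `directory == null` branch returns `File.createTempFile(prefix, suffix)` untouched, so on a Java 6 runtime a file in the shared temp directory keeps the default mode, which is the very condition the CVE describes. The Java 7+ branch avoids this because `Files.createTempFile` without attributes creates owner-only files on POSIX file systems, and since the package builds with `default-jdk` the fallback is presumably dead code here, but the two legacy branches should still agree. Hoisting the `setReadable` adjustment so it runs after either `File.createTempFile` call closes the gap; the ignored `setReadable` return values are already acknowledged by the existing comment. The method is also the only public one in the hunk without Javadoc; a one-sentence summary such as `Creates a temp file readable only by its owner where the platform supports it; a null directory selects the default temp directory.` plus `@throws IOException if the file cannot be created` would match the neighbouring method's style.
```java
    @SuppressJava6Requirement(reason = "Guarded by version check")
    public static File createTempFile(String prefix, String suffix, File directory) throws IOException {
        // … unchanged: javaVersion() >= 7 branch using Files.createTempFile …
        File file = directory == null
                ? File.createTempFile(prefix, suffix)
                : File.createTempFile(prefix, suffix, directory);
        // Try to adjust the perms, if this fails there is not much else we can do...
        file.setReadable(false, false);
        file.setReadable(true, true);
        return file;
    }
```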
=====================================
debian/patches/series
=====================================
@@ -12,3 +12,4 @@
15-disable-Werror.patch
16-disable-substratevm-support.patch
17-disable-blockhound-integration.patch
+CVE-2021-21290.patch