Bug#1010693: netty: CVE-2022-24823

[Salvatore Bonaccorso]

Source: netty
Version: 1:4.1.48-4
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>

Hi,

The following vulnerability was published for netty.

CVE-2022-24823[0]:
| Netty is an open-source, asynchronous event-driven network application
| framework. The package `io.netty:netty-codec-http` prior to version
| 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When
| Netty's multipart decoders are used local information disclosure can
| occur via the local system temporary directory if temporary storing
| uploads on the disk is enabled. This only impacts applications running
| on Java version 6 and lower. Additionally, this vulnerability impacts
| code running on Unix-like systems, and very old versions of Mac OSX
| and Windows as they all share the system temporary directory between
| all users. Version 4.1.77.Final contains a patch for this
| vulnerability. As a workaround, specify one's own `java.io.tmpdir`
| when starting the JVM or use DefaultHttpDataFactory.setBaseDir(...) to
| set the directory to something that is only readable by the current
| user.

Note as far I understand the insufficient fix impacts only netty in
combination with Java versions 6 and lower, so not of practical impact
for the supported suites. That said, there is likely not action to be
taken directly for the versions in Debian, and just can be closed once
the commit [2] lands in the version.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-24823
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24823
[1] https://github.com/netty/netty/security/advisories/GHSA-269q-hmxg-m83q
[2] https://github.com/netty/netty/commit/185f8b2756a36aaa4f973f1a2a025e7d981823f1

Regards,
Salvatore