[Git][java-team/netty][master] CVE-2025-59419
Bastien Roucariès (@rouca)
gitlab at salsa.debian.org
Tue Nov 4 21:14:04 GMT 2025
Bastien Roucariès pushed to branch master at Debian Java Maintainers / netty
Commits:
21bb611b by Bastien Roucariès at 2025-11-04T22:13:41+01:00
CVE-2025-59419
- - - - -
3 changed files:
- debian/changelog
- + debian/patches/CVE-2025-59419
- debian/patches/series
Changes:
=====================================
debian/changelog
=====================================
@@ -1,3 +1,18 @@
+netty (1:4.1.48-11) unstable; urgency=high
+
+ * Team upload
+ * Fix CVE-2025-59419 (Closes: #1118282)
+ SMTP Command Injection Vulnerability Allowing Email Forgery
+ An SMTP Command Injection (CRLF Injection) vulnerability
+ in Netty's SMTP codec allows a remote attacker who can control
+ SMTP command parameters (e.g., an email recipient)
+ to forge arbitrary emails from the trusted server.
+ This bypasses standard email authentication and can
+ be used to impersonate executives and forge high-stakes
+ corporate communications.
+
+ -- Bastien Roucariès <rouca at debian.org> Tue, 04 Nov 2025 22:13:32 +0100
+
netty (1:4.1.48-10) unstable; urgency=high
* Team upload.
=====================================
debian/patches/CVE-2025-59419
=====================================
@@ -0,0 +1,187 @@
+From: DepthFirst Disclosures <disclosures at depthfirst.com>
+Date: Tue, 14 Oct 2025 01:41:47 -0700
+Subject: CVE-2025-59419: Merge commit from fork
+
+* Patch 1 of 3
+
+* Patch 2 of 3
+
+* Patch 3 of 3
+
+* Fix indentation style
+
+* Update 2025
+
+* Optimize allocations
+
+* Update codec-smtp/src/main/java/io/netty/handler/codec/smtp/SmtpUtils.java
+
+Co-authored-by: Chris Vest <christianvest_hansen at apple.com>
+
+---------
+
+Co-authored-by: Norman Maurer <norman_maurer at apple.com>
+Co-authored-by: Chris Vest <christianvest_hansen at apple.com>
+origin: https://github.com/netty/netty/commit/2b3fddd3339cde1601f622b9ce5e54c39f24c3f9
+bug: https://github.com/netty/netty/security/advisories/GHSA-jq43-27x9-3v86
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1118282
+---
+ .../handler/codec/smtp/DefaultSmtpRequest.java | 2 +
+ .../io/netty/handler/codec/smtp/SmtpUtils.java | 44 +++++++++++++
+ .../netty/handler/codec/smtp/SmtpRequestsTest.java | 73 ++++++++++++++++++++++
+ 3 files changed, 119 insertions(+)
+ create mode 100644 codec-smtp/src/test/java/io/netty/handler/codec/smtp/SmtpRequestsTest.java
+
+diff --git a/codec-smtp/src/main/java/io/netty/handler/codec/smtp/DefaultSmtpRequest.java b/codec-smtp/src/main/java/io/netty/handler/codec/smtp/DefaultSmtpRequest.java
+index 8f4d697..ae6acb4 100644
+--- a/codec-smtp/src/main/java/io/netty/handler/codec/smtp/DefaultSmtpRequest.java
++++ b/codec-smtp/src/main/java/io/netty/handler/codec/smtp/DefaultSmtpRequest.java
+@@ -43,6 +43,7 @@ public final class DefaultSmtpRequest implements SmtpRequest {
+ */
+ public DefaultSmtpRequest(SmtpCommand command, CharSequence... parameters) {
+ this.command = ObjectUtil.checkNotNull(command, "command");
++ SmtpUtils.validateSMTPParameters(parameters);
+ this.parameters = SmtpUtils.toUnmodifiableList(parameters);
+ }
+
+@@ -55,6 +56,7 @@ public final class DefaultSmtpRequest implements SmtpRequest {
+
+ DefaultSmtpRequest(SmtpCommand command, List<CharSequence> parameters) {
+ this.command = ObjectUtil.checkNotNull(command, "command");
++ SmtpUtils.validateSMTPParameters(parameters);
+ this.parameters = parameters != null ?
+ Collections.unmodifiableList(parameters) : Collections.<CharSequence>emptyList();
+ }
+diff --git a/codec-smtp/src/main/java/io/netty/handler/codec/smtp/SmtpUtils.java b/codec-smtp/src/main/java/io/netty/handler/codec/smtp/SmtpUtils.java
+index a2b84ea..6b84dc1 100644
+--- a/codec-smtp/src/main/java/io/netty/handler/codec/smtp/SmtpUtils.java
++++ b/codec-smtp/src/main/java/io/netty/handler/codec/smtp/SmtpUtils.java
+@@ -28,5 +28,49 @@ final class SmtpUtils {
+ return Collections.unmodifiableList(Arrays.asList(sequences));
+ }
+
++ /**
++ * Validates SMTP parameters to prevent SMTP command injection.
++ * Throws IllegalArgumentException if any parameter contains CRLF sequences.
++ */
++ static void validateSMTPParameters(CharSequence... parameters) {
++ if (parameters != null) {
++ for (CharSequence parameter : parameters) {
++ if (parameter != null) {
++ validateSMTPParameter(parameter);
++ }
++ }
++ }
++ }
++
++ /**
++ * Validates SMTP parameters to prevent SMTP command injection.
++ * Throws IllegalArgumentException if any parameter contains CRLF sequences.
++ */
++ static void validateSMTPParameters(List<CharSequence> parameters) {
++ if (parameters != null) {
++ for (CharSequence parameter : parameters) {
++ if (parameter != null) {
++ validateSMTPParameter(parameter);
++ }
++ }
++ }
++ }
++
++ private static void validateSMTPParameter(CharSequence parameter) {
++ if (parameter instanceof String) {
++ String paramStr = (String) parameter;
++ if (paramStr.indexOf('\r') != -1 || paramStr.indexOf('\n') != -1) {
++ throw new IllegalArgumentException("SMTP parameter contains CRLF characters: " + parameter);
++ }
++ } else {
++ for (int i = 0; i < parameter.length(); i++) {
++ char c = parameter.charAt(i);
++ if (c == '\r' || c == '\n') {
++ throw new IllegalArgumentException("SMTP parameter contains CRLF characters: " + parameter);
++ }
++ }
++ }
++ }
++
+ private SmtpUtils() { }
+ }
+diff --git a/codec-smtp/src/test/java/io/netty/handler/codec/smtp/SmtpRequestsTest.java b/codec-smtp/src/test/java/io/netty/handler/codec/smtp/SmtpRequestsTest.java
+new file mode 100644
+index 0000000..f7b5b6a
+--- /dev/null
++++ b/codec-smtp/src/test/java/io/netty/handler/codec/smtp/SmtpRequestsTest.java
+@@ -0,0 +1,73 @@
++/*
++ * Copyright 2025 The Netty Project
++ *
++ * The Netty Project licenses this file to you under the Apache License,
++ * version 2.0 (the "License"); you may not use this file except in compliance
++ * with the License. You may obtain a copy of the License at:
++ *
++ * https://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
++ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
++ * License for the specific language governing permissions and limitations
++ * under the License.
++ */
++package io.netty.handler.codec.smtp;
++
++import org.junit.jupiter.api.Test;
++import org.junit.jupiter.api.function.Executable;
++
++import static org.junit.jupiter.api.Assertions.assertThrows;
++
++public class SmtpRequestsTest {
++ @Test
++ public void testSmtpInjectionWithCarriageReturn() {
++ assertThrows(IllegalArgumentException.class, new Executable() {
++ @Override
++ public void execute() {
++ SmtpRequests.mail("test at example.com\rQUIT");
++ }
++ });
++ }
++
++ @Test
++ public void testSmtpInjectionWithLineFeed() {
++ assertThrows(IllegalArgumentException.class, new Executable() {
++ @Override
++ public void execute() {
++ SmtpRequests.mail("test at example.com\nQUIT");
++ }
++ });
++ }
++
++ @Test
++ public void testSmtpInjectionWithCRLF() {
++ assertThrows(IllegalArgumentException.class, new Executable() {
++ @Override
++ public void execute() {
++ SmtpRequests.rcpt("test at example.com\r\nQUIT");
++ }
++ });
++ }
++
++ @Test
++ public void testSmtpInjectionInAuthParameter() {
++ assertThrows(IllegalArgumentException.class, new Executable() {
++ @Override
++ public void execute() {
++ SmtpRequests.auth("PLAIN", "dGVzdA\rQUIT");
++ }
++ });
++ }
++
++ @Test
++ public void testSmtpInjectionInHelo() {
++ assertThrows(IllegalArgumentException.class, new Executable() {
++ @Override
++ public void execute() {
++ SmtpRequests.helo("localhost\r\nQUIT");
++ }
++ });
++ }
++}
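Review bot: The list-taking DefaultSmtpRequest constructor in the second hunk of the embedded patch runs `SmtpUtils.validateSMTPParameters(parameters)` and then stores `Collections.unmodifiableList(parameters)`, which is only a view over the caller's list, so a caller that keeps its reference can append a CR/LF-bearing element after construction and the check never runs again; storing a snapshot, `Collections.unmodifiableList(new ArrayList<CharSequence>(parameters))` (with a `java.util.ArrayList` import if the file lacks one), makes the validation hold for the object's lifetime. The varargs constructor has the same shape, since `toUnmodifiableList` wraps `Arrays.asList(sequences)` and therefore aliases the caller's array. Separately, both `IllegalArgumentException` messages in `validateSMTPParameter` append the full parameter value, which for AUTH is credential material (the `auth("PLAIN", ...)` test exercises exactly that), so a message naming the offending position instead of the value, `"SMTP parameter contains CR or LF at index " + i`, keeps secrets out of logs. The Javadoc on both `validateSMTPParameters` overloads would also be clearer with a `@throws IllegalArgumentException if any parameter contains CR or LF` tag in place of the prose sentence. Whether any other code path builds an SmtpRequest without going through these constructors cannot be told from this patch.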
=====================================
debian/patches/series
=====================================
@@ -25,3 +25,4 @@ CVE-2023-34462.patch
CVE-2023-44487.patch
22-java-21.patch
CVE-2024-29025.patch
+CVE-2025-59419