[Git][java-team/netty][master] Add CVE-2025-58056
Bastien Roucariès (@rouca)
gitlab at salsa.debian.org
Sun Nov 9 14:52:51 GMT 2025
Bastien Roucariès pushed to branch master at Debian Java Maintainers / netty
Commits:
7cd9cf15 by Bastien Roucariès at 2025-11-09T14:50:15+01:00
Add CVE-2025-58056
- - - - -
3 changed files:
- debian/changelog
- + debian/patches/CVE-2025-58056.patch
- debian/patches/series
Changes:
=====================================
debian/changelog
=====================================
@@ -7,6 +7,14 @@ netty (1:4.1.48-11) unstable; urgency=high
that uses malformed HTTP/2 control frames in order to break
the max concurrent streams limit, which results in resource
exhaustion and distributed denial of service.
+ * Fix CVE-2025-58056 (Closes: #1113994)
+ when supplied with specially crafted input, BrotliDecoder and
+ certain other decompression decoders will allocate a large
+ number of reachable byte buffers, which can lead to
+ denial of service. BrotliDecoder.decompress has
+ no limit in how often it calls pull, decompressing
+ data 64K bytes at a time. The buffers are saved in
+ the output list, and remain reachable until OOM is hit.
* Fix CVE-2025-59419 (Closes: #1118282)
SMTP Command Injection Vulnerability Allowing Email Forgery
An SMTP Command Injection (CRLF Injection) vulnerability
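Review bot: the new changelog entry names BrotliDecoder as the affected class, but the patch added in this commit touches only zlib test classes (JZlibIntegrationTest and JdkZlibIntegrationTest), so it is unclear which decoders shipped in 1:4.1.48 are actually fixed here; the entry should describe the decoders this upload addresses so users can judge their exposure, and it could cite the upstream advisory GHSA-3p8m-j85q-pgmj that the patch header already references. Style point: the continuation line `when supplied with specially crafted input, ...` starts in lower case directly after the `Fix CVE-2025-58056 (Closes: #1113994)` line; a colon on the first line or a capitalised sentence would match the neighbouring entries.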
@@ -17,7 +25,7 @@ netty (1:4.1.48-11) unstable; urgency=high
be used to impersonate executives and forge high-stakes
corporate communications.
- -- Bastien Roucariès <rouca at debian.org> Tue, 04 Nov 2025 22:13:32 +0100
+ -- Bastien Roucariès <rouca at debian.org> Sun, 09 Nov 2025 14:50:03 +0100
netty (1:4.1.48-10) unstable; urgency=high
=====================================
debian/patches/CVE-2025-58056.patch
=====================================
@@ -0,0 +1,111 @@
+From: Norman Maurer <norman_maurer at apple.com>
+Date: Wed, 3 Sep 2025 10:35:05 +0200
+Subject: Merge commit from fork (#15612)
+
+Motivation:
+
+We should ensure our decompressing decoders will fire their buffers
+through the pipeliner as fast as possible and so allow the user to take
+ownership of these as fast as possible. This is needed to reduce the
+risk of OOME as otherwise a small input might produce a large amount of
+data that can't be processed until all the data was decompressed in a
+loop. Beside this we also should ensure that other handlers that uses
+these decompressors will not buffer all of the produced data before
+processing it, which was true for HTTP and HTTP2.
+
+Modifications:
+
+- Adjust affected decoders (Brotli, Zstd and ZLib) to fire buffers
+ through the pipeline as soon as possible
+- Adjust HTTP / HTTP2 decompressors to do the same
+- Add testcase.
+
+Result:
+
+Less risk of OOME when doing decompressing
+
+Co-authored-by: yawkat <jonas.konrad at oracle.com>
+origin: backport, https://github.com/netty/netty/commit/39d3ecf8f0c57a7469ba927b2163d4cb4314b138
+bug: https://github.com/netty/netty/security/advisories/GHSA-3p8m-j85q-pgmj
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1113994
+---
+ .../codec/compression/JZlibIntegrationTest.java | 31 ++++++++++++++++++++++
+ .../codec/compression/JdkZlibIntegrationTest.java | 31 ++++++++++++++++++++++
+ 2 files changed, 62 insertions(+)
+ create mode 100644 codec/src/test/java/io/netty/handler/codec/compression/JZlibIntegrationTest.java
+ create mode 100644 codec/src/test/java/io/netty/handler/codec/compression/JdkZlibIntegrationTest.java
+
+diff --git a/codec/src/test/java/io/netty/handler/codec/compression/JZlibIntegrationTest.java b/codec/src/test/java/io/netty/handler/codec/compression/JZlibIntegrationTest.java
+new file mode 100644
+index 0000000..252f134
+--- /dev/null
++++ b/codec/src/test/java/io/netty/handler/codec/compression/JZlibIntegrationTest.java
+@@ -0,0 +1,31 @@
++/*
++ * Copyright 2014 The Netty Project
++ *
++ * The Netty Project licenses this file to you under the Apache License,
++ * version 2.0 (the "License"); you may not use this file except in compliance
++ * with the License. You may obtain a copy of the License at:
++ *
++ * https://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
++ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
++ * License for the specific language governing permissions and limitations
++ * under the License.
++ */
++package io.netty.handler.codec.compression;
++
++import io.netty.channel.embedded.EmbeddedChannel;
++
++public class JZlibIntegrationTest extends AbstractIntegrationTest {
++
++ @Override
++ protected EmbeddedChannel createEncoder() {
++ return new EmbeddedChannel(new JZlibEncoder());
++ }
++
++ @Override
++ protected EmbeddedChannel createDecoder() {
++ return new EmbeddedChannel(new JZlibDecoder(0));
++ }
++}
+diff --git a/codec/src/test/java/io/netty/handler/codec/compression/JdkZlibIntegrationTest.java b/codec/src/test/java/io/netty/handler/codec/compression/JdkZlibIntegrationTest.java
+new file mode 100644
+index 0000000..6dca41d
+--- /dev/null
++++ b/codec/src/test/java/io/netty/handler/codec/compression/JdkZlibIntegrationTest.java
+@@ -0,0 +1,31 @@
++/*
++ * Copyright 2014 The Netty Project
++ *
++ * The Netty Project licenses this file to you under the Apache License,
++ * version 2.0 (the "License"); you may not use this file except in compliance
++ * with the License. You may obtain a copy of the License at:
++ *
++ * https://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
++ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
++ * License for the specific language governing permissions and limitations
++ * under the License.
++ */
++package io.netty.handler.codec.compression;
++
++import io.netty.channel.embedded.EmbeddedChannel;
++
++public class JdkZlibIntegrationTest extends AbstractIntegrationTest {
++
++ @Override
++ protected EmbeddedChannel createEncoder() {
++ return new EmbeddedChannel(new JdkZlibEncoder());
++ }
++
++ @Override
++ protected EmbeddedChannel createDecoder() {
++ return new EmbeddedChannel(new JdkZlibDecoder(0));
++ }
++}
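Review bot: the diffstat at the head of this patch (`2 files changed, 62 insertions(+)`, both files under `codec/src/test/...`) shows that only two new test classes are added; none of the changes the description promises, namely the Brotli, Zstd and ZLib decoders firing buffers through the pipeline as soon as possible and the matching HTTP/HTTP2 decompressor changes, appear anywhere in the hunk. As committed, the patch therefore adds tests but no fix, while the changelog entry claims CVE-2025-58056 is fixed. Either the decoder changes were dropped when backporting upstream commit 39d3ecf8f0c57a7469ba927b2163d4cb4314b138 or they live in a separate patch; confirm which, and in the latter case name that patch in the header. Both new tests also extend `AbstractIntegrationTest` and construct `JZlibDecoder(0)` / `JdkZlibDecoder(0)`; check that this base class and these constructors exist in the 1:4.1.48 tree, otherwise the test sources will not compile.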
=====================================
debian/patches/series
=====================================
@@ -29,3 +29,4 @@ CVE-2025-59419
CVE-2025-55163_before-1.patch
CVE-2025-55163_1.patch
CVE-2025-55163_2.patch
+CVE-2025-58056.patch
View it on GitLab: https://salsa.debian.org/java-team/netty/-/commit/7cd9cf15953a64867e77fff741284768dc77a663