diff --git a/CVE-2024-29025.patch b/CVE-2024-29025.patch
new file mode 100644
index 0000000000000000000000000000000000000000..10ce4fc12bf4f1590710b8839a09e3ca409effd1
--- /dev/null
+++ b/CVE-2024-29025.patch
@@ -0,0 +1,230 @@ +Origin: https://build.opensuse.org/projects/openSUSE:Factory/packages/netty3/files/netty3-CVE-2024-29025.patch + +--- a/src/main/java/org/jboss/netty/handler/codec/http/multipart/HttpPostMultipartRequestDecoder.java 2016-06-29 14:41:47.000000000 +0200 ++++ b/src/main/java/org/jboss/netty/handler/codec/http/multipart/HttpPostMultipartRequestDecoder.java 2024-07-04 12:42:30.682137342 +0200 +@@ -53,6 +53,16 @@ + private final HttpRequest request; + + /** ++ * The maximum number of fields allows by the form ++ */ ++ private final int maxFields; ++ ++ /** ++ * The maximum number of accumulated bytes when decoding a field ++ */ ++ private final int maxBufferedBytes; ++ ++ /** + * Default charset to use + */ + private Charset charset; +@@ -147,6 +157,23 @@ + */ + public HttpPostMultipartRequestDecoder(HttpDataFactory factory, HttpRequest request, + Charset charset) throws ErrorDataDecoderException { ++ this(factory, request, charset, HttpPostRequestDecoder.DEFAULT_MAX_FIELDS, HttpPostRequestDecoder.DEFAULT_MAX_BUFFERED_BYTES); ++ } ++ ++ /** ++ * ++ * @param factory the factory used to create InterfaceHttpData ++ * @param request the request to decode ++ * @param charset the charset to use as default ++ * @param maxFields ++ * the maximum number of fields the form can have, {@code -1} to disable ++ * @param maxBufferedBytes ++ * the maximum number of bytes the decoder can buffer when decoding a field, {@code -1} to disable ++ * @throws NullPointerException for request or charset or factory ++ * @throws ErrorDataDecoderException if the default charset was wrong when decoding or other errors ++ */ ++ public HttpPostMultipartRequestDecoder(HttpDataFactory factory, HttpRequest request, ++ Charset charset, int maxFields, int maxBufferedBytes) throws ErrorDataDecoderException { + if (factory == null) { + throw new NullPointerException("factory"); + } +@@ -159,6 +186,8 @@ + this.request = request; + this.charset = charset; + this.factory = factory; ++ 
this.maxFields = maxFields; ++ this.maxBufferedBytes = maxBufferedBytes; + // Fill default values + setMultipart(this.request.headers().get(HttpHeaders.Names.CONTENT_TYPE)); + if (!this.request.isChunked()) { +@@ -230,6 +259,9 @@ + isLastChunk = true; + } + parseBody(); ++ if (maxBufferedBytes > 0 && undecodedChunk != null && undecodedChunk.readableBytes() > maxBufferedBytes) { ++ throw new ErrorDataDecoderException(); ++ } + } + + public boolean hasNext() throws EndOfDataDecoderException { +@@ -268,10 +300,13 @@ + /** + * Utility function to add a new decoded data + */ +- private void addHttpData(InterfaceHttpData data) { ++ private void addHttpData(InterfaceHttpData data) throws ErrorDataDecoderException { + if (data == null) { + return; + } ++ if (maxFields > 0 && bodyListHttpData.size() >= maxFields) { ++ throw new ErrorDataDecoderException(); ++ } + List datas = bodyMapHttpData.get(data.getName()); + if (datas == null) { + datas = new ArrayList(1); +--- a/src/main/java/org/jboss/netty/handler/codec/http/multipart/HttpPostRequestDecoder.java 2016-06-29 14:41:47.000000000 +0200 ++++ b/src/main/java/org/jboss/netty/handler/codec/http/multipart/HttpPostRequestDecoder.java 2024-07-04 12:27:23.372964684 +0200 +@@ -28,6 +28,11 @@ + * This decoder will decode Body and can handle POST BODY (both multipart and standard). 
+ */ + public class HttpPostRequestDecoder implements InterfaceHttpPostRequestDecoder { ++ ++ static final int DEFAULT_MAX_FIELDS = 128; ++ ++ static final int DEFAULT_MAX_BUFFERED_BYTES = 1024; ++ + /** + * Does this request is a Multipart request + */ +@@ -58,6 +63,25 @@ + + /** + * ++ * @param request ++ * the request to decode ++ * @param maxFields ++ * the maximum number of fields the form can have, {@code -1} to disable ++ * @param maxBufferedBytes ++ * the maximum number of bytes the decoder can buffer when decoding a field, {@code -1} to disable ++ * @throws NullPointerException ++ * for request ++ * @throws ErrorDataDecoderException ++ * if the default charset was wrong when decoding or other ++ * errors ++ */ ++ public HttpPostRequestDecoder(HttpRequest request, int maxFields, int maxBufferedBytes) throws ErrorDataDecoderException { ++ this(new DefaultHttpDataFactory(DefaultHttpDataFactory.MINSIZE), request, HttpConstants.DEFAULT_CHARSET, ++ maxFields, maxBufferedBytes); ++ } ++ ++ /** ++ * + * @param factory the factory used to create InterfaceHttpData + * @param request the request to decode + * @param charset the charset to use as default +@@ -66,6 +90,23 @@ + */ + public HttpPostRequestDecoder(HttpDataFactory factory, HttpRequest request, + Charset charset) throws ErrorDataDecoderException { ++ this(factory, request, charset, HttpPostRequestDecoder.DEFAULT_MAX_FIELDS, ++ HttpPostRequestDecoder.DEFAULT_MAX_BUFFERED_BYTES); ++ } ++ ++ /** ++ * ++ * @param factory the factory used to create InterfaceHttpData ++ * @param request the request to decode ++ * @param charset the charset to use as default ++ * @param maxFields the maximum number of fields the form can have, {@code -1} to disable ++ * @param maxBufferedBytes ++ * the maximum number of bytes the decoder can buffer when decoding a field, {@code -1} to disable ++ * @throws NullPointerException for request or charset or factory ++ * @throws ErrorDataDecoderException if the default charset was wrong 
when decoding or other errors ++ */ ++ public HttpPostRequestDecoder(HttpDataFactory factory, HttpRequest request, Charset charset, ++ int maxFields, int maxBufferedBytes) throws ErrorDataDecoderException { + if (factory == null) { + throw new NullPointerException("factory"); + } +@@ -77,9 +118,9 @@ + } + // Fill default values + if (isMultipart(request)) { +- decoder = new HttpPostMultipartRequestDecoder(factory, request, charset); ++ decoder = new HttpPostMultipartRequestDecoder(factory, request, charset, maxFields, maxBufferedBytes); + } else { +- decoder = new HttpPostStandardRequestDecoder(factory, request, charset); ++ decoder = new HttpPostStandardRequestDecoder(factory, request, charset, maxFields, maxBufferedBytes); + } + } + +--- a/src/main/java/org/jboss/netty/handler/codec/http/multipart/HttpPostStandardRequestDecoder.java 2016-06-29 14:41:47.000000000 +0200 ++++ b/src/main/java/org/jboss/netty/handler/codec/http/multipart/HttpPostStandardRequestDecoder.java 2024-07-04 12:39:27.134939191 +0200 +@@ -57,6 +57,16 @@ + private final Charset charset; + + /** ++ * The maximum number of fields allows by the form ++ */ ++ private final int maxFields; ++ ++ /** ++ * The maximum number of accumulated bytes when decoding a field ++ */ ++ private final int maxBufferedBytes; ++ ++ /** + * Does the last chunk already received + */ + private boolean isLastChunk; +@@ -125,6 +135,21 @@ + */ + public HttpPostStandardRequestDecoder(HttpDataFactory factory, HttpRequest request, + Charset charset) throws ErrorDataDecoderException { ++ this(factory, request, charset, HttpPostRequestDecoder.DEFAULT_MAX_FIELDS, HttpPostRequestDecoder.DEFAULT_MAX_BUFFERED_BYTES); ++ } ++ ++ /** ++ * ++ * @param factory the factory used to create InterfaceHttpData ++ * @param request the request to decode ++ * @param charset the charset to use as default ++ * @param maxFields the maximum number of fields the form can have, {@code -1} to disable ++ * @param maxBufferedBytes the maximum number of 
bytes the decoder can buffer when decoding a field, {@code -1} to disable ++ * @throws NullPointerException for request or charset or factory ++ * @throws ErrorDataDecoderException if the default charset was wrong when decoding or other errors ++ */ ++ public HttpPostStandardRequestDecoder(HttpDataFactory factory, HttpRequest request, ++ Charset charset, int maxFields, int maxBufferedBytes) throws ErrorDataDecoderException { + if (factory == null) { + throw new NullPointerException("factory"); + } +@@ -137,6 +162,8 @@ + this.request = request; + this.charset = charset; + this.factory = factory; ++ this.maxFields = maxFields; ++ this.maxBufferedBytes = maxBufferedBytes; + if (!this.request.isChunked()) { + undecodedChunk = this.request.getContent(); + isLastChunk = true; +@@ -190,6 +217,9 @@ + isLastChunk = true; + } + parseBody(); ++ if (maxBufferedBytes > 0 && undecodedChunk != null && undecodedChunk.readableBytes() > maxBufferedBytes) { ++ throw new ErrorDataDecoderException(); ++ } + } + + public boolean hasNext() throws EndOfDataDecoderException { +@@ -228,10 +258,13 @@ + /** + * Utility function to add a new decoded data + */ +- private void addHttpData(InterfaceHttpData data) { ++ private void addHttpData(InterfaceHttpData data) throws ErrorDataDecoderException { + if (data == null) { + return; + } ++ if (maxFields > 0 && bodyListHttpData.size() >= maxFields) { ++ throw new ErrorDataDecoderException(); ++ } + List datas = bodyMapHttpData.get(data.getName()); + if (datas == null) { + datas = new ArrayList(1); diff --git a/netty3.spec b/netty3.spec index 70fc8a6a254b9eded18db7653e63a713374cc7f6..eb931f55eb82e83a9b187e747cd6d855a897cb5f 100644 --- a/netty3.spec +++ b/netty3.spec @@ -5,7 +5,7 @@ Name: netty3 Version: 3.10.6 -Release: 8 +Release: 9 Summary: An asynchronous event-driven network application framework and tools for Java License: ASL 2.0 and BSD and CC0 URL: http://netty.io/ 
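Review bot: All four new limit checks (the `maxBufferedBytes` test after `parseBody()` in `offer()` and the `maxFields` test in `addHttpData()`, in both HttpPostMultipartRequestDecoder and HttpPostStandardRequestDecoder of the nested patch) throw a bare `new ErrorDataDecoderException()`, so a form rejected for exceeding a limit is indistinguishable for callers and in logs from any other malformed-body error, which makes the new protection hard to monitor or tune; give each site a message, e.g. `throw new ErrorDataDecoderException("Too many form fields: limit " + maxFields);` and `throw new ErrorDataDecoderException("Form field too long: more than " + maxBufferedBytes + " bytes buffered");`. The Javadoc on every new constructor says `{@code -1} to disable`, but both checks are written as `maxFields > 0` / `maxBufferedBytes > 0`, so passing `0` also disables the limit silently rather than meaning "no fields allowed"; either document "a non-positive value disables" or reject `0` in the constructors. The buffered-bytes check runs only in `offer()`; the constructor path for non-chunked requests, which assigns `undecodedChunk = this.request.getContent()` and parses at construction, gets no equivalent check, which is presumably acceptable because the aggregated content length is bounded upstream, but that assumption is worth stating in a comment. The new field comment `The maximum number of fields allows by the form` should read `allowed`. The bodies of `offer()` and `addHttpData()` extend outside the hunks shown.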
@@ -17,6 +17,8 @@ Patch2: CVE-2019-16869.patch Patch3: CVE-2019-20444.patch Patch4: CVE-2019-20445-1.patch Patch5: CVE-2019-20445-2.patch +# Origin: https://build.opensuse.org/projects/openSUSE:Factory/packages/netty3/files/netty3-CVE-2024-29025.patch +Patch6: CVE-2024-29025.patch BuildRequires: maven-local BuildRequires: mvn(org.sonatype.oss:oss-parent:pom:) @@ -119,6 +121,9 @@ rm -v %{netty_handler_dir}/ssl/JettyNpnSslEngine.java %changelog +* Tue Nov 12 2024 yaoxin - 3.10.6-9 +- Fix CVE-2024-29025 + * Wed Aug 28 2024 wangkai <13474090681@163.com> - 3.10.6-8 - Fix CVE-2019-16869,CVE-2019-20444,CVE-2019-20445