
CVE CVE-2022-41915: Incorrect range. Releases < 4.1.83.Final not affected #13084

Closed
sergiitk opened this issue Dec 27, 2022 · 1 comment

Comments

@sergiitk
Contributor

sergiitk commented Dec 27, 2022

Advisory: GHSA-hh82-3pmq-7frp
CVE: https://nvd.nist.gov/vuln/detail/CVE-2022-41915
The fix: fe18adf

I suspect this to be a regression introduced in #12760.

Steps to reproduce

Test patch: netty-cve-2022-41915-test.patch

Confirming 4.1.83 is affected:

❯ git restore .
❯ git checkout tags/netty-4.1.83.Final
❯ mvn -Dtest=DefaultHttpHeaders* test -f codec-http/pom.xml
...
[INFO] Tests run: 22, Failures: 0, Errors: 0, Skipped: 0
[INFO] BUILD SUCCESS

# Applying the patch:
❯ curl -sL https://github.com/netty/netty/files/10311197/netty-cve-2022-41915-test.patch | git apply -C1 -
❯ git status -s
 M codec-http/src/test/java/io/netty/handler/codec/http/DefaultHttpHeadersTest.java
❯ mvn -Dtest=DefaultHttpHeaders* test -f codec-http/pom.xml
# ...
[ERROR] Failures:
[ERROR]   DefaultHttpHeadersTest.setIterableValidatesValue:253 Expected java.lang.IllegalArgumentException to be thrown, but nothing was thrown.
[INFO]
[ERROR] Tests run: 24, Failures: 1, Errors: 0, Skipped: 0

Confirming 4.1.82 is not affected:

❯ git checkout tags/netty-4.1.82.Final
❯ mvn -Dtest=DefaultHttpHeaders* test -f codec-http/pom.xml
...
[INFO] Tests run: 22, Failures: 0, Errors: 0, Skipped: 0
[INFO] BUILD SUCCESS

# Applying the patch:
❯ curl -sL https://github.com/netty/netty/files/10311197/netty-cve-2022-41915-test.patch | git apply - 
❯ git status -s
 M codec-http/src/test/java/io/netty/handler/codec/http/DefaultHttpHeadersTest.java
❯ mvn -Dtest=DefaultHttpHeaders* test -f codec-http/pom.xml
# ...
[INFO] Tests run: 24, Failures: 0, Errors: 0, Skipped: 0
[INFO] BUILD SUCCESS

Also confirmed 4.1.79 is not affected.

EDIT: uploaded correct patch
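For readers who want to see what the `setIterableValidatesValue` test above is checking, here is an added illustration in plain Java. It is not Netty's code and not part of the issue or the linked patch. It assumes the characters a header value must never contain are CR, LF and NUL (the RFC 7230 field-value grammar); Netty's own validator is separate code and may differ in detail. The `Headers` class, its `validateValues` flag and the sample values are constructed for this example only.

```java
// Added illustration (not Netty's code): a header container that validates each
// value of an Iterable before storing it, next to one that stores them unchecked.
// Rejected characters (CR, LF, NUL) follow RFC 7230's field-value grammar; this is
// an assumption about what a validator should enforce, not Netty's exact rule set.
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class HeaderValueValidationDemo {

    /** Rejects characters that would let a value break out of its own header line. */
    static void validateHeaderValue(CharSequence value) {
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c == '\r' || c == '\n' || c == '\0') {
                throw new IllegalArgumentException(
                        "illegal character 0x" + Integer.toHexString(c)
                                + " in header value at index " + i);
            }
        }
    }

    /** Minimal header map; validateValues models the difference between the two code paths. */
    static final class Headers {
        private final Map<String, List<String>> map = new LinkedHashMap<>();
        private final boolean validateValues;

        Headers(boolean validateValues) {
            this.validateValues = validateValues;
        }

        /** Single-value set: validated in both variants. */
        Headers set(String name, String value) {
            validateHeaderValue(value);
            List<String> single = new ArrayList<>();
            single.add(value);
            map.put(name, single);
            return this;
        }

        /** Iterable set: the unchecked variant skips validation, the checked one does not. */
        Headers set(String name, Iterable<?> values) {
            List<String> converted = new ArrayList<>();
            for (Object v : values) {
                String s = String.valueOf(v);
                if (validateValues) {
                    validateHeaderValue(s);
                }
                converted.add(s);
            }
            map.put(name, converted);
            return this;
        }

        /** Serialises the headers as they would appear on the wire. */
        String toWire() {
            StringBuilder sb = new StringBuilder();
            for (Map.Entry<String, List<String>> e : map.entrySet()) {
                for (String v : e.getValue()) {
                    sb.append(e.getKey()).append(": ").append(v).append("\r\n");
                }
            }
            return sb.toString();
        }
    }

    public static void main(String[] args) {
        // Constructed sample input: one benign value and one that contains a line break.
        List<String> values = Arrays.asList("no-cache", "x\r\nX-Constructed-Example: 1");

        Headers unchecked = new Headers(false);
        unchecked.set("Cache-Control", values);
        // The second value is emitted verbatim, so the wire form gains an extra header line.
        System.out.println("Unchecked wire form:\n" + unchecked.toWire());

        Headers checked = new Headers(true);
        try {
            checked.set("Cache-Control", values);
            System.out.println("Unexpected: value accepted");
        } catch (IllegalArgumentException e) {
            // This is the IllegalArgumentException the test patch expects from the iterable setter.
            System.out.println("Checked variant rejected the value: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac HeaderValueValidationDemo.java && java HeaderValueValidationDemo`. The point of the contrast is that a single-value setter and an iterable setter must apply the same validation; a test that only exercises the single-value path would not have caught the regression this issue describes.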

@normanmaurer
Member

I think I fixed it.
