Closed
Description
Advisory: GHSA-hh82-3pmq-7frp
CVE: https://nvd.nist.gov/vuln/detail/CVE-2022-41915
The fix: fe18adf
I suspect this to be a regression introduced in #12760.
Steps to reproduce
Test patch: netty-cve-2022-41915-test.patch
Confirming 4.1.83 is affected:
❯ git restore .
❯ git checkout tags/netty-4.1.83.Final
❯ mvn -Dtest=DefaultHttpHeaders* test -f codec-http/pom.xml
...
[INFO] Tests run: 22, Failures: 0, Errors: 0, Skipped: 0
[INFO] BUILD SUCCESS
# Applying the patch:
❯ curl -sL https://github.com/netty/netty/files/10311197/netty-cve-2022-41915-test.patch | git apply -C1 -
❯ git status -s
M codec-http/src/test/java/io/netty/handler/codec/http/DefaultHttpHeadersTest.java
❯ mvn -Dtest=DefaultHttpHeaders* test -f codec-http/pom.xml
# ...
[ERROR] Failures:
[ERROR] DefaultHttpHeadersTest.setIterableValidatesValue:253 Expected java.lang.IllegalArgumentException to be thrown, but nothing was thrown.
[INFO]
[ERROR] Tests run: 24, Failures: 1, Errors: 0, Skipped: 0
Confirming 4.1.82 is not affected:
❯ git checkout tags/netty-4.1.82.Final
❯ mvn -Dtest=DefaultHttpHeaders* test -f codec-http/pom.xml
...
[INFO] Tests run: 22, Failures: 0, Errors: 0, Skipped: 0
[INFO] BUILD SUCCESS
# Applying the patch:
❯ curl -sL https://github.com/netty/netty/files/10311197/netty-cve-2022-41915-test.patch | git apply -
❯ git status -s
M codec-http/src/test/java/io/netty/handler/codec/http/DefaultHttpHeadersTest.java
❯ mvn -Dtest=DefaultHttpHeaders* test -f codec-http/pom.xml
# ...
[INFO] Tests run: 24, Failures: 0, Errors: 0, Skipped: 0
[INFO] BUILD SUCCESS
Also confirmed 4.1.79 is not affected.
EDIT: uploaded correct patch