CVE CVE-2022-41915: Incorrect range. Releases < 4.1.83.Final not affected #13084

Closed
@sergiitk

Advisory: GHSA-hh82-3pmq-7frp
CVE: https://nvd.nist.gov/vuln/detail/CVE-2022-41915
The fix: fe18adf

I suspect this to be a regression introduced in #12760.

Steps to reproduce

Test patch: netty-cve-2022-41915-test.patch

Confirming 4.1.83 is affected:

❯ git restore .
❯ git checkout tags/netty-4.1.83.Final
❯ mvn -Dtest=DefaultHttpHeaders* test -f codec-http/pom.xml
...
[INFO] Tests run: 22, Failures: 0, Errors: 0, Skipped: 0
[INFO] BUILD SUCCESS

# Applying the patch:
❯ curl -sL https://github.com/netty/netty/files/10311197/netty-cve-2022-41915-test.patch | git apply -C1 -
❯ git status -s
 M codec-http/src/test/java/io/netty/handler/codec/http/DefaultHttpHeadersTest.java
❯ mvn -Dtest=DefaultHttpHeaders* test -f codec-http/pom.xml
# ...
[ERROR] Failures:
[ERROR]   DefaultHttpHeadersTest.setIterableValidatesValue:253 Expected java.lang.IllegalArgumentException to be thrown, but nothing was thrown.
[INFO]
[ERROR] Tests run: 24, Failures: 1, Errors: 0, Skipped: 0

Confirming 4.1.82 is not affected:

❯ git checkout tags/netty-4.1.82.Final
❯ mvn -Dtest=DefaultHttpHeaders* test -f codec-http/pom.xml
...
[INFO] Tests run: 22, Failures: 0, Errors: 0, Skipped: 0
[INFO] BUILD SUCCESS

# Applying the patch:
❯ curl -sL https://github.com/netty/netty/files/10311197/netty-cve-2022-41915-test.patch | git apply - 
❯ git status -s
 M codec-http/src/test/java/io/netty/handler/codec/http/DefaultHttpHeadersTest.java
❯ mvn -Dtest=DefaultHttpHeaders* test -f codec-http/pom.xml
# ...
[INFO] Tests run: 24, Failures: 0, Errors: 0, Skipped: 0
[INFO] BUILD SUCCESS

Also confirmed 4.1.79 is not affected.

EDIT: uploaded correct patch
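
The reproduction steps above, wrapped so the same check can be repeated over any list of release tags. This is an added example, not part of the original issue or the Netty project. The patch URL, test selector and pom path are taken from the issue; the function names, the `inconclusive` verdict and the use of `-C1` for every tag are assumptions of the example. It separates "the added tests ran and passed" from "the added tests never ran", which a bare `BUILD SUCCESS` does not.

```shell
#!/bin/sh
# Added example: repeat the issue's check across release tags.
# PATCH_URL, the test selector and the pom path are copied from the issue;
# function names and the "inconclusive" verdict are this example's own.
PATCH_URL="https://github.com/netty/netty/files/10311197/netty-cve-2022-41915-test.patch"
TEST_NAME="setIterableValidatesValue"

# Print the last "Tests run: N" figure found on stdin (0 if there is none).
tests_run() {
  awk 'match($0, /Tests run: [0-9]+/) { n = substr($0, RSTART + 11, RLENGTH - 11) }
       END { print n + 0 }'
}

# classify BASELINE < output-of-patched-run
# Prints affected, not-affected or inconclusive.
classify() {
  c_baseline="$1"
  c_out="$(cat)"
  c_count="$(printf '%s\n' "$c_out" | tests_run)"
  if printf '%s\n' "$c_out" | grep -Eq "^\[ERROR\].*${TEST_NAME}.*nothing was thrown"; then
    echo affected          # the added test ran and validation was skipped
  elif [ "$c_count" -gt "$c_baseline" ] &&
       printf '%s\n' "$c_out" | grep -q 'BUILD SUCCESS'; then
    echo not-affected      # the added tests ran and passed
  else
    echo inconclusive      # no extra tests ran, or the build broke elsewhere
  fi
}

run_tests() { mvn -Dtest='DefaultHttpHeaders*' test -f codec-http/pom.xml 2>&1; }

# check_tag TAG: run from the root of a clean netty clone.
check_tag() {
  git restore . && git checkout -q "tags/$1" || return 1
  t_baseline="$(run_tests | tests_run)"
  # Assumption: -C1 (used in the issue for 4.1.83) is acceptable for every tag.
  if ! curl -sL "$PATCH_URL" | git apply -C1 -; then
    echo "$1: patch did not apply"; return 1
  fi
  echo "$1: $(run_tests | classify "$t_baseline")"
  git restore .
}

# Usage: sh check-range.sh netty-4.1.82.Final netty-4.1.83.Final
for tag in "$@"; do check_tag "$tag"; done
```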
