From 73c142439156a3ca3fbc09121863097383001741 Mon Sep 17 00:00:00 2001
From: hdliu
Date: Tue, 19 Aug 2025 14:37:39 +0800
Subject: [PATCH] Fix CVE-2022-24823

Signed-off-by: hdliu
(cherry picked from commit 2ea6915443615298e7c56d21710d2346440f9dff)
---
 CVE-2022-24823.patch | 62 ++++++++++++++++++++++++++++++++++++++++++++
 netty.spec | 6 ++++-
 2 files changed, 67 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2022-24823.patch

diff --git a/CVE-2022-24823.patch b/CVE-2022-24823.patch
new file mode 100644
index 0000000..762f5d8
--- /dev/null
+++ b/CVE-2022-24823.patch
@@ -0,0 +1,62 @@
+From 185f8b2756a36aaa4f973f1a2a025e7d981823f1 Mon Sep 17 00:00:00 2001
+From: Norman Maurer
+Date: Fri, 6 May 2022 08:57:43 +0200
+Subject: [PATCH] Merge pull request from GHSA-269q-hmxg-m83q
+
+* Correctly modify permission for temporary files when using Java 6 in all cases
+
+Motivation:
+
+[GHSA-5mcr-gq6c-3hq2](GHSA-5mcr-gq6c-3hq2) did not correctly fix all cases for temprory files when running on java 6.
+
+Modifications:
+
+- Add correctly adjust perms in all cases
+- Add logging if adjusting of permissions fails
+
+Result:
+
+Fixes GHSA-269q-hmxg-m83q
+
+The patch comes from:https://github.com/netty/netty/commit/185f8b2756a36aaa4f973f1a2a025e7d981823f1
+
+Signed-off-by: hdliu
+---
+ .../util/internal/PlatformDependent.java | 19 +++++++++++++------
+ 1 file changed, 13 insertions(+), 6 deletions(-)
+
+diff --git a/common/src/main/java/io/netty/util/internal/PlatformDependent.java b/common/src/main/java/io/netty/util/internal/PlatformDependent.java
+index 6cc4532..a37d7e2 100644
+--- a/common/src/main/java/io/netty/util/internal/PlatformDependent.java
++++ b/common/src/main/java/io/netty/util/internal/PlatformDependent.java
+@@ -1176,14 +1176,21 @@ public final class PlatformDependent {
+ }
+ return Files.createTempFile(directory.toPath(), prefix, suffix).toFile();
+ }
++ final File file;
+ if (directory == null) {
+- return File.createTempFile(prefix, suffix);
++ file = File.createTempFile(prefix, suffix);
++ } else {
++ file = File.createTempFile(prefix, suffix, directory);
++ }
++
++ // Try to adjust the perms, if this fails there is not much else we can do...
++ if (!file.setReadable(false, false)) {
++ throw new IOException("Failed to set permissions on temporary file " + file);
++ }
++ if (!file.setReadable(true, true)) {
++ throw new IOException("Failed to set permissions on temporary file " + file);
+ }
+- File file = File.createTempFile(prefix, suffix, directory);
+- // Try to adjust the perms, if this fails there is not much else we can do...
+- file.setReadable(false, false);
+- file.setReadable(true, true);
+- return file;
++ return file;
+ }
+
+ /**
+--
+2.33.0
+
diff --git a/netty.spec b/netty.spec
index 29167d5..c6f6b96 100644
--- a/netty.spec
+++ b/netty.spec
@@ -2,7 +2,7 @@ Name: netty
 Version: 4.1.13
-Release: 22
+Release: 23
 Summary: Asynchronous event-driven network application Java framework
 License: ASL 2.0
 URL: https://netty.io/
@@ -33,6 +33,7 @@ Patch0021: fix-strip.patch
 # https://github.com/netty/netty/commit/cd91cf3c99123bd1e53fd6a1de0e3d1922f05bb2
 Patch0022: CVE-2022-41881.patch
 Patch0023: CVE-2024-29025.patch
+Patch0024: CVE-2022-24823.patch
 BuildRequires: maven-local mvn(ant-contrib:ant-contrib)
 BuildRequires: mvn(com.jcraft:jzlib) mvn(commons-logging:commons-logging)
@@ -157,6 +158,9 @@ export CFLAGS="$RPM_OPT_FLAGS" LDFLAGS="$RPM_LD_FLAGS"
 %changelog
+* Fri Aug 22 2025 hdliu - 4.1.13-23
+- Fix CVE-2022-24823
+
 * Tue Nov 12 2024 yaoxin - 4.1.13-22
 - Fix CVE-2024-29025
--
Gitee
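Review bot: In the embedded PlatformDependent.java hunk, a failed `setReadable` call now throws, but the temporary file that `File.createTempFile` just created stays on disk with whatever mode the process umask gave it. Deleting it before the throw closes that gap, e.g. `if (!file.setReadable(false, false) || !file.setReadable(true, true)) { file.delete(); throw new IOException("Failed to set permissions on temporary file " + file); }`. The retained comment `if this fails there is not much else we can do...` no longer matches code that fails hard, and could read `// Restrict read access to the owner; fail rather than return a file other users can read.` Permissions are still narrowed after creation on this path, so the file is presumably readable under the default umask for a short window; only the `Files.createTempFile` branch visible at the top of the hunk avoids that. The method starts above the hunk, so the condition that selects this fallback branch is not visible here.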