From 2e2d8c99a177fb309a4d4fefc792b32032532c6f Mon Sep 17 00:00:00 2001
From: wang_yue111 <648774160@qq.com>
Date: Tue, 9 Mar 2021 16:38:21 +0800
Subject: [PATCH] fix CVE-2021-21290

(cherry picked from commit 523081e42c8d707529a9573f0f2f9d317f734801)

---
CVE-2021-21290.patch | 292 +++++++++++++++++++++++++++++++++++++++++++
netty.spec | 9 +-
2 files changed, 299 insertions(+), 2 deletions(-)
create mode 100644 CVE-2021-21290.patch

diff --git a/CVE-2021-21290.patch b/CVE-2021-21290.patch
new file mode 100644
index 0000000..52f1a67
--- /dev/null
+++ b/CVE-2021-21290.patch
@@ -0,0 +1,292 @@
+From f1f550f682ea781cda3d86e5114b7b7cab4513c8 Mon Sep 17 00:00:00 2001
+From: wang_yue111 <648774160@qq.com>
+Date: Tue, 9 Mar 2021 14:57:32 +0800
+Subject: [PATCH] Use Files.createTempFile(...) to ensure the file is created
+ with proper permissions
+
+Motivation:
+
+File.createTempFile(String, String)` will create a temporary file in the system temporary directory if the 'java.io.tmpdir'. The permissions on that file utilize the umask. In a majority of cases, this means that the file that java creates has the permissions: `-rw-r--r--`, thus, any other local user on that system can read the contents of that file.
+This can be a security concern if any sensitive data is stored in this file.
+
+This was reported by Jonathan Leitschuh as a security problem.
+
+Modifications:
+
+Use Files.createTempFile(...) which will use safe-defaults when running on java 7 and later. If running on java 6 there isnt much we can do, which is fair enough as java 6 shouldnt be considered "safe" anyway.
+
+Result:
+
+Create temporary files with sane permissions by default.
+
+---
+ .../io/netty/buffer/AbstractByteBufTest.java | 4 ++--
+ .../http/multipart/AbstractDiskHttpData.java | 5 +++--
+ .../codec/http/HttpChunkedInputTest.java | 3 ++-
+ .../util/internal/NativeLibraryLoader.java | 3 ++-
+ .../util/internal/PlatformDependent.java | 20 +++++++++++++++++++
+ .../ssl/util/SelfSignedCertificate.java | 5 +++--
+ .../stream/ChunkedWriteHandlerTest.java | 3 ++-
+ .../socket/SocketFileRegionTest.java | 2 +-
+ .../epoll/EpollSocketTestPermutation.java | 1 +
+ .../netty/channel/epoll/EpollSpliceTest.java | 3 ++-
+ .../channel/unix/tests/UnixTestUtils.java | 3 ++-
+ 11 files changed, 40 insertions(+), 12 deletions(-)
+
+diff --git a/buffer/src/test/java/io/netty/buffer/AbstractByteBufTest.java b/buffer/src/test/java/io/netty/buffer/AbstractByteBufTest.java
+index ef9d729..0d4d3e6 100644
+--- a/buffer/src/test/java/io/netty/buffer/AbstractByteBufTest.java
++++ b/buffer/src/test/java/io/netty/buffer/AbstractByteBufTest.java
+@@ -3962,7 +3962,7 @@ public abstract class AbstractByteBufTest {
+
+ @Test
+ public void testReadBytesAndWriteBytesWithFileChannel() throws IOException {
+- File file = File.createTempFile("file-channel", ".tmp");
++ File file = PlatformDependent.createTempFile("file-channel", ".tmp", null);
+ RandomAccessFile randomAccessFile = null;
+ try {
+ randomAccessFile = new RandomAccessFile(file, "rw");
+@@ -4005,7 +4005,7 @@ public abstract class AbstractByteBufTest {
+
+ @Test
+ public void testGetBytesAndSetBytesWithFileChannel() throws IOException {
+- File file = File.createTempFile("file-channel", ".tmp");
++ File file = PlatformDependent.createTempFile("file-channel", ".tmp", null);
+ RandomAccessFile randomAccessFile = null;
+ try {
+ randomAccessFile = new RandomAccessFile(file, "rw");
+diff --git a/codec-http/src/main/java/io/netty/handler/codec/http/multipart/AbstractDiskHttpData.java b/codec-http/src/main/java/io/netty/handler/codec/http/multipart/AbstractDiskHttpData.java
+index a21e72f..9251673 100644
+--- a/codec-http/src/main/java/io/netty/handler/codec/http/multipart/AbstractDiskHttpData.java
++++ b/codec-http/src/main/java/io/netty/handler/codec/http/multipart/AbstractDiskHttpData.java
+@@ -18,6 +18,7 @@ package io.netty.handler.codec.http.multipart;
+ import io.netty.buffer.ByteBuf;
+ import io.netty.handler.codec.http.HttpConstants;
+ import io.netty.util.internal.EmptyArrays;
++import io.netty.util.internal.PlatformDependent;
+ import io.netty.util.internal.logging.InternalLogger;
+ import io.netty.util.internal.logging.InternalLoggerFactory;
+
+@@ -87,9 +88,9 @@ public abstract class AbstractDiskHttpData extends AbstractHttpData {
+ File tmpFile;
+ if (getBaseDirectory() == null) {
+ // create a temporary file
+- tmpFile = File.createTempFile(getPrefix(), newpostfix);
++ tmpFile = PlatformDependent.createTempFile(getPrefix(), newpostfix, null);
+ } else {
+- tmpFile = File.createTempFile(getPrefix(), newpostfix, new File(
++ tmpFile = PlatformDependent.createTempFile(getPrefix(), newpostfix, new File(
+ getBaseDirectory()));
+ }
+ if (deleteOnExit()) {
+diff --git a/codec-http/src/test/java/io/netty/handler/codec/http/HttpChunkedInputTest.java b/codec-http/src/test/java/io/netty/handler/codec/http/HttpChunkedInputTest.java
+index 002c8d0..8e75eb9 100644
+--- a/codec-http/src/test/java/io/netty/handler/codec/http/HttpChunkedInputTest.java
++++ b/codec-http/src/test/java/io/netty/handler/codec/http/HttpChunkedInputTest.java
+@@ -25,6 +25,7 @@ import io.netty.handler.stream.ChunkedNioFile;
+ import io.netty.handler.stream.ChunkedNioStream;
+ import io.netty.handler.stream.ChunkedStream;
+ import io.netty.handler.stream.ChunkedWriteHandler;
++import io.netty.util.internal.PlatformDependent;
+ import org.junit.Test;
+
+ import java.io.ByteArrayInputStream;
+@@ -46,7 +47,7 @@ public class HttpChunkedInputTest {
+
+ FileOutputStream out = null;
+ try {
+- TMP = File.createTempFile("netty-chunk-", ".tmp");
++ TMP = PlatformDependent.createTempFile("netty-chunk-", ".tmp", null);
+ TMP.deleteOnExit();
+ out = new FileOutputStream(TMP);
+ out.write(BYTES);
+diff --git a/common/src/main/java/io/netty/util/internal/NativeLibraryLoader.java b/common/src/main/java/io/netty/util/internal/NativeLibraryLoader.java
+index 1b0a71d..cb4d4f2 100644
+--- a/common/src/main/java/io/netty/util/internal/NativeLibraryLoader.java
++++ b/common/src/main/java/io/netty/util/internal/NativeLibraryLoader.java
+@@ -15,6 +15,7 @@
+ */
+ package io.netty.util.internal;
+
++import io.netty.util.internal.PlatformDependent;
+ import io.netty.util.internal.logging.InternalLogger;
+ import io.netty.util.internal.logging.InternalLoggerFactory;
+
+@@ -212,7 +213,7 @@ public final class NativeLibraryLoader {
+ OutputStream out = null;
+ File tmpFile = null;
+ try {
+- tmpFile = File.createTempFile(prefix, suffix, WORKDIR);
++ tmpFile = PlatformDependent.createTempFile(prefix, suffix, WORKDIR);
+ in = url.openStream();
+ out = new FileOutputStream(tmpFile);
+
+diff --git a/common/src/main/java/io/netty/util/internal/PlatformDependent.java b/common/src/main/java/io/netty/util/internal/PlatformDependent.java
+index 2fd3c98..6cc4532 100644
+--- a/common/src/main/java/io/netty/util/internal/PlatformDependent.java
++++ b/common/src/main/java/io/netty/util/internal/PlatformDependent.java
+@@ -17,6 +17,7 @@ package io.netty.util.internal;
+
+ import io.netty.util.internal.logging.InternalLogger;
+ import io.netty.util.internal.logging.InternalLoggerFactory;
++import io.netty.util.internal.PlatformDependent;
+ import org.jctools.queues.MpscArrayQueue;
+ import org.jctools.queues.MpscChunkedArrayQueue;
+ import org.jctools.queues.SpscLinkedQueue;
+@@ -27,9 +28,11 @@ import org.jctools.util.Pow2;
+ import org.jctools.util.UnsafeAccess;
+
+ import java.io.File;
++import java.io.IOException;
+ import java.lang.reflect.Method;
+ import java.nio.ByteBuffer;
+ import java.nio.ByteOrder;
++import java.nio.file.Files;
+ import java.security.AccessController;
+ import java.security.PrivilegedAction;
+ import java.util.Deque;
+@@ -1166,6 +1169,23 @@ public final class PlatformDependent {
+ return true;
+ }
+
++ public static File createTempFile(String prefix, String suffix, File directory) throws IOException {
++ if (javaVersion() >= 7) {
++ if (directory == null) {
++ return Files.createTempFile(prefix, suffix).toFile();
++ }
++ return Files.createTempFile(directory.toPath(), prefix, suffix).toFile();
++ }
++ if (directory == null) {
++ return File.createTempFile(prefix, suffix);
++ }
++ File file = File.createTempFile(prefix, suffix, directory);
++ // Try to adjust the perms, if this fails there is not much else we can do...
++ file.setReadable(false, false);
++ file.setReadable(true, true);
++ return file;
++ }
++
+ /**
+ * Package private for testing purposes only!
+ */
+diff --git a/handler/src/main/java/io/netty/handler/ssl/util/SelfSignedCertificate.java b/handler/src/main/java/io/netty/handler/ssl/util/SelfSignedCertificate.java
+index 112e1a8..4fa3d53 100644
+--- a/handler/src/main/java/io/netty/handler/ssl/util/SelfSignedCertificate.java
++++ b/handler/src/main/java/io/netty/handler/ssl/util/SelfSignedCertificate.java
+@@ -20,6 +20,7 @@ import io.netty.buffer.ByteBuf;
+ import io.netty.buffer.Unpooled;
+ import io.netty.handler.codec.base64.Base64;
+ import io.netty.util.CharsetUtil;
++import io.netty.util.internal.PlatformDependent;
+ import io.netty.util.internal.SystemPropertyUtil;
+ import io.netty.util.internal.logging.InternalLogger;
+ import io.netty.util.internal.logging.InternalLoggerFactory;
+@@ -236,7 +237,7 @@ public final class SelfSignedCertificate {
+ wrappedBuf.release();
+ }
+
+- File keyFile = File.createTempFile("keyutil_" + fqdn + '_', ".key");
++ File keyFile = PlatformDependent.createTempFile("keyutil_" + fqdn + '_', ".key", null);
+ keyFile.deleteOnExit();
+
+ OutputStream keyOut = new FileOutputStream(keyFile);
+@@ -267,7 +268,7 @@ public final class SelfSignedCertificate {
+ wrappedBuf.release();
+ }
+
+- File certFile = File.createTempFile("keyutil_" + fqdn + '_', ".crt");
++ File certFile = PlatformDependent.createTempFile("keyutil_" + fqdn + '_', ".crt", null);
+ certFile.deleteOnExit();
+
+ OutputStream certOut = new FileOutputStream(certFile);
+diff --git a/handler/src/test/java/io/netty/handler/stream/ChunkedWriteHandlerTest.java b/handler/src/test/java/io/netty/handler/stream/ChunkedWriteHandlerTest.java
+index 66b6951..f556a5f 100644
+--- a/handler/src/test/java/io/netty/handler/stream/ChunkedWriteHandlerTest.java
++++ b/handler/src/test/java/io/netty/handler/stream/ChunkedWriteHandlerTest.java
+@@ -23,6 +23,7 @@ import io.netty.channel.ChannelFutureListener;
+ import io.netty.channel.ChannelHandlerContext;
+ import io.netty.channel.embedded.EmbeddedChannel;
+ import io.netty.util.CharsetUtil;
++import io.netty.util.internal.PlatformDependent;
+ import org.junit.Test;
+
+ import java.io.ByteArrayInputStream;
+@@ -47,7 +48,7 @@ public class ChunkedWriteHandlerTest {
+
+ FileOutputStream out = null;
+ try {
+- TMP = File.createTempFile("netty-chunk-", ".tmp");
++ TMP = PlatformDependent.createTempFile("netty-chunk-", ".tmp", null);
+ TMP.deleteOnExit();
+ out = new FileOutputStream(TMP);
+ out.write(BYTES);
+diff --git a/testsuite/src/main/java/io/netty/testsuite/transport/socket/SocketFileRegionTest.java b/testsuite/src/main/java/io/netty/testsuite/transport/socket/SocketFileRegionTest.java
+index f08a714..608beed 100644
+--- a/testsuite/src/main/java/io/netty/testsuite/transport/socket/SocketFileRegionTest.java
++++ b/testsuite/src/main/java/io/netty/testsuite/transport/socket/SocketFileRegionTest.java
+@@ -100,7 +100,7 @@ public class SocketFileRegionTest extends AbstractSocketTest {
+ cb.option(ChannelOption.AUTO_READ, autoRead);
+
+ final int bufferSize = 1024;
+- final File file = File.createTempFile("netty-", ".tmp");
++ final File file = PlatformDependent.createTempFile("netty-", ".tmp", null);
+ file.deleteOnExit();
+
+ final FileOutputStream out = new FileOutputStream(file);
+diff --git a/transport-native-epoll/src/test/java/io/netty/channel/epoll/EpollSocketTestPermutation.java b/transport-native-epoll/src/test/java/io/netty/channel/epoll/EpollSocketTestPermutation.java
+index 2da13e1..f8d42cb 100644
+--- a/transport-native-epoll/src/test/java/io/netty/channel/epoll/EpollSocketTestPermutation.java
++++ b/transport-native-epoll/src/test/java/io/netty/channel/epoll/EpollSocketTestPermutation.java
+@@ -32,6 +32,7 @@ import io.netty.testsuite.transport.socket.SocketTestPermutation;
+ import io.netty.util.concurrent.DefaultThreadFactory;
+ import io.netty.util.internal.logging.InternalLogger;
+ import io.netty.util.internal.logging.InternalLoggerFactory;
++import io.netty.util.internal.PlatformDependent;
+
+ import java.io.BufferedReader;
+ import java.io.File;
+diff --git a/transport-native-epoll/src/test/java/io/netty/channel/epoll/EpollSpliceTest.java b/transport-native-epoll/src/test/java/io/netty/channel/epoll/EpollSpliceTest.java
+index 98dcec9..6b975e6 100644
+--- a/transport-native-epoll/src/test/java/io/netty/channel/epoll/EpollSpliceTest.java
++++ b/transport-native-epoll/src/test/java/io/netty/channel/epoll/EpollSpliceTest.java
+@@ -27,6 +27,7 @@ import io.netty.channel.ChannelInboundHandlerAdapter;
+ import io.netty.channel.EventLoopGroup;
+ import io.netty.channel.SimpleChannelInboundHandler;
+ import io.netty.channel.unix.FileDescriptor;
++import io.netty.util.internal.PlatformDependent;
+ import org.junit.Assert;
+ import org.junit.Test;
+
+@@ -192,7 +193,7 @@ public class EpollSpliceTest {
+ @Test
+ public void spliceToFile() throws Throwable {
+ EventLoopGroup group = new EpollEventLoopGroup(1);
+- File file = File.createTempFile("netty-splice", null);
++ File file = PlatformDependent.createTempFile("netty-splice", null, null);
+ file.deleteOnExit();
+
+ SpliceHandler sh = new SpliceHandler(file);
+diff --git a/transport-native-unix-common-tests/src/main/java/io/netty/channel/unix/tests/UnixTestUtils.java b/transport-native-unix-common-tests/src/main/java/io/netty/channel/unix/tests/UnixTestUtils.java
+index e4ebcb4..2fa4187 100644
+--- a/transport-native-unix-common-tests/src/main/java/io/netty/channel/unix/tests/UnixTestUtils.java
++++ b/transport-native-unix-common-tests/src/main/java/io/netty/channel/unix/tests/UnixTestUtils.java
+@@ -17,6 +17,7 @@ package io.netty.channel.unix.tests;
+
+ import io.netty.channel.unix.DomainSocketAddress;
+ import io.netty.channel.unix.Socket;
++import io.netty.util.internal.PlatformDependent;
+
+ import java.io.File;
+ import java.io.IOException;
+@@ -26,7 +27,7 @@ public final class UnixTestUtils {
+ try {
+ File file;
+ do {
+- file = File.createTempFile("NETTY", "UDS");
++ file = PlatformDependent.createTempFile("NETTY", "UDS", null);
+ if (!file.delete()) {
+ throw new IOException("failed to delete: " + file);
+ }
+--
+2.23.0
+
diff --git a/netty.spec b/netty.spec
index bef205d..68fc7b1 100644
--- a/netty.spec
+++ b/netty.spec
@@ -2,7 +2,7 @@ Name: netty
 Version: 4.1.13
-Release: 9
+Release: 10
 Summary: Asynchronous event-driven network application Java framework
 License: ASL 2.0
 URL: https://netty.io/
@@ -17,6 +17,8 @@ Patch0005: CVE-2019-20445-1.patch
 Patch0006: CVE-2019-20445-2.patch
 Patch0007: CVE-2019-20445-3.patch
 Patch0008: CVE-2020-11612.patch
+Patch0009: CVE-2021-21290.patch
+
 BuildRequires: maven-local mvn(ant-contrib:ant-contrib)
 BuildRequires: mvn(com.jcraft:jzlib) mvn(commons-logging:commons-logging)
 BuildRequires: mvn(kr.motd.maven:os-maven-plugin) mvn(log4j:log4j:1.2.17)
@@ -133,7 +135,10 @@ export CFLAGS="$RPM_OPT_FLAGS" LDFLAGS="$RPM_LD_FLAGS"
 %changelog
-- Sun 20 Sep 2020 wangyue - 4.1.13-9
+* Tue Mar 09 2021 wangyue - 4.1.13-10
+- fix CVE-2021-21290
+
+* Fri Dec 04 2020 caodongxia - 4.1.13-9
 - fix CVE-2019-16869 CVE-2019-20444 CVE-2019-20445 CVE-2020-11612
 
 * Wed Aug 26 2020 yaokai - 4.1.13-8
-- Gitee
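Review bot: In the new `PlatformDependent.createTempFile` (the `+@@ -1166,6 +1169,23 @@` hunk of the nested patch), the pre-Java-7 branch with `directory == null` returns `File.createTempFile(prefix, suffix)` straight away and never reaches the `setReadable(false, false)` / `setReadable(true, true)` tightening that the `directory != null` branch applies, so on Java 6 the default-tmpdir case — the one CVE-2021-21290 describes — is still created with umask permissions. Dropping that early return and writing `File file = directory == null ? File.createTempFile(prefix, suffix) : File.createTempFile(prefix, suffix, directory);` lets both cases fall through to the permission adjustment, and the discarded `setReadable` results could at least be logged at debug level so a failed fallback is observable. Separately, the `+import io.netty.util.internal.PlatformDependent;` lines added to PlatformDependent.java and NativeLibraryLoader.java import a class from its own package (the first imports the class into itself) and are redundant, and the EpollSocketTestPermutation section adds the same import with no use visible in its hunk, which would trip an unused-import check if the build runs one. This is a cherry-pick of the upstream fix, so these observations apply to the upstream commit as much as to this backport.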
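Review bot: The `@@ -17,6 +17,8 @@` hunk of netty.spec declares `Patch0009: CVE-2021-21290.patch`, but no hunk in this diff adds a matching `%patch` application line, and the `%prep` section is outside the visible hunks. If `%prep` uses `%autosetup` or `%autopatch` the new patch is picked up automatically; if it applies patches individually, `Patch0009` is declared but never applied and the build would ship an unfixed binary while the changelog claims the CVE is fixed. Worth confirming against `%prep`, e.g. by running `rpmbuild -bp` and checking that `PlatformDependent.createTempFile` is present in the unpacked source tree.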