diff --git a/CVE-2025-55163.patch b/CVE-2025-55163.patch new file mode 100644 index 0000000000000000000000000000000000000000..82d454e4ae91be42376260763b51c53e93a0b16b --- /dev/null +++ b/CVE-2025-55163.patch @@ -0,0 +1,138 @@ +commit be53dc3c9acd9af2e20d0c3c07cd77115a594cf1 +Author: Norman Maurer +Date: Mon Jul 28 08:25:35 2025 -1000 + + HTTP2: Http2ConnectionHandler should always use Http2ConnectionEncode… (#15518) + + …r (#15516) + + Motivation: + + We sometimes directly used the Http2FrameWriter which is not correct as + someone might have supplied a custom Http2ConnectionEncoder + + Modifications: + + Use Http2ConnectionEncoder when writing RST frames + + Result: + + Don't by-pass Http2ConnectionEncoder + +diff --git a/codec-http2/src/main/java/io/netty/handler/codec/http2/Http2ConnectionHandler.java b/codec-http2/src/main/java/io/netty/handler/codec/http2/Http2ConnectionHandler.java +index 4e661e865d..61e9cd1213 100644 +--- a/codec-http2/src/main/java/io/netty/handler/codec/http2/Http2ConnectionHandler.java ++++ b/codec-http2/src/main/java/io/netty/handler/codec/http2/Http2ConnectionHandler.java +@@ -717,7 +717,7 @@ public class Http2ConnectionHandler extends ByteToMessageDecoder implements Http + try { + stream = encoder.connection().remote().createStream(streamId, true); + } catch (Http2Exception e) { +- resetUnknownStream(ctx, streamId, http2Ex.error().code(), ctx.newPromise()); ++ encoder().writeRstStream(ctx, streamId, http2Ex.error().code(), ctx.newPromise()); + return; + } + } +@@ -734,10 +734,10 @@ public class Http2ConnectionHandler extends ByteToMessageDecoder implements Http + + if (stream == null) { + if (!outbound || connection().local().mayHaveCreatedStream(streamId)) { +- resetUnknownStream(ctx, streamId, http2Ex.error().code(), ctx.newPromise()); ++ encoder().writeRstStream(ctx, streamId, http2Ex.error().code(), ctx.newPromise()); + } + } else { +- resetStream(ctx, stream, http2Ex.error().code(), ctx.newPromise()); ++ encoder().writeRstStream(ctx, streamId, http2Ex.error().code(), ctx.newPromise()); + } + } + +diff --git a/codec-http2/src/test/java/io/netty/handler/codec/http2/Http2ConnectionHandlerTest.java b/codec-http2/src/test/java/io/netty/handler/codec/http2/Http2ConnectionHandlerTest.java +index 9d5a1c463c..4c48e2780d 100644 +--- a/codec-http2/src/test/java/io/netty/handler/codec/http2/Http2ConnectionHandlerTest.java ++++ b/codec-http2/src/test/java/io/netty/handler/codec/http2/Http2ConnectionHandlerTest.java +@@ -421,7 +421,7 @@ public class Http2ConnectionHandlerTest { + when(connection.isServer()).thenReturn(true); + when(stream.isHeadersSent()).thenReturn(false); + when(remote.lastStreamCreated()).thenReturn(STREAM_ID); +- when(frameWriter.writeRstStream(eq(ctx), eq(STREAM_ID), ++ when(encoder.writeRstStream(eq(ctx), eq(STREAM_ID), + eq(PROTOCOL_ERROR.code()), eq(promise))).thenReturn(future); + + handler.exceptionCaught(ctx, e); +@@ -431,7 +431,7 @@ public class Http2ConnectionHandlerTest { + captor.capture(), eq(padding), eq(true), eq(promise)); + Http2Headers headers = captor.getValue(); + assertEquals(HttpResponseStatus.REQUEST_HEADER_FIELDS_TOO_LARGE.codeAsText(), headers.status()); +- verify(frameWriter).writeRstStream(ctx, STREAM_ID, PROTOCOL_ERROR.code(), promise); ++ verify(encoder).writeRstStream(ctx, STREAM_ID, PROTOCOL_ERROR.code(), promise); + } + + @Test +@@ -445,14 +445,14 @@ public class Http2ConnectionHandlerTest { + when(connection.isServer()).thenReturn(true); + when(stream.isHeadersSent()).thenReturn(false); + when(remote.lastStreamCreated()).thenReturn(STREAM_ID); +- when(frameWriter.writeRstStream(eq(ctx), eq(STREAM_ID), ++ when(encoder.writeRstStream(eq(ctx), eq(STREAM_ID), + eq(PROTOCOL_ERROR.code()), eq(promise))).thenReturn(future); + + handler.exceptionCaught(ctx, e); + + verify(encoder, never()).writeHeaders(eq(ctx), eq(STREAM_ID), + any(Http2Headers.class), eq(padding), eq(true), eq(promise)); +- verify(frameWriter).writeRstStream(ctx, STREAM_ID, PROTOCOL_ERROR.code(), promise); ++ verify(encoder).writeRstStream(ctx, STREAM_ID, PROTOCOL_ERROR.code(), promise); + } + + @Test +@@ -466,14 +466,14 @@ public class Http2ConnectionHandlerTest { + when(connection.isServer()).thenReturn(false); + when(stream.isHeadersSent()).thenReturn(false); + when(remote.lastStreamCreated()).thenReturn(STREAM_ID); +- when(frameWriter.writeRstStream(eq(ctx), eq(STREAM_ID), ++ when(encoder.writeRstStream(eq(ctx), eq(STREAM_ID), + eq(PROTOCOL_ERROR.code()), eq(promise))).thenReturn(future); + + handler.exceptionCaught(ctx, e); + + verify(encoder, never()).writeHeaders(eq(ctx), eq(STREAM_ID), + any(Http2Headers.class), eq(padding), eq(true), eq(promise)); +- verify(frameWriter).writeRstStream(ctx, STREAM_ID, PROTOCOL_ERROR.code(), promise); ++ verify(encoder).writeRstStream(ctx, STREAM_ID, PROTOCOL_ERROR.code(), promise); + } + + @Test +@@ -502,14 +502,14 @@ public class Http2ConnectionHandlerTest { + when(connection.isServer()).thenReturn(true); + when(stream.isHeadersSent()).thenReturn(true); + when(remote.lastStreamCreated()).thenReturn(STREAM_ID); +- when(frameWriter.writeRstStream(eq(ctx), eq(STREAM_ID), ++ when(encoder.writeRstStream(eq(ctx), eq(STREAM_ID), + eq(PROTOCOL_ERROR.code()), eq(promise))).thenReturn(future); + handler.exceptionCaught(ctx, e); + + verify(encoder, never()).writeHeaders(eq(ctx), eq(STREAM_ID), + any(Http2Headers.class), eq(padding), eq(true), eq(promise)); + +- verify(frameWriter).writeRstStream(ctx, STREAM_ID, PROTOCOL_ERROR.code(), promise); ++ verify(encoder).writeRstStream(ctx, STREAM_ID, PROTOCOL_ERROR.code(), promise); + } + + @Test +@@ -526,7 +526,7 @@ public class Http2ConnectionHandlerTest { + when(connection.isServer()).thenReturn(true); + when(stream.isHeadersSent()).thenReturn(false); + when(remote.lastStreamCreated()).thenReturn(STREAM_ID); +- when(frameWriter.writeRstStream(eq(ctx), eq(STREAM_ID), ++ when(encoder.writeRstStream(eq(ctx), eq(STREAM_ID), + eq(PROTOCOL_ERROR.code()), eq(promise))).thenReturn(future); + handler.exceptionCaught(ctx, e); + +@@ -534,7 +534,7 @@ public class Http2ConnectionHandlerTest { + verify(encoder).writeHeaders(eq(ctx), eq(STREAM_ID), + any(Http2Headers.class), eq(padding), eq(true), eq(promise)); + +- verify(frameWriter).writeRstStream(ctx, STREAM_ID, PROTOCOL_ERROR.code(), promise); ++ verify(encoder).writeRstStream(ctx, STREAM_ID, PROTOCOL_ERROR.code(), promise); + } + + @Test diff --git a/netty.spec b/netty.spec index 29167d5e609e075d77a292f1f2168eb5538a4c0a..120d17bef89be3375642c65769cb268376d4e9f1 100644 --- a/netty.spec +++ b/netty.spec @@ -2,7 +2,7 @@ Name: netty Version: 4.1.13 -Release: 22 +Release: 23 Summary: Asynchronous event-driven network application Java framework License: ASL 2.0 URL: https://netty.io/ @@ -33,6 +33,7 @@ Patch0021: fix-strip.patch # https://github.com/netty/netty/commit/cd91cf3c99123bd1e53fd6a1de0e3d1922f05bb2 Patch0022: CVE-2022-41881.patch Patch0023: CVE-2024-29025.patch +Patch0024: CVE-2025-55163.patch BuildRequires: maven-local mvn(ant-contrib:ant-contrib) BuildRequires: mvn(com.jcraft:jzlib) mvn(commons-logging:commons-logging) @@ -157,6 +158,9 @@ export CFLAGS="$RPM_OPT_FLAGS" LDFLAGS="$RPM_LD_FLAGS" %changelog +* Fri Aug 15 2025 Yu Peng - 4.1.13-23 +- Fix CVE-2025-55163. + * Tue Nov 12 2024 yaoxin - 4.1.13-22 - Fix CVE-2024-29025