From b89207fe1a9461b0572531c5ef202bc89f26b2d5 Mon Sep 17 00:00:00 2001
From: Eric Anderson
Date: Fri, 9 Jun 2023 08:05:15 -0700
Subject: [PATCH] Upgrade netty-tcnative to 2.0.61.Final
This updates the version of boringssl and removes the dependency on APR. netty-tcnative 2.0.56.Final uses APR 1.7.0, so is in scope for CVE-2021-35940, CVE-2022-28331, and CVE-2022-24963. netty-tcnative is not actually vulnerable. The binary does not include apr_socket_sendv(), apr_encode_*(), apr_pencode_*(), apr_decode_*(), apr_pdecode_*(). The binary does include apr_time_exp_*() but it is unused code. Unfortunately --gc-sections wasn't used during compilation. apr_time_now() is used, but that just calls gettimeofday() and is not vulnerable. There's no panic here, but this updates netty-tcnative just a few weeks before we would have ordinarily done so. Bumping the version makes life easier for everyone.
---
 SECURITY.md | 3 ++-
 examples/example-tls/pom.xml | 1 -
 examples/example-xds/build.gradle | 1 -
 gradle/libs.versions.toml | 8 +++-----
 repositories.bzl | 4 ++--
 5 files changed, 7 insertions(+), 10 deletions(-)
diff --git a/SECURITY.md b/SECURITY.md
index ab617488f74..5ced7c8b9a5 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -394,7 +394,8 @@ grpc-netty version | netty-handler version | netty-tcnative-boringssl-static ver
 1.44.x-1.47.x | 4.1.72.Final | 2.0.46.Final
 1.48.x-1.49.x | 4.1.77.Final | 2.0.53.Final
 1.50.x-1.53.x | 4.1.79.Final | 2.0.54.Final
-1.54.x- | 4.1.87.Final | 2.0.56.Final
+1.54.x-1.55.x | 4.1.87.Final | 2.0.56.Final
+1.56.x- | 4.1.87.Final | 2.0.61.Final
 _(grpc-netty-shaded avoids issues with keeping these versions in sync.)_
diff --git a/examples/example-tls/pom.xml b/examples/example-tls/pom.xml
index 5bf1894a95e..62a532f9579 100644
--- a/examples/example-tls/pom.xml
+++ b/examples/example-tls/pom.xml
@@ -14,7 +14,6 @@ UTF-8 1.56.0-SNAPSHOT 3.22.3 - 2.0.56.Final 1.8 1.8 
diff --git a/examples/example-xds/build.gradle b/examples/example-xds/build.gradle
index 4c6a8639fb0..dd0406cd927 100644
--- a/examples/example-xds/build.gradle
+++ b/examples/example-xds/build.gradle
@@ -23,7 +23,6 @@ targetCompatibility = 1.8
 // Feel free to delete the comment at the next line. It is just for safely
 // updating the version in our release process.
 def grpcVersion = '1.56.0-SNAPSHOT' // CURRENT_GRPC_VERSION
-def nettyTcNativeVersion = '2.0.56.Final'
 def protocVersion = '3.22.3'
 dependencies {
diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
index cc725c4986a..57aefc4d971 100644
--- a/gradle/libs.versions.toml
+++ b/gradle/libs.versions.toml
@@ -4,7 +4,9 @@ googleauth = "1.4.0"
 guava = "31.1-android"
 netty = '4.1.87.Final'
-nettytcnative = '2.0.56.Final'
+# Keep the following references of tcnative version in sync whenever it's updated:
+# SECURITY.md nettytcnative = '2.0.61.Final'
 opencensus = "0.31.1"
 protobuf = "3.22.3"
@@ -46,10 +48,6 @@ mockito-android = "org.mockito:mockito-android:3.12.4"
 mockito-core = "org.mockito:mockito-core:3.12.4"
 netty-codec-http2 = { module = "io.netty:netty-codec-http2", version.ref = "netty" }
 netty-handler-proxy = { module = "io.netty:netty-handler-proxy", version.ref = "netty" }
-# Keep the following references of tcnative version in sync whenever it's updated:
-# SECURITY.md (multiple occurrences)
-# examples/example-tls/build.gradle
-# examples/example-tls/pom.xml
 netty-tcnative = { module = "io.netty:netty-tcnative-boringssl-static", version.ref = "nettytcnative" }
 netty-tcnative-classes = { module = "io.netty:netty-tcnative-classes", version.ref = "nettytcnative" }
 netty-transport-epoll = { module = "io.netty:netty-transport-native-epoll", version.ref = "netty" }
diff --git a/repositories.bzl b/repositories.bzl
index eb393c95a97..856914929f2 100644
--- a/repositories.bzl
+++ b/repositories.bzl 
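Review bot: The comment moved next to `nettytcnative` in the first libs.versions.toml hunk now lists only SECURITY.md, while the four lines removed in the second hunk also named examples/example-tls/build.gradle and examples/example-tls/pom.xml as places to keep in sync. This commit strips the pin from examples/example-tls/pom.xml and examples/example-xds/build.gradle, but examples/example-tls/build.gradle is not in the diffstat, so either it still carries its own tcnative version (now stale at 2.0.56.Final and no longer documented, which is exactly what the comment existed to prevent) or it was already dropped earlier; that cannot be told from the diff. If the former, the file should be bumped and re-added to the list; if the latter, a short second line such as `# (examples no longer pin tcnative directly; they inherit it from the grpc artifacts)` would spare the next person the search. The SECURITY.md entry also lost its "(multiple occurrences)" qualifier even though the table in that file still holds one row per grpc-netty range, so keeping that hint seems cheap.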
@@ -34,8 +34,8 @@ IO_GRPC_GRPC_JAVA_ARTIFACTS = [
 "io.netty:netty-handler-proxy:4.1.87.Final",
 "io.netty:netty-handler:4.1.87.Final",
 "io.netty:netty-resolver:4.1.87.Final",
- "io.netty:netty-tcnative-boringssl-static:2.0.56.Final",
- "io.netty:netty-tcnative-classes:2.0.56.Final",
+ "io.netty:netty-tcnative-boringssl-static:2.0.61.Final",
+ "io.netty:netty-tcnative-classes:2.0.61.Final",
 "io.netty:netty-transport-native-epoll:jar:linux-x86_64:4.1.87.Final",
 "io.netty:netty-transport-native-unix-common:4.1.87.Final",
 "io.netty:netty-transport:4.1.87.Final",