main/squid: patch CVE-2022-41318

2026-05-07 13:26:40 +02:00 · 2023-12-05 16:38:39 +00:00 · 2023-12-05 16:38:39 +00:00 · 6dcefbc63b
commit 6dcefbc63b
parent bd4a8986f3
2 changed files with 44 additions and 1 deletions
--- a/main/squid/APKBUILD
+++ b/main/squid/APKBUILD
@ -2,7 +2,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=squid
 pkgver=5.5
-pkgrel=0
+pkgrel=1
 pkgdesc="full-featured Web proxy cache server"
 url="http://www.squid-cache.org/"
 install="squid.pre-install squid.pre-upgrade"
@ -22,11 +22,14 @@ source="http://www.squid-cache.org/Versions/v${pkgver%%.*}/squid-$pkgver.tar.xz
 	$pkgname.initd
 	$pkgname.confd
 	$pkgname.logrotate
+	CVE-2022-41318.patch
 	"
 pkgusers="squid"
 pkggroups="squid"

 # secfixes:
+#   5.2-r1:
+#     - CVE-2022-41318
 #   5.2-r0:
 #     - CVE-2021-41611
 #     - CVE-2021-28116
@ -133,4 +136,5 @@ f506f8cc01d59e36432d08eebd68332ef002c931425d6f95bbae7ed35281bbca453db85aba3d7659
 8320820c02c824ed96065e0b66cabdd80b11c23e911880a42f5bd7e3f6e7a5c1c6def910a1843cca810c62a7dc8ccdb9ae82c0cf52bf08259c3b50058232132d  squid.initd
 7292661de344e8a87d855c83afce49511685d2680effab3afab110e45144c0117935f3bf73ab893c9e6d43f7fb5ba013635e24f6da6daf0eeb895ef2e9b5baa9  squid.confd
 89a703fa4f21b6c7c26e64a46fd52407e20f00c34146ade0bea0c4b63d050117c0f8e218f2256a1fbf6abb84f4ec9b0472c9a4092ff6e78f07c4f5a25d0892a5  squid.logrotate
+057216d04a15aefdbcfdd5fd4e00d260baaceca132c7cf53635274b28920c3318cafa91f113b2efe7b941416969ec020d15ee8c100e40a7d9435e5d5cbe9fea8  CVE-2022-41318.patch
 "
--- a/main/squid/CVE-2022-41318.patch
+++ b/main/squid/CVE-2022-41318.patch
@ -0,0 +1,39 @@
+Patch-source: http://www.squid-cache.org/Versions/v5/SQUID-2022_2.patch
+commit 8eca72c14f94e8591b0d40bd6210ec68d1e54c46
+Author: Amos Jeffries <yadij@users.noreply.github.com>
+Date:   2022-08-09 23:34:54 +0000
+
+    Bug 3193 pt2: NTLM decoder truncating strings (#1114)
+    
+    The initial bug fix overlooked large 'offset' causing integer
+    wrap to extract a too-short length string.
+    
+    Improve debugs and checks sequence to clarify cases and ensure
+    that all are handled correctly.
+
+diff --git a/lib/ntlmauth/ntlmauth.cc b/lib/ntlmauth/ntlmauth.cc
+index b3df6b18e..dac8a7ecb 100644
+--- a/lib/ntlmauth/ntlmauth.cc
+++ b/lib/ntlmauth/ntlmauth.cc
+@@ -108,10 +108,19 @@ ntlm_fetch_string(const ntlmhdr *packet, const int32_t packet_size, const strhdr
+     int32_t o = le32toh(str->offset);
+     // debug("ntlm_fetch_string(plength=%d,l=%d,o=%d)\n",packet_size,l,o);
+ 
+-    if (l < 0 || l > NTLM_MAX_FIELD_LENGTH || o + l > packet_size || o == 0) {
+-        debug("ntlm_fetch_string: insane data (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o);
+    if (l < 0 || l > NTLM_MAX_FIELD_LENGTH) {
+        debug("ntlm_fetch_string: insane string length (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o);
+         return rv;
+     }
+    else if (o <= 0 || o > packet_size) {
+        debug("ntlm_fetch_string: insane string offset (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o);
+        return rv;
+    }
+    else if (l > packet_size - o) {
+        debug("ntlm_fetch_string: truncated string data (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o);
+        return rv;
+    }
+
+     rv.str = (char *)packet + o;
+     rv.l = 0;
+     if ((flags & NTLM_NEGOTIATE_ASCII) == 0) {