From 15d476e3f561d6d4f79062aa845c1b4a48ec46ce Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?=
Date: Mon, 7 Nov 2022 17:57:07 +0100
Subject: [PATCH] Resolves: #2130253 - CVE-2022-41318 squid: buffer-over-read in SSPI and SMB authentication

---
 squid-5.5-CVE-2022-41318.patch | 38 ++++++++++++++++++++++++++++++++++
 squid.spec | 9 +++++++-
 2 files changed, 46 insertions(+), 1 deletion(-)
 create mode 100644 squid-5.5-CVE-2022-41318.patch

diff --git a/squid-5.5-CVE-2022-41318.patch b/squid-5.5-CVE-2022-41318.patch
new file mode 100644
index 0000000..cb303ad
--- /dev/null
+++ b/squid-5.5-CVE-2022-41318.patch
@@ -0,0 +1,38 @@
+commit 4031c6c2b004190fdffbc19dab7cd0305a2025b7 (refs/remotes/origin/v4, refs/remotes/github/v4, refs/heads/v4)
+Author: Amos Jeffries
+Date: 2022-08-09 23:34:54 +0000
+
+ Bug 3193 pt2: NTLM decoder truncating strings (#1114)
+
+ The initial bug fix overlooked large 'offset' causing integer
+ wrap to extract a too-short length string.
+
+ Improve debugs and checks sequence to clarify cases and ensure
+ that all are handled correctly.
+
+diff --git a/lib/ntlmauth/ntlmauth.cc b/lib/ntlmauth/ntlmauth.cc
+index 5d9637290..f00fd51f8 100644
+--- a/lib/ntlmauth/ntlmauth.cc
++++ b/lib/ntlmauth/ntlmauth.cc
+@@ -107,10 +107,19 @@ ntlm_fetch_string(const ntlmhdr *packet, const int32_t packet_size, const strhdr
+ int32_t o = le32toh(str->offset);
+ // debug("ntlm_fetch_string(plength=%d,l=%d,o=%d)\n",packet_size,l,o);
+
+- if (l < 0 || l > NTLM_MAX_FIELD_LENGTH || o + l > packet_size || o == 0) {
+- debug("ntlm_fetch_string: insane data (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o);
++ if (l < 0 || l > NTLM_MAX_FIELD_LENGTH) {
++ debug("ntlm_fetch_string: insane string length (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o);
+ return rv;
+ }
++ else if (o <= 0 || o > packet_size) {
++ debug("ntlm_fetch_string: insane string offset (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o);
++ return rv;
++ }
++ else if (l > packet_size - o) {
++ debug("ntlm_fetch_string: truncated string data (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o);
++ return rv;
++ }
++
+ rv.str = (char *)packet + o;
+ rv.l = 0;
+ if ((flags & NTLM_NEGOTIATE_ASCII) == 0) {
diff --git a/squid.spec b/squid.spec
index 6a230c0..6c7297b 100644
--- a/squid.spec
+++ b/squid.spec
@@ -2,7 +2,7 @@ Name: squid
 Version: 5.5
-Release: 2%{?dist}
+Release: 3%{?dist}
 Summary: The Squid proxy caching server
 Epoch: 7
 # See CREDITS for breakdown of non GPLv2+ code
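Review bot: The new `l > packet_size - o` guard is free of integer wrap only because the branch just before it has already established `0 < o <= packet_size`, and nothing in the code records that dependency, so a later reorder or loosening of the offset check would silently reintroduce the wrap this fix addresses. A comment on that line, `// o is in (0, packet_size] here, so packet_size - o cannot underflow`, would pin the invariant for the next maintainer. The `else` on the second and third branches is also redundant after an unconditional `return rv;` and could be dropped so the three guards read as flat early returns. ntlm_fetch_string continues outside the hunk; the NTLM_NEGOTIATE_ASCII branch that consumes rv.str is not visible here.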
@@ -45,6 +45,8 @@ Patch208: squid-5.1-test-store-cppsuite.patch # Security patches # https://bugzilla.redhat.com/show_bug.cgi?id=2100721 Patch501: squid-5.5-CVE-2021-46784.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2129771 +Patch502: squid-5.5-CVE-2022-41318.patch # cache_swap.sh Requires: bash gawk @@ -120,6 +122,7 @@ lookup program (dnsserver), a program for retrieving FTP data %patch208 -p1 -b .test-store-cpp %patch501 -p1 -b .CVE-2021-46784 +%patch502 -p1 -b .CVE-2022-41318 # https://bugzilla.redhat.com/show_bug.cgi?id=1679526 # Patch in the vendor documentation and used different location for documentation @@ -351,6 +354,10 @@ fi %changelog +* Mon Nov 07 2022 Luboš Uhliarik - 7:5.5-3 +- Resolves: #2130253 - CVE-2022-41318 squid: buffer-over-read in SSPI and SMB + authentication + * Mon Jul 11 2022 Luboš Uhliarik - 7:5.5-2 - Resolves: #2100785 - CVE-2021-46784 squid: DoS when processing gopher server responses