From 5fbe9fa189b0756ffeee92ab988e602415f5370e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= <luhliari@redhat.com>
Date: Thu, 23 Oct 2025 14:45:32 +0200
Subject: [PATCH] Fix possible dangling reference

Resolves: RHEL-122484 - squid: Squid vulnerable to information disclosure via
authentication credential leakage in error handling (CVE-2025-62168)
---
 squid-4.15-CVE-2025-62168.patch | 10 +++++-----
 squid.spec                      |  4 ++--
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/squid-4.15-CVE-2025-62168.patch b/squid-4.15-CVE-2025-62168.patch
index f31a89d..4b78eb4 100644
--- a/squid-4.15-CVE-2025-62168.patch
+++ b/squid-4.15-CVE-2025-62168.patch
@@ -86,13 +86,13 @@ index fea5ecb..c7dc756 100644
      triggerInitialStoreRead();
      http->storeEntry()->releaseRequest();
      http->storeEntry()->buffer();
-+    MemBuf content;
-+    content.init();
-+    http->request->pack(&content, true /* hide authorization data */);
++    MemBuf *content = new MemBuf;
++    content->init();
++    http->request->pack(content, true /* hide authorization data */);
      HttpReply *rep = new HttpReply;
 -    rep->setHeaders(Http::scOkay, NULL, "text/plain", http->request->prefixLen(), 0, squid_curtime);
-+    rep->setHeaders(Http::scOkay, NULL, "message/http", content.contentSize(), 0, squid_curtime);
-+    rep->body.setMb(&content);
++    rep->setHeaders(Http::scOkay, NULL, "message/http", content->contentSize(), 0, squid_curtime);
++    rep->body.setMb(content);
      http->storeEntry()->replaceHttpReply(rep);
 -    http->request->swapOut(http->storeEntry());
      http->storeEntry()->complete();
diff --git a/squid.spec b/squid.spec
index c2d24a0..7e4f1f0 100644
--- a/squid.spec
+++ b/squid.spec
@@ -2,7 +2,7 @@
 
 Name:     squid
 Version:  4.15
-Release:  10%{?dist}.8
+Release:  10%{?dist}.9
 Summary:  The Squid proxy caching server
 Epoch:    7
 # See CREDITS for breakdown of non GPLv2+ code
@@ -378,7 +378,7 @@ fi
 
 
 %changelog
-* Mon Oct 20 2025 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-10.8
+* Mon Oct 20 2025 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-10.9
 - Resolves: RHEL-122484 - squid: Squid vulnerable to information disclosure via
   authentication credential leakage in error handling (CVE-2025-62168)