From 74a0866cba14acbce482f6306fa91029ed819b1c Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Tue, 4 Oct 2022 10:30:29 -0400
Subject: [PATCH] import squid-4.15-3.module+el8.6.0+16749+7b6feaf0.2
---
 SOURCES/squid-4.15-CVE-2022-41318.patch | 38 +++++++++++++++++++++++++
 SPECS/squid.spec | 9 +++++-
 2 files changed, 46 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/squid-4.15-CVE-2022-41318.patch
diff --git a/SOURCES/squid-4.15-CVE-2022-41318.patch b/SOURCES/squid-4.15-CVE-2022-41318.patch
new file mode 100644
index 0000000..cb303ad
--- /dev/null
+++ b/SOURCES/squid-4.15-CVE-2022-41318.patch
@@ -0,0 +1,38 @@
+commit 4031c6c2b004190fdffbc19dab7cd0305a2025b7 (refs/remotes/origin/v4, refs/remotes/github/v4, refs/heads/v4)
+Author: Amos Jeffries
+Date: 2022-08-09 23:34:54 +0000
+
+ Bug 3193 pt2: NTLM decoder truncating strings (#1114)
+
+ The initial bug fix overlooked large 'offset' causing integer
+ wrap to extract a too-short length string.
+
+ Improve debugs and checks sequence to clarify cases and ensure
+ that all are handled correctly.
+
+diff --git a/lib/ntlmauth/ntlmauth.cc b/lib/ntlmauth/ntlmauth.cc
+index 5d9637290..f00fd51f8 100644
+--- a/lib/ntlmauth/ntlmauth.cc
++++ b/lib/ntlmauth/ntlmauth.cc
+@@ -107,10 +107,19 @@ ntlm_fetch_string(const ntlmhdr *packet, const int32_t packet_size, const strhdr
+ int32_t o = le32toh(str->offset);
+ // debug("ntlm_fetch_string(plength=%d,l=%d,o=%d)\n",packet_size,l,o);
+
+- if (l < 0 || l > NTLM_MAX_FIELD_LENGTH || o + l > packet_size || o == 0) {
+- debug("ntlm_fetch_string: insane data (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o);
++ if (l < 0 || l > NTLM_MAX_FIELD_LENGTH) {
++ debug("ntlm_fetch_string: insane string length (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o);
+ return rv;
+ }
++ else if (o <= 0 || o > packet_size) {
++ debug("ntlm_fetch_string: insane string offset (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o);
++ return rv;
++ }
++ else if (l > packet_size - o) {
++ debug("ntlm_fetch_string: truncated string data (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o);
++ return rv;
++ }
++
+ rv.str = (char *)packet + o;
+ rv.l = 0;
+ if ((flags & NTLM_NEGOTIATE_ASCII) == 0) {
diff --git a/SPECS/squid.spec b/SPECS/squid.spec
index d17ddf1..ae833ec 100644
--- a/SPECS/squid.spec
+++ b/SPECS/squid.spec
@@ -2,7 +2,7 @@ Name: squid
 Version: 4.15
-Release: 3%{?dist}.1
+Release: 3%{?dist}.2
 Summary: The Squid proxy caching server
 Epoch: 7
 # See CREDITS for breakdown of non GPLv2+ code
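Review bot: The third guard `else if (l > packet_size - o) {` is only safe from underflow because the branch before it has already rejected `o <= 0 || o > packet_size`, and nothing in the code records that ordering dependency; a one-line comment such as `// o is in (0, packet_size] here, so packet_size - o is non-negative and cannot wrap` would protect it against a future reordering of the checks. Replacing the old `o + l > packet_size` with this subtraction is what removes the wrap described in the commit message, since a sum of two packet-derived signed values can overflow while the bounded subtraction cannot. The `else` after each unconditional `return rv;` is redundant and plain `if` guards would read more simply, though rewriting a vendored upstream patch is a judgment call for the packager. `ntlm_fetch_string` begins and ends outside this hunk, and the declaration of `l` is not visible, so its signedness is inferred from the `l < 0` test rather than seen.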
@@ -42,6 +42,8 @@ Patch209: squid-4.15-ftp-filename-extraction.patch
 Patch300: squid-4.15-CVE-2021-28116.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2100721
 Patch301: squid-4.15-CVE-2021-46784.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2129771
+Patch302: squid-4.15-CVE-2022-41318.patch
 Requires: bash >= 2.0
 Requires(pre): shadow-utils
@@ -106,6 +108,7 @@ lookup program (dnsserver), a program for retrieving FTP data
 # Security patches
 %patch300 -p1 -b .CVE-2021-28116
 %patch301 -p1 -b .CVE-2021-46784
+%patch302 -p1 -b .CVE-2022-41318
 # https://bugzilla.redhat.com/show_bug.cgi?id=1679526
 # Patch in the vendor documentation and used different location for documentation
@@ -322,6 +325,10 @@ fi
 %changelog
+* Wed Sep 28 2022 Luboš Uhliarik - 7:4.15-3.2
+- Resolves: #2130258 - CVE-2022-41318 squid:4/squid: buffer-over-read in SSPI and SMB
+ authentication
+
 * Tue Jun 28 2022 Luboš Uhliarik - 7:4.15-3.1
 - Resolves: #2100782 - CVE-2021-46784 squid:4/squid: DoS when processing gopher server responses