import squid-4.15-3.module+el8.6.0+16749+7b6feaf0.2

This commit is contained in:
CentOS Sources 2022-10-04 10:30:29 -04:00 committed by Stepan Oksanichenko
parent e37193a02a
commit 74a0866cba
2 changed files with 46 additions and 1 deletions

View File

@ -0,0 +1,38 @@
commit 4031c6c2b004190fdffbc19dab7cd0305a2025b7 (refs/remotes/origin/v4, refs/remotes/github/v4, refs/heads/v4)
Author: Amos Jeffries <yadij@users.noreply.github.com>
Date: 2022-08-09 23:34:54 +0000
Bug 3193 pt2: NTLM decoder truncating strings (#1114)
The initial bug fix overlooked large 'offset' causing integer
wrap to extract a too-short length string.
Improve debugs and checks sequence to clarify cases and ensure
that all are handled correctly.
diff --git a/lib/ntlmauth/ntlmauth.cc b/lib/ntlmauth/ntlmauth.cc
index 5d9637290..f00fd51f8 100644
--- a/lib/ntlmauth/ntlmauth.cc
+++ b/lib/ntlmauth/ntlmauth.cc
@@ -107,10 +107,19 @@ ntlm_fetch_string(const ntlmhdr *packet, const int32_t packet_size, const strhdr
int32_t o = le32toh(str->offset);
// debug("ntlm_fetch_string(plength=%d,l=%d,o=%d)\n",packet_size,l,o);
- if (l < 0 || l > NTLM_MAX_FIELD_LENGTH || o + l > packet_size || o == 0) {
- debug("ntlm_fetch_string: insane data (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o);
+ if (l < 0 || l > NTLM_MAX_FIELD_LENGTH) {
+ debug("ntlm_fetch_string: insane string length (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o);
return rv;
}
+ else if (o <= 0 || o > packet_size) {
+ debug("ntlm_fetch_string: insane string offset (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o);
+ return rv;
+ }
+ else if (l > packet_size - o) {
+ debug("ntlm_fetch_string: truncated string data (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o);
+ return rv;
+ }
+
rv.str = (char *)packet + o;
rv.l = 0;
if ((flags & NTLM_NEGOTIATE_ASCII) == 0) {

View File

@ -2,7 +2,7 @@
Name: squid
Version: 4.15
Release: 3%{?dist}.1
Release: 3%{?dist}.2
Summary: The Squid proxy caching server
Epoch: 7
# See CREDITS for breakdown of non GPLv2+ code
@ -42,6 +42,8 @@ Patch209: squid-4.15-ftp-filename-extraction.patch
Patch300: squid-4.15-CVE-2021-28116.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2100721
Patch301: squid-4.15-CVE-2021-46784.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2129771
Patch302: squid-4.15-CVE-2022-41318.patch
Requires: bash >= 2.0
Requires(pre): shadow-utils
@ -106,6 +108,7 @@ lookup program (dnsserver), a program for retrieving FTP data
# Security patches
%patch300 -p1 -b .CVE-2021-28116
%patch301 -p1 -b .CVE-2021-46784
%patch302 -p1 -b .CVE-2022-41318
# https://bugzilla.redhat.com/show_bug.cgi?id=1679526
# Patch in the vendor documentation and used different location for documentation
@ -322,6 +325,10 @@ fi
%changelog
* Wed Sep 28 2022 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-3.2
- Resolves: #2130258 - CVE-2022-41318 squid:4/squid: buffer-over-read in SSPI and SMB
authentication
* Tue Jun 28 2022 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-3.1
- Resolves: #2100782 - CVE-2021-46784 squid:4/squid: DoS when processing gopher
server responses