import squid-4.11-4.module+el8.4.0+10676+a969168e.2

2021-05-18 13:10:39 -04:00 · 2021-05-18 13:10:39 -04:00 · dacda54465
commit dacda54465
parent 32f4bda808
2 changed files with 68 additions and 1 deletions
--- a/SOURCES/squid-4.11-CVE-2020-25097.patch
+++ b/SOURCES/squid-4.11-CVE-2020-25097.patch
@ -0,0 +1,60 @@
 From dfd818595b54942cb1adc45f6aed95c9b706e3a8 Mon Sep 17 00:00:00 2001
 From: Amos Jeffries <yadij@users.noreply.github.com>
 Date: Fri, 4 Sep 2020 17:38:30 +1200
 Subject: [PATCH] Merge pull request from GHSA-jvf6-h9gj-pmj6
 * Add slash prefix to path-rootless or path-noscheme URLs
 * Update src/anyp/Uri.cc
 Co-authored-by: Alex Rousskov <rousskov@measurement-factory.com>
 * restore file trailer GH auto-removes
 * Remove redundant path-empty check
 * Removed stale comment left behind by b2ab59a
 Many things imply a leading `/` in a URI. Their enumeration is likely to
 (and did) become stale, misleading the reader.
 * fixup: Remind that the `src` iterator may be at its end
 We are dereferencing `src` without comparing it to `\0`.
 To many readers that (incorrectly) implies that we are not done iterating yet.
 Also fixed branch-added comment indentation.
 Co-authored-by: Alex Rousskov <rousskov@measurement-factory.com>
 ---
 src/anyp/Uri.cc | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)
 diff --git a/src/anyp/Uri.cc b/src/anyp/Uri.cc
 index b745c54..31f02d5 100644
 --- a/src/anyp/Uri.cc
 +++ b/src/anyp/Uri.cc
@@ -293,8 +293,9 @@ AnyP::Uri::parse(const HttpRequestMethod& method, const SBuf &rawUrl)
                 return false;
             *dst = '\0';
 -            // bug 3074: received 'path' starting with '?', '#', or '\0' implies '/'
 -            if (*src == '?' || *src == '#' || *src == '\0') {
 +            // We are looking at path-abempty.
 +            if (*src != '/') {
 +                // path-empty, including the end of the `src` c-string cases
                 urlpath[0] = '/';
                 dst = &urlpath[1];
             } else {
@@ -308,11 +309,6 @@ AnyP::Uri::parse(const HttpRequestMethod& method, const SBuf &rawUrl)
             /* We -could- be at the end of the buffer here */
             if (i > l)
                 return false;
 -            /* If the URL path is empty we set it to be "/" */
 -            if (dst == urlpath) {
 -                *dst = '/';
 -                ++dst;
 -            }
             *dst = '\0';
             foundPort = scheme.defaultPort(); // may be reset later
--- a/SPECS/squid.spec
+++ b/SPECS/squid.spec
@ -2,7 +2,7 @@
 Name:     squid
 Version:  4.11
-Release:  4%{?dist}
+Release:  4%{?dist}.2
 Summary:  The Squid proxy caching server
 Epoch:    7
 # See CREDITS for breakdown of non GPLv2+ code
@ -50,6 +50,8 @@ Patch502: squid-4.11-CVE-2020-24606.patch
 Patch503: squid-4.11-CVE-2020-15811.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1871700
 Patch504: squid-4.11-CVE-2020-15810.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1944260
 Patch505: squid-4.11-CVE-2020-25097.patch
 Requires: bash >= 2.0
@ -119,6 +121,7 @@ lookup program (dnsserver), a program for retrieving FTP data
 %patch502 -p1 -b .cve-2020-24606
 %patch503 -p1 -b .CVE-2020-15811
 %patch504 -p1 -b .CVE-2020-15810
 %patch505 -p1 -b .CVE-2020-25097
 # https://bugzilla.redhat.com/show_bug.cgi?id=1679526
 # Patch in the vendor documentation and used different location for documentation
@ -335,6 +338,10 @@ fi
 %changelog
 * Wed Mar 31 2021 Lubos Uhliarik <luhliari@redhat.com> - 7:4.11-4.2
 - Resolves: #1944260 - CVE-2020-25097 squid:4/squid: improper input validation
  may allow a trusted client to perform HTTP Request Smuggling
 * Mon Oct 26 2020 Lubos Uhliarik <luhliari@redhat.com> - 7:4.11-4
 - Resolves: #1890606 - Fix for CVE 2019-13345 breaks authentication in
  cachemgr.cgi