squid/backport-CVE-2023-46847.patch

From dc0e10bec3334053c1a5297e50dd7052ea18aef0 Mon Sep 17 00:00:00 2001
From: Alex Bason <nonsleepr@gmail.com>
Date: Sun, 15 Oct 2023 13:04:47 +0000
Subject: [PATCH] Fix stack buffer overflow when parsing Digest Authorization
 (#1517)

The bug was discovered and detailed by Joshua Rogers at
https://megamansec.github.io/Squid-Security-Audit/digest-overflow.html
where it was filed as "Stack Buffer Overflow in Digest Authentication".

Reference:http://www.squid-cache.org/Versions/v6/SQUID-2023_3.patch
Conflict:NA
---
 src/auth/digest/Config.cc | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/src/auth/digest/Config.cc b/src/auth/digest/Config.cc
index f00e2ba68..3c070d242 100644
--- a/src/auth/digest/Config.cc
+++ b/src/auth/digest/Config.cc
@@ -827,11 +827,15 @@ Auth::Digest::Config::decode(char const *proxy_auth, const HttpRequest *request,
             break;
 
         case DIGEST_NC:
-            if (value.size() != 8) {
+            if (value.size() == 8) {
+                // for historical reasons, the nc value MUST be exactly 8 bytes
+                static_assert(sizeof(digest_request->nc) == 8 + 1);
+                xstrncpy(digest_request->nc, value.rawBuf(), value.size() + 1);
+                debugs(29, 9, "Found noncecount '" << digest_request->nc << "'");
+            } else {
                 debugs(29, 9, "Invalid nc '" << value << "' in '" << temp << "'");
+                digest_request->nc[0] = 0;
             }
-            xstrncpy(digest_request->nc, value.rawBuf(), value.size() + 1);
-            debugs(29, 9, "Found noncecount '" << digest_request->nc << "'");
             break;
 
         case DIGEST_CNONCE:
-- 
2.25.1
fix CVE-2023-5824 CVE-2023-46846 CVE-2023-46847 CVE-2023-46848 2023-10-31 16:16:03 +08:00			`From dc0e10bec3334053c1a5297e50dd7052ea18aef0 Mon Sep 17 00:00:00 2001`
			`From: Alex Bason <nonsleepr@gmail.com>`
			`Date: Sun, 15 Oct 2023 13:04:47 +0000`
			`Subject: [PATCH] Fix stack buffer overflow when parsing Digest Authorization`
			`(#1517)`

			`The bug was discovered and detailed by Joshua Rogers at`
			`https://megamansec.github.io/Squid-Security-Audit/digest-overflow.html`
			`where it was filed as "Stack Buffer Overflow in Digest Authentication".`

			`Reference:http://www.squid-cache.org/Versions/v6/SQUID-2023_3.patch`
			`Conflict:NA`
			`---`
			`src/auth/digest/Config.cc \| 10 +++++++---`
			`1 file changed, 7 insertions(+), 3 deletions(-)`

			`diff --git a/src/auth/digest/Config.cc b/src/auth/digest/Config.cc`
			`index f00e2ba68..3c070d242 100644`
			`--- a/src/auth/digest/Config.cc`
			`+++ b/src/auth/digest/Config.cc`
			`@@ -827,11 +827,15 @@ Auth::Digest::Config::decode(char const proxy_auth, const HttpRequest request,`
			`break;`

			`case DIGEST_NC:`
			`- if (value.size() != 8) {`
			`+ if (value.size() == 8) {`
			`+ // for historical reasons, the nc value MUST be exactly 8 bytes`
			`+ static_assert(sizeof(digest_request->nc) == 8 + 1);`
			`+ xstrncpy(digest_request->nc, value.rawBuf(), value.size() + 1);`
			`+ debugs(29, 9, "Found noncecount '" << digest_request->nc << "'");`
			`+ } else {`
			`debugs(29, 9, "Invalid nc '" << value << "' in '" << temp << "'");`
			`+ digest_request->nc[0] = 0;`
			`}`
			`- xstrncpy(digest_request->nc, value.rawBuf(), value.size() + 1);`
			`- debugs(29, 9, "Found noncecount '" << digest_request->nc << "'");`
			`break;`

			`case DIGEST_CNONCE:`
			`--`
			`2.25.1`