packages/squid
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!77 [sync] PR-72: fix CVE-2022-41318

Browse Source 
From: @openeuler-sync-bot 
Reviewed-by: @zengwefeng 
Signed-off-by: @zengwefeng
This commit is contained in:
openeuler-ci-bot 2022-09-27 09:34:58 +00:00 committed by Gitee
commit 1ff3a992e7
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 48 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
backport-CVE-2022-41318.patch Normal file
View File

@ -0,0 +1,40 @@
From 4031c6c2b004190fdffbc19dab7cd0305a2025b7 Mon Sep 17 00:00:00 2001
From: Amos Jeffries <yadij@users.noreply.github.com>
Date: Tue, 9 Aug 2022 23:34:54 +0000
Subject: [PATCH] Bug 3193 pt2: NTLM decoder truncating strings (#1114)
The initial bug fix overlooked large 'offset' causing integer
wrap to extract a too-short length string.
Improve debugs and checks sequence to clarify cases and ensure
that all are handled correctly.
---
lib/ntlmauth/ntlmauth.cc | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/lib/ntlmauth/ntlmauth.cc b/lib/ntlmauth/ntlmauth.cc
index 5d96372906d..f00fd51f83f 100644
--- a/lib/ntlmauth/ntlmauth.cc
+++ b/lib/ntlmauth/ntlmauth.cc
@@ -107,10 +107,19 @@ ntlm_fetch_string(const ntlmhdr *packet, const int32_t packet_size, const strhdr
int32_t o = le32toh(str->offset);
// debug("ntlm_fetch_string(plength=%d,l=%d,o=%d)\n",packet_size,l,o);
- if (l < 0 || l > NTLM_MAX_FIELD_LENGTH || o + l > packet_size || o == 0) {
- debug("ntlm_fetch_string: insane data (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o);
+ if (l < 0 || l > NTLM_MAX_FIELD_LENGTH) {
+ debug("ntlm_fetch_string: insane string length (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o);
return rv;
}
+ else if (o <= 0 || o > packet_size) {
+ debug("ntlm_fetch_string: insane string offset (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o);
+ return rv;
+ }
+ else if (l > packet_size - o) {
+ debug("ntlm_fetch_string: truncated string data (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o);
+ return rv;
+ }
+
rv.str = (char *)packet + o;
rv.l = 0;
if ((flags & NTLM_NEGOTIATE_ASCII) == 0) {

9
squid.spec
View File

@ -2,7 +2,7 @@
Name: squid
Version: 4.9
Release: 15
Release: 16
Summary: The Squid proxy caching server
Epoch: 7
License: GPLv2+ and (LGPLv2+ and MIT and BSD and Public Domain)
@ -45,6 +45,7 @@ Patch24:squid-add-TrivialDB-support-223.patch
Patch25:backport-CVE-2021-28116.patch
Patch26:backport-CVE-2021-46784.patch
Patch27:backport-CVE-2022-41317.patch
Patch28:backport-CVE-2022-41318.patch
Buildroot: %{_tmppath}/squid-4.9-1-root-%(%{__id_u} -n)
Requires: bash >= 2.0
@ -239,6 +240,12 @@ fi
chgrp squid /var/cache/samba/winbindd_privileged >/dev/null 2>&1 || :
%changelog
* Tue Sep 27 2022 gaihuiying <eaglegai@163.com> - 7:4.9-16
- Type:cves
- ID:CVE-2022-41318
- SUG:NA
- DESC:fix CVE-2022-41318
* Sat Sep 24 2022 gaihuiying <eaglegai@163.com> - 7:4.9-15
- Type:cves
- ID:CVE-2022-41317