From 4de467fd03f1f4e3a170c2670eebf42713c93c5b Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Nov 08 2023 10:10:22 +0000
Subject: import squid-3.5.20-17.el7_9.9


---

diff --git a/SOURCES/squid-3.5.20-CVE-2023-46847.patch b/SOURCES/squid-3.5.20-CVE-2023-46847.patch
new file mode 100644
index 0000000..1789442
--- /dev/null
+++ b/SOURCES/squid-3.5.20-CVE-2023-46847.patch
@@ -0,0 +1,23 @@
+diff --git a/src/auth/digest/Config.cc b/src/auth/digest/Config.cc
+index 1008ca6..274a20c 100644
+--- a/src/auth/digest/Config.cc
++++ b/src/auth/digest/Config.cc
+@@ -839,11 +839,15 @@ Auth::Digest::Config::decode(char const *proxy_auth, const char *aRequestRealm)
+             break;
+ 
+         case DIGEST_NC:
+-            if (value.size() != 8) {
++            if (value.size() == 8) {
++                // for historical reasons, the nc value MUST be exactly 8 bytes
++                static_assert(sizeof(digest_request->nc) == 8 + 1, "bad nc buffer size");
++                xstrncpy(digest_request->nc, value.rawBuf(), value.size() + 1);
++                debugs(29, 9, "Found noncecount '" << digest_request->nc << "'");
++            } else {
+                 debugs(29, 9, "Invalid nc '" << value << "' in '" << temp << "'");
++                digest_request->nc[0] = 0;
+             }
+-            xstrncpy(digest_request->nc, value.rawBuf(), value.size() + 1);
+-            debugs(29, 9, "Found noncecount '" << digest_request->nc << "'");
+             break;
+ 
+         case DIGEST_CNONCE:
diff --git a/SPECS/squid.spec b/SPECS/squid.spec
index ba6345c..ef5ea47 100644
--- a/SPECS/squid.spec
+++ b/SPECS/squid.spec
@@ -4,7 +4,7 @@
 
 Name:     squid
 Version:  3.5.20
-Release:  17%{?dist}.8
+Release:  17%{?dist}.9
 Summary:  The Squid proxy caching server
 Epoch:    7
 # See CREDITS for breakdown of non GPLv2+ code
@@ -92,6 +92,8 @@ Patch512: squid-3.5.20-CVE-2020-25097.patch
 Patch513: squid-3.5.20-CVE-2021-46784.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2129771
 Patch514: squid-3.5.20-CVE-2022-41318.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2245916
+Patch515: squid-3.5.20-CVE-2023-46847.patch
 
 Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 Requires: bash >= 2.0
@@ -194,6 +196,7 @@ migration and script which prepares squid for downgrade operation.
 %patch512 -p1 -b .CVE-2020-25097
 %patch513 -p1 -b .CVE-2021-46784
 %patch514 -p1 -b .CVE-2022-41318
+%patch515 -p1 -b .CVE-2023-46847
 
 # https://bugzilla.redhat.com/show_bug.cgi?id=1471140
 # Patch in the vendor documentation and used different location for documentation
@@ -423,6 +426,10 @@ fi
     chgrp squid /var/cache/samba/winbindd_privileged >/dev/null 2>&1 || :
 
 %changelog
+* Wed Nov 01 2023 Stepan Broz <sbroz@redhat.com> - 7:3.5.20-17.9
+- Resolves: RHEL-14789 - squid: Denial of Service in HTTP Digest Authentication
+  (CVE-2023-46847)
+
 * Wed Sep 28 2022 Luboš Uhliarik <luhliari@redhat.com> - 7:3.5.20-17.8
 - Resolves: #2130254 - CVE-2022-41318 squid: buffer-over-read in SSPI and SMB
   authentication