From a950f6cdffb1d12fab8c25798f901b9c8844893f Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Oct 05 2022 12:10:16 +0000
Subject: import squid-3.5.20-17.el7_9.8
---
diff --git a/SOURCES/squid-3.5.20-CVE-2022-41318.patch b/SOURCES/squid-3.5.20-CVE-2022-41318.patch
new file mode 100644
index 0000000..e298364
--- /dev/null
+++ b/SOURCES/squid-3.5.20-CVE-2022-41318.patch
@@ -0,0 +1,26 @@
+diff --git a/lib/ntlmauth/ntlmauth.cc b/lib/ntlmauth/ntlmauth.cc
+index 2703187..753dac6 100644
+--- a/lib/ntlmauth/ntlmauth.cc
++++ b/lib/ntlmauth/ntlmauth.cc
+@@ -106,10 +106,19 @@ ntlm_fetch_string(const ntlmhdr *packet, const int32_t packet_size, const strhdr
+ int32_t o = le32toh(str->offset);
+ // debug("ntlm_fetch_string(plength=%d,l=%d,o=%d)\n",packet_size,l,o);
+
+- if (l < 0 || l > NTLM_MAX_FIELD_LENGTH || o + l > packet_size || o == 0) {
+- debug("ntlm_fetch_string: insane data (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o);
++ if (l < 0 || l > NTLM_MAX_FIELD_LENGTH) {
++ debug("ntlm_fetch_string: insane string length (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o);
+ return rv;
+ }
++ else if (o <= 0 || o > packet_size) {
++ debug("ntlm_fetch_string: insane string offset (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o);
++ return rv;
++ }
++ else if (l > packet_size - o) {
++ debug("ntlm_fetch_string: truncated string data (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o);
++ return rv;
++ }
++
+ rv.str = (char *)packet + o;
+ rv.l = 0;
+ if ((flags & NTLM_NEGOTIATE_ASCII) == 0) {
diff --git a/SPECS/squid.spec b/SPECS/squid.spec
index 8cfc397..ba6345c 100644
--- a/SPECS/squid.spec
+++ b/SPECS/squid.spec
@@ -4,7 +4,7 @@
 
 Name: squid
 Version: 3.5.20
-Release: 17%{?dist}.7
+Release: 17%{?dist}.8
 Summary: The Squid proxy caching server
 Epoch: 7
 # See CREDITS for breakdown of non GPLv2+ code
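Review bot: In the ntlm_fetch_string hunk of squid-3.5.20-CVE-2022-41318.patch, the third check `l > packet_size - o` carries no comment explaining why it subtracts instead of using the old `o + l > packet_size` form. Since `o` comes straight from `le32toh(str->offset)` in the packet, the sum could presumably overflow `int32_t`, and that reason is worth recording. A comment above the check such as `// subtract rather than add: o + l can overflow int32_t for a hostile offset` would keep a later cleanup from merging the branches back into the overflow-prone expression. The subtraction is only safe because the preceding branch has already established `0 < o <= packet_size`, so the same comment should say that the order of the three branches matters. The function body continues past the end of the hunk, so how `l` is consumed in the non-ASCII branch cannot be checked from here.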
@@ -90,6 +90,8 @@ Patch511: squid-3.5.20-CVE-2020-15811.patch
 Patch512: squid-3.5.20-CVE-2020-25097.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2100721
 Patch513: squid-3.5.20-CVE-2021-46784.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2129771
+Patch514: squid-3.5.20-CVE-2022-41318.patch
 
 Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 Requires: bash >= 2.0
@@ -191,6 +193,7 @@ migration and script which prepares squid for downgrade operation.
 %patch511 -p1 -b .CVE-2020-15811
 %patch512 -p1 -b .CVE-2020-25097
 %patch513 -p1 -b .CVE-2021-46784
+%patch514 -p1 -b .CVE-2022-41318
 
 # https://bugzilla.redhat.com/show_bug.cgi?id=1471140
 # Patch in the vendor documentation and used different location for documentation
@@ -420,6 +423,10 @@ fi
 chgrp squid /var/cache/samba/winbindd_privileged >/dev/null 2>&1 || :
 
 %changelog
+* Wed Sep 28 2022 Luboš Uhliarik - 7:3.5.20-17.8
+- Resolves: #2130254 - CVE-2022-41318 squid: buffer-over-read in SSPI and SMB
+ authentication
+
 * Tue Jun 28 2022 Luboš Uhliarik - 7:3.5.20-17.7
 - Resolves: #2100778 - CVE-2021-46784 squid: DoS when processing gopher server responses