diff --git a/SOURCES/squid-3.5.20-CVE-2021-46784.patch b/SOURCES/squid-3.5.20-CVE-2021-46784.patch new file mode 100644 index 0000000..2389414 --- /dev/null +++ b/SOURCES/squid-3.5.20-CVE-2021-46784.patch @@ -0,0 +1,129 @@ +From 780c4ea1b4c9d2fb41f6962aa6ed73ae57f74b2b Mon Sep 17 00:00:00 2001 +From: Joshua Rogers +Date: Mon, 18 Apr 2022 13:42:36 +0000 +Subject: [PATCH] Improve handling of Gopher responses (#1022) + +--- + src/gopher.cc | 45 ++++++++++++++++++++------------------------- + 1 file changed, 20 insertions(+), 25 deletions(-) + +diff --git a/src/gopher.cc b/src/gopher.cc +index 6d4ab1e..07acdba 100644 +--- a/src/gopher.cc ++++ b/src/gopher.cc +@@ -365,7 +365,6 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len) + char *lpos = NULL; + char *tline = NULL; + LOCAL_ARRAY(char, line, TEMP_BUF_SIZE); +- LOCAL_ARRAY(char, tmpbuf, TEMP_BUF_SIZE); + char *name = NULL; + char *selector = NULL; + char *host = NULL; +@@ -375,7 +374,6 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len) + char gtype; + StoreEntry *entry = NULL; + +- memset(tmpbuf, '\0', TEMP_BUF_SIZE); + memset(line, '\0', TEMP_BUF_SIZE); + + entry = gopherState->entry; +@@ -410,7 +408,7 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len) + return; + } + +- String outbuf; ++ SBuf outbuf; + + if (!gopherState->HTML_header_added) { + if (gopherState->conversion == gopher_ds::HTML_CSO_RESULT) +@@ -577,34 +575,34 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len) + break; + } + +- memset(tmpbuf, '\0', TEMP_BUF_SIZE); +- + if ((gtype == GOPHER_TELNET) || (gtype == GOPHER_3270)) { + if (strlen(escaped_selector) != 0) +- snprintf(tmpbuf, TEMP_BUF_SIZE, " %s\n", +- icon_url, escaped_selector, rfc1738_escape_part(host), +- *port ? ":" : "", port, html_quote(name)); ++ outbuf.appendf(" %s\n", ++ icon_url, escaped_selector, rfc1738_escape_part(host), ++ *port ? ":" : "", port, html_quote(name)); + else +- snprintf(tmpbuf, TEMP_BUF_SIZE, " %s\n", +- icon_url, rfc1738_escape_part(host), *port ? ":" : "", +- port, html_quote(name)); ++ outbuf.appendf(" %s\n", ++ icon_url, rfc1738_escape_part(host), *port ? ":" : "", ++ port, html_quote(name)); + + } else if (gtype == GOPHER_INFO) { +- snprintf(tmpbuf, TEMP_BUF_SIZE, "\t%s\n", html_quote(name)); ++ outbuf.appendf("\t%s\n", html_quote(name)); + } else { + if (strncmp(selector, "GET /", 5) == 0) { + /* WWW link */ +- snprintf(tmpbuf, TEMP_BUF_SIZE, " %s\n", +- icon_url, host, rfc1738_escape_unescaped(selector + 5), html_quote(name)); ++ outbuf.appendf(" %s\n", ++ icon_url, host, rfc1738_escape_unescaped(selector + 5), html_quote(name)); ++ } else if (gtype == GOPHER_WWW) { ++ outbuf.appendf(" %s\n", ++ icon_url, rfc1738_escape_unescaped(selector), html_quote(name)); + } else { + /* Standard link */ +- snprintf(tmpbuf, TEMP_BUF_SIZE, " %s\n", +- icon_url, host, gtype, escaped_selector, html_quote(name)); ++ outbuf.appendf(" %s\n", ++ icon_url, host, gtype, escaped_selector, html_quote(name)); + } + } + + safe_free(escaped_selector); +- outbuf.append(tmpbuf); + } else { + memset(line, '\0', TEMP_BUF_SIZE); + continue; +@@ -637,13 +635,12 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len) + break; + + if (gopherState->cso_recno != recno) { +- snprintf(tmpbuf, TEMP_BUF_SIZE, "

Record# %d
%s

\n
", recno, html_quote(result));
++                    outbuf.appendf("

Record# %d
%s

\n
", recno, html_quote(result));
+                     gopherState->cso_recno = recno;
+                 } else {
+-                    snprintf(tmpbuf, TEMP_BUF_SIZE, "%s\n", html_quote(result));
++                    outbuf.appendf("%s\n", html_quote(result));
+                 }
+ 
+-                outbuf.append(tmpbuf);
+                 break;
+             } else {
+                 int code;
+@@ -671,8 +668,7 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
+ 
+                 case 502: { /* Too Many Matches */
+                     /* Print the message the server returns */
+-                    snprintf(tmpbuf, TEMP_BUF_SIZE, "

%s

\n
", html_quote(result));
+-                    outbuf.append(tmpbuf);
++                    outbuf.appendf("

%s

\n
", html_quote(result));
+                     break;
+                 }
+ 
+@@ -688,13 +684,12 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
+ 
+     }               /* while loop */
+ 
+-    if (outbuf.size() > 0) {
+-        entry->append(outbuf.rawBuf(), outbuf.size());
++    if (outbuf.length() > 0) {
++        entry->append(outbuf.rawContent(), outbuf.length());
+         /* now let start sending stuff to client */
+         entry->flush();
+     }
+ 
+-    outbuf.clean();
+     return;
+ }
+ 
diff --git a/SPECS/squid.spec b/SPECS/squid.spec
index 2396ec9..8cfc397 100644
--- a/SPECS/squid.spec
+++ b/SPECS/squid.spec
@@ -4,7 +4,7 @@
 
 Name:     squid
 Version:  3.5.20
-Release:  17%{?dist}.6
+Release:  17%{?dist}.7
 Summary:  The Squid proxy caching server
 Epoch:    7
 # See CREDITS for breakdown of non GPLv2+ code
@@ -88,6 +88,8 @@ Patch510: squid-3.5.20-CVE-2020-15810.patch
 Patch511: squid-3.5.20-CVE-2020-15811.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1939925
 Patch512: squid-3.5.20-CVE-2020-25097.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2100721
+Patch513: squid-3.5.20-CVE-2021-46784.patch
 
 Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 Requires: bash >= 2.0
@@ -188,6 +190,7 @@ migration and script which prepares squid for downgrade operation.
 %patch510 -p1 -b .CVE-2020-15810
 %patch511 -p1 -b .CVE-2020-15811
 %patch512 -p1 -b .CVE-2020-25097
+%patch513 -p1 -b .CVE-2021-46784
 
 # https://bugzilla.redhat.com/show_bug.cgi?id=1471140
 # Patch in the vendor documentation and used different location for documentation
@@ -417,6 +420,10 @@ fi
     chgrp squid /var/cache/samba/winbindd_privileged >/dev/null 2>&1 || :
 
 %changelog
+* Tue Jun 28 2022 Luboš Uhliarik  - 7:3.5.20-17.7
+- Resolves: #2100778 - CVE-2021-46784 squid: DoS when processing gopher server
+  responses
+
 * Wed Mar 31 2021 Lubos Uhliarik  - 7:3.5.20-17.6
 - Resolves: #1944256 - CVE-2020-25097 squid: improper input validation may allow
   a trusted client to perform HTTP Request Smuggling