diff --git a/SOURCES/squid-3.5.20-CVE-2021-46784.patch b/SOURCES/squid-3.5.20-CVE-2021-46784.patch
new file mode 100644
index 0000000..2389414
--- /dev/null
+++ b/SOURCES/squid-3.5.20-CVE-2021-46784.patch
@@ -0,0 +1,129 @@
+From 780c4ea1b4c9d2fb41f6962aa6ed73ae57f74b2b Mon Sep 17 00:00:00 2001
+From: Joshua Rogers <MegaManSec@users.noreply.github.com>
+Date: Mon, 18 Apr 2022 13:42:36 +0000
+Subject: [PATCH] Improve handling of Gopher responses (#1022)
+
+---
+ src/gopher.cc | 45 ++++++++++++++++++++-------------------------
+ 1 file changed, 20 insertions(+), 25 deletions(-)
+
+diff --git a/src/gopher.cc b/src/gopher.cc
+index 6d4ab1e..07acdba 100644
+--- a/src/gopher.cc
++++ b/src/gopher.cc
+@@ -365,7 +365,6 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
+ char *lpos = NULL;
+ char *tline = NULL;
+ LOCAL_ARRAY(char, line, TEMP_BUF_SIZE);
+- LOCAL_ARRAY(char, tmpbuf, TEMP_BUF_SIZE);
+ char *name = NULL;
+ char *selector = NULL;
+ char *host = NULL;
+@@ -375,7 +374,6 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
+ char gtype;
+ StoreEntry *entry = NULL;
+
+- memset(tmpbuf, '\0', TEMP_BUF_SIZE);
+ memset(line, '\0', TEMP_BUF_SIZE);
+
+ entry = gopherState->entry;
+@@ -410,7 +408,7 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
+ return;
+ }
+
+- String outbuf;
++ SBuf outbuf;
+
+ if (!gopherState->HTML_header_added) {
+ if (gopherState->conversion == gopher_ds::HTML_CSO_RESULT)
+@@ -577,34 +575,34 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
+ break;
+ }
+
+- memset(tmpbuf, '\0', TEMP_BUF_SIZE);
+-
+ if ((gtype == GOPHER_TELNET) || (gtype == GOPHER_3270)) {
+ if (strlen(escaped_selector) != 0)
+- snprintf(tmpbuf, TEMP_BUF_SIZE, "<IMG border=\"0\" SRC=\"%s\"> <A HREF=\"telnet://%s@%s%s%s/\">%s</A>\n",
+- icon_url, escaped_selector, rfc1738_escape_part(host),
+- *port ? ":" : "", port, html_quote(name));
++ outbuf.appendf("<IMG border=\"0\" SRC=\"%s\"> <A HREF=\"telnet://%s@%s%s%s/\">%s</A>\n",
++ icon_url, escaped_selector, rfc1738_escape_part(host),
++ *port ? ":" : "", port, html_quote(name));
+ else
+- snprintf(tmpbuf, TEMP_BUF_SIZE, "<IMG border=\"0\" SRC=\"%s\"> <A HREF=\"telnet://%s%s%s/\">%s</A>\n",
+- icon_url, rfc1738_escape_part(host), *port ? ":" : "",
+- port, html_quote(name));
++ outbuf.appendf("<IMG border=\"0\" SRC=\"%s\"> <A HREF=\"telnet://%s%s%s/\">%s</A>\n",
++ icon_url, rfc1738_escape_part(host), *port ? ":" : "",
++ port, html_quote(name));
+
+ } else if (gtype == GOPHER_INFO) {
+- snprintf(tmpbuf, TEMP_BUF_SIZE, "\t%s\n", html_quote(name));
++ outbuf.appendf("\t%s\n", html_quote(name));
+ } else {
+ if (strncmp(selector, "GET /", 5) == 0) {
+ /* WWW link */
+- snprintf(tmpbuf, TEMP_BUF_SIZE, "<IMG border=\"0\" SRC=\"%s\"> <A HREF=\"http://%s/%s\">%s</A>\n",
+- icon_url, host, rfc1738_escape_unescaped(selector + 5), html_quote(name));
++ outbuf.appendf("<IMG border=\"0\" SRC=\"%s\"> <A HREF=\"http://%s/%s\">%s</A>\n",
++ icon_url, host, rfc1738_escape_unescaped(selector + 5), html_quote(name));
++ } else if (gtype == GOPHER_WWW) {
++ outbuf.appendf("<IMG border=\"0\" SRC=\"%s\"> <A HREF=\"gopher://%s/%c%s\">%s</A>\n",
++ icon_url, rfc1738_escape_unescaped(selector), html_quote(name));
+ } else {
+ /* Standard link */
+- snprintf(tmpbuf, TEMP_BUF_SIZE, "<IMG border=\"0\" SRC=\"%s\"> <A HREF=\"gopher://%s/%c%s\">%s</A>\n",
+- icon_url, host, gtype, escaped_selector, html_quote(name));
++ outbuf.appendf("<IMG border=\"0\" SRC=\"%s\"> <A HREF=\"gopher://%s/%c%s\">%s</A>\n",
++ icon_url, host, gtype, escaped_selector, html_quote(name));
+ }
+ }
+
+ safe_free(escaped_selector);
+- outbuf.append(tmpbuf);
+ } else {
+ memset(line, '\0', TEMP_BUF_SIZE);
+ continue;
+@@ -637,13 +635,12 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
+ break;
+
+ if (gopherState->cso_recno != recno) {
+- snprintf(tmpbuf, TEMP_BUF_SIZE, "</PRE><HR noshade size=\"1px\"><H2>Record# %d<br><i>%s</i></H2>\n<PRE>", recno, html_quote(result));
++ outbuf.appendf("</PRE><HR noshade size=\"1px\"><H2>Record# %d<br><i>%s</i></H2>\n<PRE>", recno, html_quote(result));
+ gopherState->cso_recno = recno;
+ } else {
+- snprintf(tmpbuf, TEMP_BUF_SIZE, "%s\n", html_quote(result));
++ outbuf.appendf("%s\n", html_quote(result));
+ }
+
+- outbuf.append(tmpbuf);
+ break;
+ } else {
+ int code;
+@@ -671,8 +668,7 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
+
+ case 502: { /* Too Many Matches */
+ /* Print the message the server returns */
+- snprintf(tmpbuf, TEMP_BUF_SIZE, "</PRE><HR noshade size=\"1px\"><H2>%s</H2>\n<PRE>", html_quote(result));
+- outbuf.append(tmpbuf);
++ outbuf.appendf("</PRE><HR noshade size=\"1px\"><H2>%s</H2>\n<PRE>", html_quote(result));
+ break;
+ }
+
+@@ -688,13 +684,12 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
+
+ } /* while loop */
+
+- if (outbuf.size() > 0) {
+- entry->append(outbuf.rawBuf(), outbuf.size());
++ if (outbuf.length() > 0) {
++ entry->append(outbuf.rawContent(), outbuf.length());
+ /* now let start sending stuff to client */
+ entry->flush();
+ }
+
+- outbuf.clean();
+ return;
+ }
+
diff --git a/SPECS/squid.spec b/SPECS/squid.spec
index 2396ec9..8cfc397 100644
--- a/SPECS/squid.spec
+++ b/SPECS/squid.spec
@@ -4,7 +4,7 @@ Name: squid Version: 3.5.20 -Release: 17%{?dist}.6 +Release: 17%{?dist}.7 Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code
@@ -88,6 +88,8 @@ Patch510: squid-3.5.20-CVE-2020-15810.patch Patch511: squid-3.5.20-CVE-2020-15811.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1939925 Patch512: squid-3.5.20-CVE-2020-25097.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2100721 +Patch513: squid-3.5.20-CVE-2021-46784.patch Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) Requires: bash >= 2.0
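Review bot: In the added `GOPHER_WWW` branch (inner hunk `@@ -577,34 +575,34 @@` of the new patch file) the format string given to `outbuf.appendf` has five conversions (`%s`, `%s`, `%c`, `%s`, `%s`) but only three arguments follow: `icon_url`, `rfc1738_escape_unescaped(selector)` and `html_quote(name)`. The call therefore consumes variadic arguments that were never passed, which is undefined behaviour on a path whose input comes from the remote Gopher server's response. Format and arguments have to agree: either pass the missing values, `icon_url, host, gtype, rfc1738_escape_unescaped(selector), html_quote(name));`, or, if the selector is meant to be the whole link target for this item type, reduce the format to `<A HREF=\"%s\">%s</A>`; which one is intended cannot be told from the hunk. If `appendf` carries a printf-format attribute, building with `-Wformat` would flag this line. gopherToHTML starts and ends outside these hunks.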
@@ -188,6 +190,7 @@ migration and script which prepares squid for downgrade operation. %patch510 -p1 -b .CVE-2020-15810 %patch511 -p1 -b .CVE-2020-15811 %patch512 -p1 -b .CVE-2020-25097 +%patch513 -p1 -b .CVE-2021-46784 # https://bugzilla.redhat.com/show_bug.cgi?id=1471140 # Patch in the vendor documentation and used different location for documentation
@@ -417,6 +420,10 @@ fi chgrp squid /var/cache/samba/winbindd_privileged >/dev/null 2>&1 || : %changelog +* Tue Jun 28 2022 Luboš Uhliarik <luhliari@redhat.com> - 7:3.5.20-17.7 +- Resolves: #2100778 - CVE-2021-46784 squid: DoS when processing gopher server + responses + * Wed Mar 31 2021 Lubos Uhliarik <luhliari@redhat.com> - 7:3.5.20-17.6 - Resolves: #1944256 - CVE-2020-25097 squid: improper input validation may allow a trusted client to perform HTTP Request Smuggling