From d6ed65db3d42d48b6a4082a322295a2a21f93803 Mon Sep 17 00:00:00 2001 From: yinyongkang Date: Wed, 26 Jun 2024 09:02:48 +0800 Subject: [PATCH] fix CVE-2024-37894 (cherry picked from commit 2aba3ac85aeaa86ac8a2a3d42201abcac31e9854) --- backport-CVE-2024-37894.patch | 25 +++++++++++++++++++++++++ squid.spec | 9 ++++++++- 2 files changed, 33 insertions(+), 1 deletion(-) create mode 100644 backport-CVE-2024-37894.patch diff --git a/backport-CVE-2024-37894.patch b/backport-CVE-2024-37894.patch new file mode 100644 index 0000000..92d6a73 --- /dev/null +++ b/backport-CVE-2024-37894.patch @@ -0,0 +1,25 @@ +From f411fe7d75197852f0e5ee85027a06d58dd8df4c Mon Sep 17 00:00:00 2001 +From: Francesco Chemolli +Date: Sun, 2 Jun 2024 16:41:08 +0200 +Subject: [PATCH] Force downcast in TrieNode::add + +--- + lib/libTrie/TrieNode.cc | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/libTrie/TrieNode.cc b/lib/libTrie/TrieNode.cc +index 0f991a0..d417e0f 100644 +--- a/lib/libTrie/TrieNode.cc ++++ b/lib/libTrie/TrieNode.cc +@@ -32,7 +32,7 @@ TrieNode::add(char const *aString, size_t theLength, void *privatedata, TrieChar + /* We trust that privatedata and existent keys have already been checked */ + + if (theLength) { +- int index = transform ? (*transform)(*aString): *aString; ++ const unsigned char index = transform ? (*transform)(*aString): *aString; + + if (!internal[index]) + internal[index] = new TrieNode; +-- +2.41.0 + diff --git a/squid.spec b/squid.spec index d9b8615..bc11b3b 100644 --- a/squid.spec +++ b/squid.spec @@ -2,7 +2,7 @@ Name: squid Version: 6.6 -Release: 2 +Release: 3 Summary: The Squid proxy caching server Epoch: 7 License: GPLv2+ and (LGPLv2+ and MIT and BSD and Public Domain) 
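Review bot: In the embedded TrieNode.cc hunk, the new `const unsigned char index = transform ? (*transform)(*aString): *aString;` keeps the subscript non-negative only through an implicit narrowing conversion, so the "Force downcast" named in the subject is not visible in the code itself. I would make the cast explicit, `const auto index = static_cast<unsigned char>(transform ? (*transform)(*aString) : *aString);`, and add a one-line comment such as `// char may be signed: index internal[] by byte value, never by a negative int`. The fix is also only complete if `internal` holds at least 256 entries, which this hunk does not show; a `static_assert` next to the array declaration would pin that, and any lookup routine in the same class that derives its subscript from `*aString` should be confirmed to use the same unsigned type. TrieNode::add starts and ends outside the hunk, so the rest of its body is not reviewed here.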
@@ -23,6 +23,7 @@ Patch2: squid-3.0.STABLE1-perlpath.patch Patch3: backport-squid-6.1-symlink-lang-err.patch Patch4: backport-squid-crash-half-closed.patch Patch5: backport-CVE-2024-25111.patch +Patch6: backport-CVE-2024-37894.patch Requires: bash Requires: httpd-filesystem @@ -245,6 +246,12 @@ fi chgrp squid /var/cache/samba/winbindd_privileged >/dev/null 2>&1 || : %changelog +* Wed Jun 26 2024 yinyongkang - 7:6.6-3 +- Type:cves +- ID:CVE-2024-37894 +- SUG:NA +- DESC:fix CVE-2024-37894 + * Thu Mar 07 2024 xinghe - 7:6.6-2 - Type:cves - ID:CVE-2024-25111 -- Gitee