From 88538325a3d9de243bfebcf48f5cd386ac777681 Mon Sep 17 00:00:00 2001
From: eaglegai
Date: Tue, 27 Sep 2022 05:51:49 +0000
Subject: [PATCH] fix CVE-2022-41318
(cherry picked from commit 94441c561b441ed67ec14f5c19bf35f66563e5de)
---
 backport-CVE-2022-41318.patch | 40 +++++++++++++++++++++++++++++++++++
 squid.spec | 9 +++++++-
 2 files changed, 48 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2022-41318.patch
diff --git a/backport-CVE-2022-41318.patch b/backport-CVE-2022-41318.patch
new file mode 100644
index 0000000..facc001
--- /dev/null
+++ b/backport-CVE-2022-41318.patch
@@ -0,0 +1,40 @@
+From 4031c6c2b004190fdffbc19dab7cd0305a2025b7 Mon Sep 17 00:00:00 2001
+From: Amos Jeffries
+Date: Tue, 9 Aug 2022 23:34:54 +0000
+Subject: [PATCH] Bug 3193 pt2: NTLM decoder truncating strings (#1114)
+
+The initial bug fix overlooked large 'offset' causing integer
+wrap to extract a too-short length string.
+
+Improve debugs and checks sequence to clarify cases and ensure
+that all are handled correctly.
+---
+ lib/ntlmauth/ntlmauth.cc | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/lib/ntlmauth/ntlmauth.cc b/lib/ntlmauth/ntlmauth.cc
+index 5d96372906d..f00fd51f83f 100644
+--- a/lib/ntlmauth/ntlmauth.cc
++++ b/lib/ntlmauth/ntlmauth.cc
+@@ -107,10 +107,19 @@ ntlm_fetch_string(const ntlmhdr *packet, const int32_t packet_size, const strhdr
+ int32_t o = le32toh(str->offset);
+ // debug("ntlm_fetch_string(plength=%d,l=%d,o=%d)\n",packet_size,l,o);
+
+- if (l < 0 || l > NTLM_MAX_FIELD_LENGTH || o + l > packet_size || o == 0) {
+- debug("ntlm_fetch_string: insane data (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o);
++ if (l < 0 || l > NTLM_MAX_FIELD_LENGTH) {
++ debug("ntlm_fetch_string: insane string length (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o);
+ return rv;
+ }
++ else if (o <= 0 || o > packet_size) {
++ debug("ntlm_fetch_string: insane string offset (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o);
++ return rv;
++ }
++ else if (l > packet_size - o) {
++ debug("ntlm_fetch_string: truncated string data (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o);
++ return rv;
++ }
++
+ rv.str = (char *)packet + o;
+ rv.l = 0;
+ if ((flags & NTLM_NEGOTIATE_ASCII) == 0) {
diff --git a/squid.spec b/squid.spec
index e11ab4e..ec5cce8 100644
--- a/squid.spec
+++ b/squid.spec
@@ -2,7 +2,7 @@ Name: squid
 Version: 4.9
-Release: 15
+Release: 16
 Summary: The Squid proxy caching server
 Epoch: 7
 License: GPLv2+ and (LGPLv2+ and MIT and BSD and Public Domain)
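Review bot: The new `else if (l > packet_size - o)` guard is free of integer wrap only because the branch before it has already pinned `o` to `(0, packet_size]`, so the order of the three guards is load-bearing and deserves a comment on the third one, e.g. `// o is in (0, packet_size] here, so packet_size - o cannot underflow`. The guards also admit `o == packet_size` together with `l == 0`, which leaves `rv.str` pointing one past the end of the packet; that is only safe if the UTF-16/ASCII handling that begins at the hunk's last visible line and the callers never read through `rv.str` when `rv.l` is 0, which should be confirmed against the 4.9 tree. The upstream message describes this as a follow-up to an earlier Bug 3193 fix, so the backport applies cleanly only if that first fix is already in the sources the spec patches; the diff does not show it, so a `%prep` run should be checked before the Release bump is taken as verified. ntlm_fetch_string's signature and the rest of its body lie outside the hunk.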
@@ -45,6 +45,7 @@ Patch24:squid-add-TrivialDB-support-223.patch
 Patch25:backport-CVE-2021-28116.patch
 Patch26:backport-CVE-2021-46784.patch
 Patch27:backport-CVE-2022-41317.patch
+Patch28:backport-CVE-2022-41318.patch
 Buildroot: %{_tmppath}/squid-4.9-1-root-%(%{__id_u} -n)
 Requires: bash >= 2.0
@@ -239,6 +240,12 @@ fi
 chgrp squid /var/cache/samba/winbindd_privileged >/dev/null 2>&1 || :
 %changelog
+* Tue Sep 27 2022 gaihuiying - 7:4.9-16
+- Type:cves
+- ID:CVE-2022-41318
+- SUG:NA
+- DESC:fix CVE-2022-41318
+
 * Sat Sep 24 2022 gaihuiying - 7:4.9-15
 - Type:cves
 - ID:CVE-2022-41317
-- Gitee