new file mode 100644
@@ -0,0 +1,133 @@
+From 0cfe0d3efe438658ac3b1eeac44bdc07836a1649 Mon Sep 17 00:00:00 2001
+From: Joshua Rogers <MegaManSec@users.noreply.github.com>
+Date: Mon, 18 Apr 2022 13:42:36 +0000
+Subject: [PATCH] Improve handling of Gopher responses (#1022)
+
+CVE: CVE-2021-46784
+Upstream-Status: Backport [https://github.com/squid-cache/squid/commit/780c4ea1b4c9d2fb41f6962aa6ed73ae57f74b2b]
+
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ src/gopher.cc | 45 ++++++++++++++++++++-------------------------
+ 1 file changed, 20 insertions(+), 25 deletions(-)
+
+diff --git a/src/gopher.cc b/src/gopher.cc
+index 169b0e1..6187da1 100644
+--- a/src/gopher.cc
++++ b/src/gopher.cc
+@@ -371,7 +371,6 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
+ char *lpos = NULL;
+ char *tline = NULL;
+ LOCAL_ARRAY(char, line, TEMP_BUF_SIZE);
+- LOCAL_ARRAY(char, tmpbuf, TEMP_BUF_SIZE);
+ char *name = NULL;
+ char *selector = NULL;
+ char *host = NULL;
+@@ -381,7 +380,6 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
+ char gtype;
+ StoreEntry *entry = NULL;
+
+- memset(tmpbuf, '\0', TEMP_BUF_SIZE);
+ memset(line, '\0', TEMP_BUF_SIZE);
+
+ entry = gopherState->entry;
+@@ -416,7 +414,7 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
+ return;
+ }
+
+- String outbuf;
++ SBuf outbuf;
+
+ if (!gopherState->HTML_header_added) {
+ if (gopherState->conversion == GopherStateData::HTML_CSO_RESULT)
+@@ -583,34 +581,34 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
+ break;
+ }
+
+- memset(tmpbuf, '\0', TEMP_BUF_SIZE);
+-
+ if ((gtype == GOPHER_TELNET) || (gtype == GOPHER_3270)) {
+ if (strlen(escaped_selector) != 0)
+- snprintf(tmpbuf, TEMP_BUF_SIZE, "<IMG border=\"0\" SRC=\"%s\"> <A HREF=\"telnet://%s@%s%s%s/\">%s</A>\n",
+- icon_url, escaped_selector, rfc1738_escape_part(host),
+- *port ? ":" : "", port, html_quote(name));
++ outbuf.appendf("<IMG border=\"0\" SRC=\"%s\"> <A HREF=\"telnet://%s@%s%s%s/\">%s</A>\n",
++ icon_url, escaped_selector, rfc1738_escape_part(host),
++ *port ? ":" : "", port, html_quote(name));
+ else
+- snprintf(tmpbuf, TEMP_BUF_SIZE, "<IMG border=\"0\" SRC=\"%s\"> <A HREF=\"telnet://%s%s%s/\">%s</A>\n",
+- icon_url, rfc1738_escape_part(host), *port ? ":" : "",
+- port, html_quote(name));
++ outbuf.appendf("<IMG border=\"0\" SRC=\"%s\"> <A HREF=\"telnet://%s%s%s/\">%s</A>\n",
++ icon_url, rfc1738_escape_part(host), *port ? ":" : "",
++ port, html_quote(name));
+
+ } else if (gtype == GOPHER_INFO) {
+- snprintf(tmpbuf, TEMP_BUF_SIZE, "\t%s\n", html_quote(name));
++ outbuf.appendf("\t%s\n", html_quote(name));
+ } else {
+ if (strncmp(selector, "GET /", 5) == 0) {
+ /* WWW link */
+- snprintf(tmpbuf, TEMP_BUF_SIZE, "<IMG border=\"0\" SRC=\"%s\"> <A HREF=\"http://%s/%s\">%s</A>\n",
+- icon_url, host, rfc1738_escape_unescaped(selector + 5), html_quote(name));
++ outbuf.appendf("<IMG border=\"0\" SRC=\"%s\"> <A HREF=\"http://%s/%s\">%s</A>\n",
++ icon_url, host, rfc1738_escape_unescaped(selector + 5), html_quote(name));
++ } else if (gtype == GOPHER_WWW) {
++ outbuf.appendf("<IMG border=\"0\" SRC=\"%s\"> <A HREF=\"gopher://%s/%c%s\">%s</A>\n",
++ icon_url, rfc1738_escape_unescaped(selector), html_quote(name));
+ } else {
+ /* Standard link */
+- snprintf(tmpbuf, TEMP_BUF_SIZE, "<IMG border=\"0\" SRC=\"%s\"> <A HREF=\"gopher://%s/%c%s\">%s</A>\n",
+- icon_url, host, gtype, escaped_selector, html_quote(name));
++ outbuf.appendf("<IMG border=\"0\" SRC=\"%s\"> <A HREF=\"gopher://%s/%c%s\">%s</A>\n",
++ icon_url, host, gtype, escaped_selector, html_quote(name));
+ }
+ }
+
+ safe_free(escaped_selector);
+- outbuf.append(tmpbuf);
+ } else {
+ memset(line, '\0', TEMP_BUF_SIZE);
+ continue;
+@@ -643,13 +641,12 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
+ break;
+
+ if (gopherState->cso_recno != recno) {
+- snprintf(tmpbuf, TEMP_BUF_SIZE, "</PRE><HR noshade size=\"1px\"><H2>Record# %d<br><i>%s</i></H2>\n<PRE>", recno, html_quote(result));
++ outbuf.appendf("</PRE><HR noshade size=\"1px\"><H2>Record# %d<br><i>%s</i></H2>\n<PRE>", recno, html_quote(result));
+ gopherState->cso_recno = recno;
+ } else {
+- snprintf(tmpbuf, TEMP_BUF_SIZE, "%s\n", html_quote(result));
++ outbuf.appendf("%s\n", html_quote(result));
+ }
+
+- outbuf.append(tmpbuf);
+ break;
+ } else {
+ int code;
+@@ -677,8 +674,7 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
+
+ case 502: { /* Too Many Matches */
+ /* Print the message the server returns */
+- snprintf(tmpbuf, TEMP_BUF_SIZE, "</PRE><HR noshade size=\"1px\"><H2>%s</H2>\n<PRE>", html_quote(result));
+- outbuf.append(tmpbuf);
++ outbuf.appendf("</PRE><HR noshade size=\"1px\"><H2>%s</H2>\n<PRE>", html_quote(result));
+ break;
+ }
+
+@@ -694,13 +690,12 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
+
+ } /* while loop */
+
+- if (outbuf.size() > 0) {
+- entry->append(outbuf.rawBuf(), outbuf.size());
++ if (outbuf.length() > 0) {
++ entry->append(outbuf.rawContent(), outbuf.length());
+ /* now let start sending stuff to client */
+ entry->flush();
+ }
+
+- outbuf.clean();
+ return;
+ }
+
@@ -33,6 +33,7 @@ SRC_URI = "http://www.squid-cache.org/Versions/v${MAJ_VER}/${BPN}-${PV}.tar.bz2
file://CVE-2023-49286.patch \
file://CVE-2023-50269.patch \
file://CVE-2023-5824.patch \
+ file://CVE-2021-46784.patch \
"
SRC_URI:remove:toolchain-clang = "file://0001-configure-Check-for-Wno-error-format-truncation-comp.patch"
Details: https://nvd.nist.gov/vuln/detail/CVE-2021-46784 Pick the backported patch from v4 branch, that referenced the same PR[1] that the patch[2] from the nvd report refers to. [1]: https://github.com/squid-cache/squid/pull/1022 [2]: https://github.com/squid-cache/squid/commit/5e2ea2b13bd98f53e29964ca26bb0d602a8a12b9 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> --- .../squid/files/CVE-2021-46784.patch | 133 ++++++++++++++++++ .../recipes-daemons/squid/squid_4.15.bb | 1 + 2 files changed, 134 insertions(+) create mode 100644 meta-networking/recipes-daemons/squid/files/CVE-2021-46784.patch