diff mbox series

[meta-networking,kirkstone,3/6] squid: patch CVE-2022-41318

Message ID 20251021183204.269102-3-skandigraun@gmail.com
State New
Headers show
Series [meta-networking,kirkstone,1/6] squid: patch CVE-2021-46784 | expand

Commit Message

Gyorgy Sarvari Oct. 21, 2025, 6:32 p.m. UTC 
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-41318

Pick the v4 patch referenced in the nvd report.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
 .../squid/files/CVE-2022-41318.patch          | 45 +++++++++++++++++++
 .../recipes-daemons/squid/squid_4.15.bb       |  1 +
 2 files changed, 46 insertions(+)
 create mode 100644 meta-networking/recipes-daemons/squid/files/CVE-2022-41318.patch
diff mbox series

Patch

diff --git a/meta-networking/recipes-daemons/squid/files/CVE-2022-41318.patch b/meta-networking/recipes-daemons/squid/files/CVE-2022-41318.patch
new file mode 100644
index 0000000000..c1cf699d05
--- /dev/null
+++ b/meta-networking/recipes-daemons/squid/files/CVE-2022-41318.patch
@@ -0,0 +1,45 @@ 
+From 36a55f44abe5ee0387d83663397e7fe111e21fa4 Mon Sep 17 00:00:00 2001
+From: Amos Jeffries <yadij@users.noreply.github.com>
+Date: Tue, 9 Aug 2022 23:34:54 +0000
+Subject: [PATCH] Bug 3193 pt2: NTLM decoder truncating strings (#1114)
+
+The initial bug fix overlooked large 'offset' causing integer
+wrap to extract a too-short length string.
+
+Improve debugs and checks sequence to clarify cases and ensure
+that all are handled correctly.
+
+CVE: CVE-2022-41318
+Upstream-Status: Backport [https://github.com/squid-cache/squid/commit/4031c6c2b004190fdffbc19dab7cd0305a2025b7]
+
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ lib/ntlmauth/ntlmauth.cc | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/lib/ntlmauth/ntlmauth.cc b/lib/ntlmauth/ntlmauth.cc
+index 5d96372..f00fd51 100644
+--- a/lib/ntlmauth/ntlmauth.cc
++++ b/lib/ntlmauth/ntlmauth.cc
+@@ -107,10 +107,19 @@ ntlm_fetch_string(const ntlmhdr *packet, const int32_t packet_size, const strhdr
+     int32_t o = le32toh(str->offset);
+     // debug("ntlm_fetch_string(plength=%d,l=%d,o=%d)\n",packet_size,l,o);
+ 
+-    if (l < 0 || l > NTLM_MAX_FIELD_LENGTH || o + l > packet_size || o == 0) {
+-        debug("ntlm_fetch_string: insane data (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o);
++    if (l < 0 || l > NTLM_MAX_FIELD_LENGTH) {
++        debug("ntlm_fetch_string: insane string length (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o);
+         return rv;
+     }
++    else if (o <= 0 || o > packet_size) {
++        debug("ntlm_fetch_string: insane string offset (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o);
++        return rv;
++    }
++    else if (l > packet_size - o) {
++        debug("ntlm_fetch_string: truncated string data (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o);
++        return rv;
++    }
++
+     rv.str = (char *)packet + o;
+     rv.l = 0;
+     if ((flags & NTLM_NEGOTIATE_ASCII) == 0) {
diff --git a/meta-networking/recipes-daemons/squid/squid_4.15.bb b/meta-networking/recipes-daemons/squid/squid_4.15.bb
index 4cb21187fc..9ac420d579 100644
--- a/meta-networking/recipes-daemons/squid/squid_4.15.bb
+++ b/meta-networking/recipes-daemons/squid/squid_4.15.bb
@@ -35,6 +35,7 @@  SRC_URI = "http://www.squid-cache.org/Versions/v${MAJ_VER}/${BPN}-${PV}.tar.bz2
            file://CVE-2023-5824.patch \
            file://CVE-2021-46784.patch \
            file://CVE-2022-41317.patch \
+           file://CVE-2022-41318.patch \
            "
 
 SRC_URI:remove:toolchain-clang = "file://0001-configure-Check-for-Wno-error-format-truncation-comp.patch"