- CVE-2024-33427.patch: fixes possible buffer overread leading to

denial of service (bsc#1225417, CVE-2024-33427)

OBS-URL: https://build.opensuse.org/package/show/server:proxy/squid?expand=0&rev=297

CVE-2024-33427.patch

@@ -0,0 +1,13 @@
+Index: squid-6.9/src/ConfigParser.cc
+===================================================================
+--- squid-6.9.orig/src/ConfigParser.cc
++++ squid-6.9/src/ConfigParser.cc
+@@ -181,7 +181,7 @@ ConfigParser::UnQuote(const char *token,
+     *d = '\0';
+ 
+     // We are expecting a separator after quoted string, space or one of "()#"
+-    if (*(s + 1) != '\0' && !strchr(w_space "()#", *(s + 1)) && !errorStr) {
++    if (!errorStr && *(s + 1) != '\0' && !strchr(w_space "()#", *(s + 1))) {
+         errorStr = "Expecting space after the end of quoted token";
+         errorPos = token;
+     }

squid.changes

@@ -12,6 +12,8 @@ Tue May 28 08:39:49 UTC 2024 - Adam Majer <adam.majer@suse.de>
 
 - header_fixups.patch: upstreamed, removed
 - 9be86d8db5e8f40829374d26334d0bb5272c1afd.patch: upstreamed, removed
+- CVE-2024-33427.patch: fixes possible buffer overread leading to
+  denial of service (bsc#1225417, CVE-2024-33427)
 
 -------------------------------------------------------------------
 Wed Mar  6 12:02:14 UTC 2024 - Adam Majer <adam.majer@suse.de>

squid.spec

@@ -51,6 +51,7 @@ Source17:       tmpfilesdir.squid.conf
 Patch1:         missing_installs.patch
 Patch2:         old_nettle_compat.patch
 Patch3:         harden_squid.service.patch
+Patch4:         CVE-2024-33427.patch
 BuildRequires:  cppunit-devel
 BuildRequires:  expat
 BuildRequires:  fdupes
@@ -107,6 +108,7 @@ accelerator.
 %setup -q
 cp %{SOURCE10} .
 %patch -P 3 -p1
+%patch -P 4 -p1
 
 # upstream patches after RELEASE
 perl -p -i -e 's|%{_prefix}/local/bin/perl|%{_bindir}/perl|' `find -name "*.pl"`