From bfb611d525b4cfe1a5e13e5ca78f472c25cfc204 Mon Sep 17 00:00:00 2001
From: Bo Liu <liubo03@inspur.com>
Date: Thu, 9 Nov 2023 13:55:51 +0800
Subject: [PATCH] Fix CVE-2023-46847

Signed-off-by: Bo Liu <liubo03@inspur.com>
---
 squid-4.15-CVE-2023-46847.patch | 47 +++++++++++++++++++++++++++++++++
 squid.spec                      |  4 +++
 2 files changed, 51 insertions(+)
 create mode 100644 squid-4.15-CVE-2023-46847.patch

diff --git a/squid-4.15-CVE-2023-46847.patch b/squid-4.15-CVE-2023-46847.patch
new file mode 100644
index 0000000..0d2e061
--- /dev/null
+++ b/squid-4.15-CVE-2023-46847.patch
@@ -0,0 +1,47 @@
+From 2208acd78dbca40f382bd929cdedf1c3a3c40982 Mon Sep 17 00:00:00 2001
+From: squidadm <squidadm@users.noreply.github.com>
+Date: Wed, 18 Oct 2023 04:50:56 +1300
+Subject: [PATCH] Fix stack buffer overflow when parsing Digest Authorization
+ (#1517)
+
+The bug was discovered and detailed by Joshua Rogers at
+https://megamansec.github.io/Squid-Security-Audit/digest-overflow.html
+where it was filed as "Stack Buffer Overflow in Digest Authentication".
+
+---------
+
+Co-authored-by: Alex Bason <nonsleepr@gmail.com>
+Co-authored-by: Amos Jeffries <yadij@users.noreply.github.com>
+
+Conflict:NA
+Reference:http://www.squid-cache.org/Versions/v5/SQUID-2023_3.patch
+---
+ src/auth/digest/Config.cc | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/src/auth/digest/Config.cc b/src/auth/digest/Config.cc
+index 6a9736f..0a883fa 100644
+--- a/src/auth/digest/Config.cc
++++ b/src/auth/digest/Config.cc
+@@ -847,11 +847,15 @@ Auth::Digest::Config::decode(char const *proxy_auth, const char *aRequestRealm)
+             break;
+ 
+         case DIGEST_NC:
+-            if (value.size() != 8) {
++            if (value.size() == 8) {
++                // for historical reasons, the nc value MUST be exactly 8 bytes
++                static_assert(sizeof(digest_request->nc) == 8 + 1, "bad nc buffer size");
++                xstrncpy(digest_request->nc, value.rawBuf(), value.size() + 1);
++                debugs(29, 9, "Found noncecount '" << digest_request->nc << "'");
++            } else {
+                 debugs(29, 9, "Invalid nc '" << value << "' in '" << temp << "'");
++                digest_request->nc[0] = 0;
+             }
+-            xstrncpy(digest_request->nc, value.rawBuf(), value.size() + 1);
+-            debugs(29, 9, "Found noncecount '" << digest_request->nc << "'");
+             break;
+ 
+         case DIGEST_CNONCE:
+-- 
+2.31.1
+
diff --git a/squid.spec b/squid.spec
index a9c02e4..826e140 100644
--- a/squid.spec
+++ b/squid.spec
@@ -50,6 +50,8 @@ Patch302: squid-4.15-CVE-2022-41318.patch
 Patch303: squid-4.15-0001-CVE-2023-46846.patch
 Patch304: squid-4.15-0002-CVE-2023-46846.patch
 Patch305: squid-4.15-0003-CVE-2023-46846.patch
+# Fix CVE-2023-46847
+Patch306: squid-4.15-CVE-2023-46847.patch
 
 
 Requires: bash >= 2.0
@@ -120,6 +122,7 @@ lookup program (dnsserver), a program for retrieving FTP data
 %patch303 -p1 -b .CVE-2023-46846
 %patch304 -p1 -b .CVE-2023-46846
 %patch305 -p1 -b .CVE-2023-46846
+%patch306 -p1 -b .CVE-2023-46847
 
 # https://bugzilla.redhat.com/show_bug.cgi?id=1679526
 # Patch in the vendor documentation and used different location for documentation
@@ -338,6 +341,7 @@ fi
 %changelog
 * Wed Nov  8 2023 Bo Liu <liubo03@inspur.com> - 4.15-7
 - Fix CVE-2023-46846 
+- Fix CVE-2023-46847
 
 * Thu Dec 08 2022 Tomas Korbar <tkorbar@redhat.com> - 4.15-6
 - Resolves: #2072988 - [RFE] Add the "IP_BIND_ADDRESS_NO_PORT"
-- 
Gitee