From 30480a569c20a4de0f37dd9a7b03471708b28440 Mon Sep 17 00:00:00 2001
From: Lubos Uhliarik <luhliari@redhat.com>
Date: Wed, 10 Jul 2019 12:46:09 +0200
Subject: [PATCH 1/2] Resolves: #1727745 - squid: CVe-2019-13345 squid: XSS via
 user_name or auth   parameter in cachemgr.cgi

---
 squid-4.4-CVE-2019-13345.patch | 64 ++++++++++++++++++++++++++++++++++
 squid.spec                     |  8 ++++-
 2 files changed, 71 insertions(+), 1 deletion(-)
 create mode 100644 squid-4.4-CVE-2019-13345.patch

diff --git a/squid-4.4-CVE-2019-13345.patch b/squid-4.4-CVE-2019-13345.patch
new file mode 100644
index 0000000..9a5754e
--- /dev/null
+++ b/squid-4.4-CVE-2019-13345.patch
@@ -0,0 +1,64 @@
+diff --git a/tools/cachemgr.cc b/tools/cachemgr.cc
+index 0c745c2..8a67eba 100644
+--- a/tools/cachemgr.cc
++++ b/tools/cachemgr.cc
+@@ -355,7 +355,7 @@ auth_html(const char *host, int port, const char *user_name)
+ 
+     printf("<TR><TH ALIGN=\"left\">Manager name:</TH><TD><INPUT NAME=\"user_name\" ");
+ 
+-    printf("size=\"30\" VALUE=\"%s\"></TD></TR>\n", user_name);
++    printf("size=\"30\" VALUE=\"%s\"></TD></TR>\n", rfc1738_escape(user_name));
+ 
+     printf("<TR><TH ALIGN=\"left\">Password:</TH><TD><INPUT TYPE=\"password\" NAME=\"passwd\" ");
+ 
+@@ -419,7 +419,7 @@ menu_url(cachemgr_request * req, const char *action)
+              script_name,
+              req->hostname,
+              req->port,
+-             safe_str(req->user_name),
++             rfc1738_escape(safe_str(req->user_name)),
+              action,
+              safe_str(req->pub_auth));
+     return url;
+@@ -1074,8 +1074,8 @@ make_pub_auth(cachemgr_request * req)
+     const int bufLen = snprintf(buf, sizeof(buf), "%s|%d|%s|%s",
+                                 req->hostname,
+                                 (int) now,
+-                                req->user_name ? req->user_name : "",
+-                                req->passwd);
++                                rfc1738_escape(safe_str(req->user_name)),
++                                rfc1738_escape(req->passwd));
+     debug("cmgr: pre-encoded for pub: %s\n", buf);
+ 
+     const int encodedLen = base64_encode_len(bufLen);
+@@ -1094,8 +1094,6 @@ decode_pub_auth(cachemgr_request * req)
+     char *buf;
+     const char *host_name;
+     const char *time_str;
+-    const char *user_name;
+-    const char *passwd;
+ 
+     debug("cmgr: decoding pub: '%s'\n", safe_str(req->pub_auth));
+     safe_free(req->passwd);
+@@ -1131,17 +1129,21 @@ decode_pub_auth(cachemgr_request * req)
+ 
+     debug("cmgr: decoded time: '%s' (now: %d)\n", time_str, (int) now);
+ 
++    char *user_name;
+     if ((user_name = strtok(NULL, "|")) == NULL) {
+         xfree(buf);
+         return;
+     }
++    rfc1738_unescape(user_name);
+ 
+     debug("cmgr: decoded uname: '%s'\n", user_name);
+ 
++    char *passwd;
+     if ((passwd = strtok(NULL, "|")) == NULL) {
+         xfree(buf);
+         return;
+     }
++    rfc1738_unescape(passwd);
+ 
+     debug("cmgr: decoded passwd: '%s'\n", passwd);
+ 
diff --git a/squid.spec b/squid.spec
index a621de9..c8286b6 100644
--- a/squid.spec
+++ b/squid.spec
@@ -2,7 +2,7 @@
 
 Name:     squid
 Version:  4.4
-Release:  1%{?dist}
+Release:  2%{?dist}
 Summary:  The Squid proxy caching server
 Epoch:    7
 # See CREDITS for breakdown of non GPLv2+ code
@@ -32,6 +32,7 @@ Patch202: squid-3.1.0.9-location.patch
 Patch203: squid-3.0.STABLE1-perlpath.patch
 Patch204: squid-3.5.9-include-guards.patch
 Patch205: squid-4.0.21-large-acl.patch
+Patch206: squid-4.4-CVE-2019-13345.patch
 
 Requires: bash >= 2.0
 Requires(pre): shadow-utils
@@ -87,6 +88,7 @@ lookup program (dnsserver), a program for retrieving FTP data
 %patch203 -p1 -b .perlpath
 %patch204 -p0 -b .include-guards
 %patch205 -p1 -b .large_acl
+%patch206 -p1 -b .cve13345
 
 %build
 # cppunit-config patch changes configure.ac
@@ -289,6 +291,10 @@ fi
 
 
 %changelog
+* Wed Jul 10 2019 Lubos Uhliarik <luhliari@redhat.com> - 7:4.4-2
+- Resolves: #1727745 - squid: CVe-2019-13345 squid: XSS via user_name or auth 
+  parameter in cachemgr.cgi 
+
 * Mon Dec 10 2018 Lubos Uhliarik <luhliari@redhat.com> - 7:4.4-1
 - new version 4.4
 

From 797591396560ecf719bb1d317dc4a8aea511feb4 Mon Sep 17 00:00:00 2001
From: Lubos Uhliarik <luhliari@redhat.com>
Date: Mon, 5 Aug 2019 14:00:27 +0200
Subject: [PATCH 2/2] Resolves: #1737030 - depend on httpd-filesystem

---
 squid.spec | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/squid.spec b/squid.spec
index b18e3c0..148a276 100644
--- a/squid.spec
+++ b/squid.spec
@@ -2,7 +2,7 @@
 
 Name:     squid
 Version:  4.8
-Release:  1%{?dist}
+Release:  2%{?dist}
 Summary:  The Squid proxy caching server
 Epoch:    7
 # See CREDITS for breakdown of non GPLv2+ code
@@ -34,6 +34,8 @@ Patch204: squid-3.5.9-include-guards.patch
 Patch205: squid-4.0.21-large-acl.patch
 
 Requires: bash >= 2.0
+# for httpd conf file - cachemgr script alias
+Requires: httpd-filesystem
 Requires(pre): shadow-utils
 Requires(post): systemd
 Requires(preun): systemd
@@ -284,6 +286,9 @@ fi
 
 
 %changelog
+* Mon Aug 05 2019 Lubos Uhliarik <luhliari@redhat.com> - 7:4.8-2
+- Resolves: #1737030 - depend on httpd-filesystem
+
 * Wed Jul 10 2019 Lubos Uhliarik <luhliari@redhat.com> - 7:4.8-1
 - new version 4.8
 - Resolves: #1727745 - squid: CVe-2019-13345 squid: XSS via user_name or auth