From a68b6c6153f841f40429877fb714fe15745d56fc Mon Sep 17 00:00:00 2001
From: xinghe
Date: Thu, 25 Jan 2024 08:32:59 +0000
Subject: [PATCH] fix CVE-2024-23638

(cherry picked from commit 1f611bd2e6d2756b6ff56dd35d811f4e0da7d87d)
---
 backport-CVE-2024-23638.patch | 36 +++++++++++++++++++++++++++++++++++
 squid.spec | 9 ++++++++-
 2 files changed, 44 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2024-23638.patch

diff --git a/backport-CVE-2024-23638.patch b/backport-CVE-2024-23638.patch
new file mode 100644
index 0000000..1291b51
--- /dev/null
+++ b/backport-CVE-2024-23638.patch
@@ -0,0 +1,36 @@
+From 5bede3305cabb9ac19babecf3ebaf64f43f7b53e Mon Sep 17 00:00:00 2001
+From: Alex Rousskov
+Date: Sun, 12 Nov 2023 09:33:20 +0000
+Subject: [PATCH] Do not update StoreEntry expiration after errorAppendEntry()
+ (#1580)
+
+errorAppendEntry() is responsible for setting entry expiration times,
+which it does by calling StoreEntry::storeErrorResponse() that calls
+StoreEntry::negativeCache().
+
+This change was triggered by a vulnerability report by Joshua Rogers at
+https://megamansec.github.io/Squid-Security-Audit/cache-uaf.html where
+it was filed as "Use-After-Free in Cache Manager Errors". The reported
+"use after free" vulnerability was unknowingly addressed by 2022 commit
+1fa761a that removed excessively long "reentrant" store_client calls
+responsible for the disappearance of the properly locked StoreEntry in
+this (and probably other) contexts.
+
+Conflict: context adapt
+Reference: https://github.com/squid-cache/squid/commit/5bede3305cabb9ac19babecf3ebaf64f43f7b53e
+---
+ src/cache_manager.cc | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/src/cache_manager.cc b/src/cache_manager.cc
+index b5a9cbecd33..08445a517a9 100644
+--- a/src/cache_manager.cc
++++ b/src/cache_manager.cc
+@@ -306,7 +306,6 @@ CacheManager::start(const Comm::ConnectionPointer &client, HttpRequest *request,
+ const auto err = new ErrorState(ERR_INVALID_URL, Http::scNotFound, request);
+ err->url = xstrdup(entry->url());
+ errorAppendEntry(entry, err);
+- entry->expires = squid_curtime;
+ return;
+ }
+ 
diff --git a/squid.spec b/squid.spec
index ecf99e3..a02011d 100644
--- a/squid.spec
+++ b/squid.spec
@@ -2,7 +2,7 @@ Name: squid
 Version: 4.9
-Release: 22
+Release: 23
 Summary: The Squid proxy caching server
 Epoch: 7
 License: GPLv2+ and (LGPLv2+ and MIT and BSD and Public Domain)
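Review bot: Nothing in the cache_manager.cc hunk records why the `entry->expires = squid_curtime;` assignment had to go, so a later merge could reintroduce an access to `entry` after `errorAppendEntry(entry, err);`. The patch description explains that errorAppendEntry() already sets the expiration through StoreEntry::storeErrorResponse()/negativeCache(), and that on a tree without upstream commit 1fa761a (which this 4.9 backport appears to be) the entry may not be safely usable after that call; a one-line comment before the call, such as `// errorAppendEntry() sets the entry expiration itself; do not touch entry after it returns`, would make that invariant visible in the code. CacheManager::start continues outside the hunk, so any other post-errorAppendEntry use of `entry` in that function is not covered by this patch and is worth checking. The backport header says "Conflict: context adapt", yet the hunk's context lines read like the referenced upstream commit's; confirm the patch applies cleanly to the 4.9 source at build time.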
@@ -54,6 +54,7 @@ Patch33:backport-CVE-2023-46728.patch
 Patch34:backport-CVE-2023-49285.patch
 Patch35:backport-CVE-2023-49286.patch
 Patch36:backport-CVE-2023-50269.patch
+Patch37:backport-CVE-2024-23638.patch
 Buildroot: %{_tmppath}/squid-4.9-1-root-%(%{__id_u} -n)
 Requires: bash >= 2.0
@@ -248,6 +249,12 @@ fi
 chgrp squid /var/cache/samba/winbindd_privileged >/dev/null 2>&1 || :
 %changelog
+* Thu Jan 25 2024 xinghe - 7:4.9-23
+- Type:cves
+- ID:CVE-2024-23638
+- SUG:NA
+- DESC:fix CVE-2024-23638
+
 * Fri Dec 15 2023 xinghe - 7:4.9-22
 - Type:cves
 - ID:CVE-2023-50269
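Review bot: `Patch37:backport-CVE-2024-23638.patch` is declared in the @@ -54 hunk, but no matching `%patch37 -p1` line is added anywhere in this diff. If %prep applies patches one by one rather than through `%autosetup`, the new patch is listed and shipped in the SRPM but never applied, and the changelog entry would then claim a fix the built binary does not contain. The %prep section is outside this diff, so confirm it there; if patches are applied individually, add `%patch37 -p1` after the Patch36 application.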