Diffstat (limited to 'net-proxy/squid/files/squid-2.7.6-cve-2009-2855.patch')
-rw-r--r-- | net-proxy/squid/files/squid-2.7.6-cve-2009-2855.patch | 34 |
1 files changed, 34 insertions, 0 deletions
diff --git a/net-proxy/squid/files/squid-2.7.6-cve-2009-2855.patch b/net-proxy/squid/files/squid-2.7.6-cve-2009-2855.patch
new file mode 100644
index 000000000000..8863ffe093fc
--- /dev/null
+++ b/net-proxy/squid/files/squid-2.7.6-cve-2009-2855.patch
@@ -0,0 +1,34 @@
+diff -Nru squid-2.7.STABLE6.orig/src/HttpHeaderTools.c squid-2.7.STABLE6/src/HttpHeaderTools.c
+--- squid-2.7.STABLE6.orig/src/HttpHeaderTools.c 2008-04-02 03:00:11.000000000 +0200
++++ squid-2.7.STABLE6/src/HttpHeaderTools.c 2009-08-22 11:25:43.000000000 +0200
+@@ -239,6 +239,10 @@
+ strListGetItem(const String * str, char del, const char **item, int *ilen, const char **pos)
+ {
+ size_t len;
++ /* ',' is always enabled as field delimiter as this is required for
++ * processing merged header values properly, even if Cookie normally
++ * uses ';' as delimiter.
++ */
+ static char delim[3][8] =
+ {
+ "\"?,",
+@@ -261,16 +265,15 @@
+ /* find next delimiter */
+ do {
+ *pos += strcspn(*pos, delim[quoted]);
+- if (**pos == del)
+- break;
+ if (**pos == '"') {
+ quoted = !quoted;
+ *pos += 1;
+- }
+- if (quoted && **pos == '\\') {
++ } else if (quoted && **pos == '\\') {
+ *pos += 1;
+ if (**pos)
+ *pos += 1;
++ } else {
++ break; /* Delimiter found, marking the end of this value */
+ }
+ } while (**pos);
+ len = *pos - *item; /* *pos points to del or '\0' */ |
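Review bot: The context comment on the last line, `/* *pos points to del or '\0' */`, is no longer accurate, because the new `else { break; }` arm also stops on ',' when `del` is some other character such as ';', as the comment added above `delim` itself says. I would change it to `/* *pos points to del, ',' or '\0' */` and reword the break comment to `/* delimiter or end of string: stop here */`, since that arm is also the one taken when strcspn() stops at the terminating NUL. A one-line comment above the `do` stating that every arm either advances `*pos` or breaks would record the property that keeps this loop from spinning on a header value containing an unexpected delimiter. strListGetItem starts and ends outside the hunk, so the code that consumes `*pos` after `len` is computed is not visible here and should be checked for the ',' case.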