> On 7/15/19 3:11 PM, James Zuelow wrote: > > > how could I go about confirming the presence of bug 4936 in the > > current Debian stable version of Squid? > > If you want to be sure, get the source code version of the Debian Squid > package (with all the Debian patches applied) and check whether > src/auth/negotiate/wrapper/negotiate_wrapper.cc still contains the buggy > code. See the Squid bug report description[1] for the pattern to look for (or > post a link to the source file here so that others can check). > > [1] https://bugs.squid-cache.org/show_bug.cgi?id=4936#c0 > > Alex. Thank you! I believe the Debian source code is here: http://deb.debian.org/debian/pool/main/s/squid/squid_4.6.orig.tar.gz With the patches included in this file here: http://deb.debian.org/debian/pool/main/s/squid/squid_4.6-1.debian.tar.xz None of the patches appear to modify negotiate_wrapper.cc. When I glance through negotiate_wrapper.cc I find something slightly different from either form of the bug report. The Debian code has a buf+3 construct. Debian: (line 182) length = BASE64_DECODE_LENGTH(strlen(buf+3)); and (line 196) if (!base64_decode_update(&ctx, &dstLen, token, strlen(buf+3), buf+3) || !base64_decode_final(&ctx)) { if (debug_enabled) fprintf(stderr, "%s| %s: Invalid base64 token [%s]\n", LogTime(), PROGRAM, buf+3); fprintf(stdout, "BH Invalid negotiate request token\n"); continue; } (I only have a very basic knowledge of C++, so I could be looking at the wrong things completely.) Thanks, James _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
