On 7/15/19 7:54 PM, James Zuelow wrote: >> On 7/15/19 3:11 PM, James Zuelow wrote: >> >>> how could I go about confirming the presence of bug 4936 in the >>> current Debian stable version of Squid? >> >> If you want to be sure, get the source code version of the Debian Squid >> package (with all the Debian patches applied) and check whether >> src/auth/negotiate/wrapper/negotiate_wrapper.cc still contains the buggy >> code. See the Squid bug report description[1] for the pattern to look for (or >> post a link to the source file here so that others can check). >> >> [1] https://bugs.squid-cache.org/show_bug.cgi?id=4936#c0 > I believe the Debian source code is here: http://deb.debian.org/debian/pool/main/s/squid/squid_4.6.orig.tar.gz AFAICT, that source code has Bug 4936. > When I glance through negotiate_wrapper.cc I find something slightly > different from either form of the bug report. The Debian code has a > buf+3 construct. Yes, I removed +3 (i.e. skipping "BH " characters) from the sketch in the bug report to minimize noise. > Debian: > length = BASE64_DECODE_LENGTH(strlen(buf+3)); ... if (!(token = static_cast<uint8_t *>(xmalloc(length)))) { ... > if (!base64_decode_update(&ctx, &dstLen, token, strlen(buf+3), buf+3) || ... token[dstLen] = '\0'; Alex. _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users