File SQUID-2023_4.patch of Package squid.31747

From 12b8efc07ff74548d5582c4890f8bdb9057a1bb3 Mon Sep 17 00:00:00 2001
From: Andreas Weigel <andreas.weigel@securepoint.de>
Date: Wed, 18 Oct 2023 04:14:31 +0000
Subject: [PATCH] Fix validation of certificates with CN=* (#1523)

The bug was discovered and detailed by Joshua Rogers at
https://megamansec.github.io/Squid-Security-Audit/
where it was filed as "Buffer UnderRead in SSL CN Parsing".
---
 src/anyp/Uri.cc | 6 ++++++
 1 file changed, 6 insertions(+)

Index: squid-3.5.21/src/url.cc
===================================================================
--- squid-3.5.21.orig/src/url.cc
+++ squid-3.5.21/src/url.cc
@@ -89,6 +89,10 @@ urlInitialize(void)
     assert(0 == matchDomainName("*.foo.com", ".foo.com", mdnHonorWildcards));
     assert(0 != matchDomainName("*.foo.com", "foo.com", mdnHonorWildcards));
 
+    assert(0 != matchDomainName("foo.com", ""));
+    assert(0 != matchDomainName("foo.com", "", mdnHonorWildcards));
+    assert(0 != matchDomainName("foo.com", "", mdnRejectSubsubDomains));
+
     /* more cases? */
 }
 
@@ -855,6 +859,8 @@ matchDomainName(const char *h, const cha
         return -1;
 
     dl = strlen(d);
+    if (dl == 0)
+        return 1;
 
     /*
      * Start at the ends of the two strings and work towards the