[Buildroot] [git commit branch/2025.08.x] package/squid: add patch for CVE-2025-59362
Arnout Vandecappelle
arnout at rnout.be
Wed Oct 22 16:38:49 UTC 2025
commit: https://git.buildroot.net/buildroot/commit/?id=b3d14555838e695e451aea2f5fd9d0784059fea6
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/2025.08.x
Fixes the following vulnerability:
- CVE-2025-59362
Squid through 7.1 mishandles ASN.1 encoding of long SNMP OIDs. This
occurs in asn_build_objid in lib/snmplib/asn1.c.
For more information, see:
- https://nvd.nist.gov/vuln/detail/CVE-2025-59362
- https://github.com/squid-cache/squid/commit/250a18e0a80694b919972a1836cdfe20f2e1baa0
Signed-off-by: Thomas Perale <thomas.perale at mind.be>
Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
(cherry picked from commit fb13611e6414e01f5a34cc065913fb1adcdf775c)
Signed-off-by: Thomas Perale <thomas.perale at mind.be>
---
...0001-Fix-ASN-1-encoding-of-long-SNMP-OIDs.patch | 52 ++++++++++++++++++++++
package/squid/squid.mk | 4 ++
2 files changed, 56 insertions(+)
diff --git a/package/squid/0001-Fix-ASN-1-encoding-of-long-SNMP-OIDs.patch b/package/squid/0001-Fix-ASN-1-encoding-of-long-SNMP-OIDs.patch
new file mode 100644
index 0000000000..695ba0255e
--- /dev/null
+++ b/package/squid/0001-Fix-ASN-1-encoding-of-long-SNMP-OIDs.patch
@@ -0,0 +1,52 @@
+From 0d89165ee6da10e6fa50c44998b3cd16d59400e9 Mon Sep 17 00:00:00 2001
+From: Alex Rousskov <rousskov at measurement-factory.com>
+Date: Sat, 30 Aug 2025 06:49:36 +0000
+Subject: [PATCH] Fix ASN.1 encoding of long SNMP OIDs (#2149)
+
+Upstream: https://github.com/squid-cache/squid/commit/250a18e0a80694b919972a1836cdfe20f2e1baa0
+CVE: CVE-2025-59362
+Signed-off-by: Thomas Perale <thomas.perale at mind.be>
+---
+ lib/snmplib/asn1.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/lib/snmplib/asn1.c b/lib/snmplib/asn1.c
+index 81f2051fbe7..2852c26b220 100644
+--- a/lib/snmplib/asn1.c
++++ b/lib/snmplib/asn1.c
+@@ -735,6 +735,7 @@ asn_build_objid(u_char * data, int *datalength,
+ * lastbyte ::= 0 7bitvalue
+ */
+ u_char buf[MAX_OID_LEN];
++ u_char *bufEnd = buf + sizeof(buf);
+ u_char *bp = buf;
+ oid *op = objid;
+ int asnlength;
+@@ -753,6 +754,10 @@ asn_build_objid(u_char * data, int *datalength,
+ while (objidlength-- > 0) {
+ subid = *op++;
+ if (subid < 127) { /* off by one? */
++ if (bp >= bufEnd) {
++ snmp_set_api_error(SNMPERR_ASN_ENCODE);
++ return (NULL);
++ }
+ *bp++ = subid;
+ } else {
+ mask = 0x7F; /* handle subid == 0 case */
+@@ -770,8 +775,16 @@ asn_build_objid(u_char * data, int *datalength,
+ /* fix a mask that got truncated above */
+ if (mask == 0x1E00000)
+ mask = 0xFE00000;
++ if (bp >= bufEnd) {
++ snmp_set_api_error(SNMPERR_ASN_ENCODE);
++ return (NULL);
++ }
+ *bp++ = (u_char) (((subid & mask) >> bits) | ASN_BIT8);
+ }
++ if (bp >= bufEnd) {
++ snmp_set_api_error(SNMPERR_ASN_ENCODE);
++ return (NULL);
++ }
+ *bp++ = (u_char) (subid & mask);
+ }
+ }
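Review bot: The three added `if (bp >= bufEnd)` guards in asn_build_objid carry no comment explaining why a `u_char buf[MAX_OID_LEN]` can be overrun at all: the loop stores one byte for a sub-identifier below 127 but one byte per 7-bit group for larger ones, so the number of sub-identifiers does not bound the number of bytes written. Next to the `bufEnd` declaration I would add something like `/* large subids encode to several bytes, so the encoding can outgrow buf; every store through bp is bounds-checked */`. The same three-line guard is repeated before each `*bp++` store, so a small local helper or macro would make it harder for a later write to be added without the check. The function begins and ends outside these hunks, so any stores to buf before the loop and the callers' handling of the new NULL return are not visible here and should be confirmed against the full file.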
diff --git a/package/squid/squid.mk b/package/squid/squid.mk
index b021170d9b..d445f005b7 100644
--- a/package/squid/squid.mk
+++ b/package/squid/squid.mk
@@ -11,6 +11,10 @@ SQUID_LICENSE = GPL-2.0+
SQUID_LICENSE_FILES = COPYING
SQUID_CPE_ID_VENDOR = squid-cache
SQUID_SELINUX_MODULES = apache squid
+
+# 0001-Fix-ASN-1-encoding-of-long-SNMP-OIDs.patch
+SQUID_IGNORE_CVES += CVE-2025-59362
+
SQUID_DEPENDENCIES = libcap host-libcap libtool libxml2 host-pkgconf \
$(if $(BR2_PACKAGE_LIBNETFILTER_CONNTRACK),libnetfilter_conntrack)
SQUID_CONF_ENV = \