Squid Improper Restriction of Operations within the Bounds of a Memory Buffer Vulnerability - CVE-2019-12525

An issue was discovered in Squid 3.3.9 through 3.5.28 and 4.x through 4.7. When Squid is configured to use Digest authentication it parses the header Proxy-Authorization. It searches for certain tokens such as domain uri and qop. Squid checks if this token39s value starts with a quote and ends with one. If so it performs a memcpy of its length minus 2. Squid never checks whether the value is just a single quote (which would satisfy its requirements) leading to a memcpy of its length minus 1.