public inbox for git-commits@fedoraproject.org
From: Paul Howarth <paul@city-fan.org>
To: git-commits@fedoraproject.org
Subject: [rpms/proftpd] f43: Address another avenue for SQL injection, via custom SQLUserInfo queries
Date: Mon, 08 Jun 2026 15:35:00 GMT
Message-ID: <178093290092.1.13521063733776178372.rpms-proftpd-d1dff165e1a0@fedoraproject.org>

A new commit has been pushed.

Repo   : rpms/proftpd
Branch : f43
Commit : d1dff165e1a0a24198402deaf3fcee27c28d22e8
Author : Paul Howarth <paul@city-fan.org>
Date   : 2026-05-20T09:35:59+01:00
Stats  : +35/-1 in 2 file(s)
URL    : https://src.fedoraproject.org/rpms/proftpd/c/d1dff165e1a0a24198402deaf3fcee27c28d22e8?branch=f43

Log:
Address another avenue for SQL injection, via custom SQLUserInfo queries

---
diff --git a/1a5ce646.patch b/1a5ce646.patch
new file mode 100644
index 0000000..e4a7168
--- /dev/null
+++ b/1a5ce646.patch
@@ -0,0 +1,27 @@
+From 1a5ce6467756e92f42f89c53f0f370dc0f0206d7 Mon Sep 17 00:00:00 2001
+From: TJ Saunders <tj@castaglia.org>
+Date: Tue, 19 May 2026 08:01:11 -0700
+Subject: [PATCH] Issue #2052: Address another avenue for SQL injection, via
+ custom SQLUserInfo queries.
+
+---
+ contrib/mod_sql.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/contrib/mod_sql.c b/contrib/mod_sql.c
+index b90725942..d28b483d1 100644
+--- a/contrib/mod_sql.c
++++ b/contrib/mod_sql.c
+@@ -1999,8 +1999,11 @@ static struct passwd *sql_getpasswd(cmd_rec *cmd, struct passwd *p) {
+       }
+ 
+     } else {
++      /* The username has been escaped according to the backend database' rules
++       * at this point.
++       */
+       mr = sql_lookup(sql_make_cmd(cmd->tmp_pool, 3, MOD_SQL_DEF_CONN_NAME,
+-        cmap.usercustom, realname ? realname : "NULL"));
++        cmap.usercustom, username ? username : "NULL"));
+ 
+       if (check_response(mr, 0) < 0) {
+         return NULL;
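
Review bot: the new comment asserts that `username` "has been escaped according to the backend database' rules at this point", but nothing in this hunk shows where that escaping happens, and the apostrophe is misplaced (it should read "the backend database's rules"). Since the entire fix is the swap from `realname` to `username` in the argument list of `sql_make_cmd()`, the comment should say so and name the hazard, for example:
/* Pass the escaped username, never the raw realname: it is substituted
 * verbatim into the custom SQLUserInfo query. */
It is also worth stating in the comment that the `"NULL"` fallback in `username ? username : "NULL"` is a constant, not caller data, so a reader does not mistake it for a second unescaped input. Only the custom-query `else` branch is touched here; a reviewer would want confirmation that the branch above it (not in this hunk) has no remaining use of `realname` in a query argument.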

diff --git a/proftpd.spec b/proftpd.spec
index d36609c..6f20396 100644
--- a/proftpd.spec
+++ b/proftpd.spec
@@ -17,7 +17,7 @@
 %undefine _strict_symbol_defs_build
 
 #global prever rc4
-%global baserelease 2
+%global baserelease 3
 %global mod_proxy_version 0.9.5
 %global mod_vroot_version 0.9.12
 
@@ -47,6 +47,7 @@ Patch11:		https://github.com/proftpd/proftpd/commit/04d89957.patch
 Patch12:		https://github.com/proftpd/proftpd/commit/7e076e84.patch
 Patch13:		https://github.com/proftpd/proftpd/commit/07797aba.patch
 Patch14:		https://github.com/proftpd/proftpd/commit/5e06acc4.patch
+Patch15:		https://github.com/proftpd/proftpd/commit/1a5ce646.patch
 
 BuildRequires:		coreutils
 BuildRequires:		gcc
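
Review bot: Patch15 references the upstream commit by an 8-character abbreviated URL (`1a5ce646.patch`). The full hash is known from the patch header shipped in this same commit (1a5ce6467756e92f42f89c53f0f370dc0f0206d7), so using it in the URL removes any chance of a future prefix collision. The short form does match Patch11 through Patch14, so this is a style point only, but the committed patch file name and the Patch15 URL must continue to agree for `%patch -P 15` to resolve.
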
@@ -239,6 +240,9 @@ mv contrib/README contrib/README.contrib
 %patch -P 13 -p1
 %patch -P 14 -p1
 
+# Address another avenue for SQL injection, via custom SQLUserInfo queries
+%patch -P 15 -p1
+
 # Tweak logrotate script for systemd compatibility (#802178)
 sed -i -e '/killall/s/test.*/systemctl try-reload-or-restart proftpd.service/' \
 	contrib/dist/rpm/proftpd.logrotate
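
Review bot: the comment above `%patch -P 15 -p1` repeats the commit subject but drops the upstream reference; the patch header identifies the change as "Issue #2052", so a comment such as `# Address another avenue for SQL injection, via custom SQLUserInfo queries (upstream issue #2052)` lets someone reading the spec find the upstream discussion without opening the patch file. The neighbouring comment for the logrotate tweak already cites its bug number (#802178), so this keeps the section consistent.
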
@@ -476,6 +480,9 @@ fi
 %{_mandir}/man1/ftpwho.1*
 
 %changelog
+* Tue May 19 2026 Paul Howarth <paul@city-fan.org> - 1.3.9a-3
+- Address another avenue for SQL injection, via custom SQLUserInfo queries
+
 * Mon May 11 2026 Paul Howarth <paul@city-fan.org> - 1.3.9a-2
 - Additional escaping for avoidance of SQL injection issues with %%{note:...}
   and %%{env:...}; these are on top of the existing fix for CVE-2026-42167 in
