public inbox for git-commits@fedoraproject.org
help / color / mirror / Atom feed
* [rpms/proftpd] f43: Address another avenue for SQL injection, via custom SQLUserInfo queries
@ 2026-06-08 15:35 Paul Howarth
0 siblings, 0 replies; only message in thread
From: Paul Howarth @ 2026-06-08 15:35 UTC (permalink / raw)
To: git-commits
A new commit has been pushed.
Repo : rpms/proftpd
Branch : f43
Commit : d1dff165e1a0a24198402deaf3fcee27c28d22e8
Author : Paul Howarth <paul@city-fan.org>
Date : 2026-05-20T09:35:59+01:00
Stats : +35/-1 in 2 file(s)
URL : https://src.fedoraproject.org/rpms/proftpd/c/d1dff165e1a0a24198402deaf3fcee27c28d22e8?branch=f43
Log:
Address another avenue for SQL injection, via custom SQLUserInfo queries
---
diff --git a/1a5ce646.patch b/1a5ce646.patch
new file mode 100644
index 0000000..e4a7168
--- /dev/null
+++ b/1a5ce646.patch
@@ -0,0 +1,27 @@
+From 1a5ce6467756e92f42f89c53f0f370dc0f0206d7 Mon Sep 17 00:00:00 2001
+From: TJ Saunders <tj@castaglia.org>
+Date: Tue, 19 May 2026 08:01:11 -0700
+Subject: [PATCH] Issue #2052: Address another avenue for SQL injection, via
+ custom SQLUserInfo queries.
+
+---
+ contrib/mod_sql.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/contrib/mod_sql.c b/contrib/mod_sql.c
+index b90725942..d28b483d1 100644
+--- a/contrib/mod_sql.c
++++ b/contrib/mod_sql.c
+@@ -1999,8 +1999,11 @@ static struct passwd *sql_getpasswd(cmd_rec *cmd, struct passwd *p) {
+ }
+
+ } else {
++ /* The username has been escaped according to the backend database' rules
++ * at this point.
++ */
+ mr = sql_lookup(sql_make_cmd(cmd->tmp_pool, 3, MOD_SQL_DEF_CONN_NAME,
+- cmap.usercustom, realname ? realname : "NULL"));
++ cmap.usercustom, username ? username : "NULL"));
+
+ if (check_response(mr, 0) < 0) {
+ return NULL;
diff --git a/proftpd.spec b/proftpd.spec
index d36609c..6f20396 100644
--- a/proftpd.spec
+++ b/proftpd.spec
@@ -17,7 +17,7 @@
%undefine _strict_symbol_defs_build
#global prever rc4
-%global baserelease 2
+%global baserelease 3
%global mod_proxy_version 0.9.5
%global mod_vroot_version 0.9.12
@@ -47,6 +47,7 @@ Patch11: https://github.com/proftpd/proftpd/commit/04d89957.patch
Patch12: https://github.com/proftpd/proftpd/commit/7e076e84.patch
Patch13: https://github.com/proftpd/proftpd/commit/07797aba.patch
Patch14: https://github.com/proftpd/proftpd/commit/5e06acc4.patch
+Patch15: https://github.com/proftpd/proftpd/commit/1a5ce646.patch
BuildRequires: coreutils
BuildRequires: gcc
@@ -239,6 +240,9 @@ mv contrib/README contrib/README.contrib
%patch -P 13 -p1
%patch -P 14 -p1
+# Address another avenue for SQL injection, via custom SQLUserInfo queries
+%patch -P 15 -p1
+
# Tweak logrotate script for systemd compatibility (#802178)
sed -i -e '/killall/s/test.*/systemctl try-reload-or-restart proftpd.service/' \
contrib/dist/rpm/proftpd.logrotate
@@ -476,6 +480,9 @@ fi
%{_mandir}/man1/ftpwho.1*
%changelog
+* Tue May 19 2026 Paul Howarth <paul@city-fan.org> - 1.3.9a-3
+- Address another avenue for SQL injection, via custom SQLUserInfo queries
+
* Mon May 11 2026 Paul Howarth <paul@city-fan.org> - 1.3.9a-2
- Additional escaping for avoidance of SQL injection issues with %%{note:...}
and %%{env:...}; these are on top of the existing fix for CVE-2026-42167 in
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2026-06-08 15:35 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2026-06-08 15:35 [rpms/proftpd] f43: Address another avenue for SQL injection, via custom SQLUserInfo queries Paul Howarth
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox