I don't think this was fixed in the last round. From Debian bug: In /auth/sql.c there is a function sql_escape_string (...) which does escaping of "bad" characters before feding them to DB. The problem is that function only escapes characters ' and " (strchr ("'\"", *p)), but not \ . Which results in problems like ... username = foo\' something being "escaped" to username = foo \\' something which makes \ character literal but allows escape and subsequent injection. Solution: add \ to list of characters to be escaped. Primoz Bratanic
Yep, files/mailutils-SQLinjection.patch fixes it. Cheers, Ferdy
Thx Ferdy, this seems to be ready for GLSA decision. I tend to vote NO.
This is CAN-2005-1824. I tend to vote YES. It probably allows to create mail accounts by SQL injection ?
yes vote
seems to only be an issue with mysql or postgres in USE ... so i think we should have a GLSA, just make sure to note that requirement
GLSA 200506-02