| Summary: | net-mail/mailutils sql injection | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Sune Kloppenborg Jeppesen (RETIRED) <jaervosz> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | minor | CC: | net-mail+disabled |
| Priority: | High | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Other | ||
| URL: | http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=308031 | ||
| Whiteboard: | B3? [glsa] jaervosz | ||
| Package list: | Runtime testing required: | --- | |
Yep, files/mailutils-SQLinjection.patch fixes it. Cheers, Ferdy Thx Ferdy, this seems to be ready for GLSA decision. I tend to vote NO. This is CAN-2005-1824. I tend to vote YES. It probably allows to create mail accounts by SQL injection ? yes vote seems to only be an issue with mysql or postgres in USE ... so i think we should have a GLSA, just make sure to note that requirement GLSA 200506-02 |
I don't think this was fixed in the last round. From Debian bug: In /auth/sql.c there is a function sql_escape_string (...) which does escaping of "bad" characters before feding them to DB. The problem is that function only escapes characters ' and " (strchr ("'\"", *p)), but not \ . Which results in problems like ... username = foo\' something being "escaped" to username = foo \\' something which makes \ character literal but allows escape and subsequent injection. Solution: add \ to list of characters to be escaped. Primoz Bratanic