Bug 94824 - net-mail/mailutils sql injection
Summary: net-mail/mailutils sql injection
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Other
Importance: High minor
Assignee: Gentoo Security
URL: http://bugs.debian.org/cgi-bin/bugrep...
Whiteboard: B3? [glsa] jaervosz
Reported: 2005-06-02 07:15 UTC by Sune Kloppenborg Jeppesen
Modified: 2005-06-06 11:07 UTC
Description Sune Kloppenborg Jeppesen gentoo-dev 2005-06-02 07:15:35 UTC
I don't think this was fixed in the last round. From Debian bug:

In /auth/sql.c there is a function sql_escape_string (...) which does
escaping of "bad" characters before feeding them to DB. The problem is that
function only escapes characters ' and " (strchr ("'\"", *p)), but not \ .
Which results in problems like ... username = foo\' something being
"escaped" to username = foo \\' something which makes \ character literal
but allows escape and subsequent injection.

Solution: add \ to list of characters to be escaped.

Primoz Bratanic
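
The escaping flaw described in the report above, as an added example that is not part of the original bug report or of the mailutils source. All function names are hypothetical, and the checker assumes a backend that treats a backslash inside a quoted string literal as an escape character; it also goes one step beyond the report by flagging a dangling trailing backslash.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Copy `in`, prefixing every character that appears in `set` with a backslash. */
static char *escape_with(const char *in, const char *set)
{
    char *out = malloc(2 * strlen(in) + 1), *q = out;
    if (!out) return NULL;
    for (const char *p = in; *p; p++) {
        if (strchr(set, *p)) *q++ = '\\';
        *q++ = *p;
    }
    *q = '\0';
    return out;
}

/* Behaviour described in the report: only ' and " are escaped. */
char *escape_quotes_only(const char *in) { return escape_with(in, "'\""); }

/* Solution from the report: backslash joins the escaped set. */
char *escape_with_backslash(const char *in) { return escape_with(in, "\\'\""); }

/* Returns 1 if `escaped`, once placed between single quotes, would end the
 * literal early or swallow its closing quote (assumed backslash-escape rules). */
int breaks_literal(const char *escaped)
{
    for (const char *p = escaped; *p; p++) {
        if (*p == '\\') {
            if (!p[1]) return 1;   /* dangling backslash escapes the closing quote */
            p++;                   /* backslash consumes the next character */
        } else if (*p == '\'') {
            return 1;              /* unescaped quote terminates the literal */
        }
    }
    return 0;
}

int main(void)
{
    const char *input = "foo\\' something";  /* the report's example: foo\' something */
    char *weak = escape_quotes_only(input);
    char *fixed = escape_with_backslash(input);
    if (!weak || !fixed) return 1;
    printf("quotes only   : %s  breaks literal: %d\n", weak, breaks_literal(weak));
    printf("with backslash: %s  breaks literal: %d\n", fixed, breaks_literal(fixed));
    free(weak);
    free(fixed);
    return 0;
}
```
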
Comment 1 Fernando J. Pereda (RETIRED) gentoo-dev 2005-06-02 14:08:48 UTC
Yep, files/mailutils-SQLinjection.patch fixes it.

Cheers,
Ferdy
Comment 2 Sune Kloppenborg Jeppesen gentoo-dev 2005-06-02 22:18:30 UTC
Thx Ferdy, this seems to be ready for GLSA decision. I tend to vote NO. 
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-06-03 00:44:32 UTC
This is CAN-2005-1824.
I tend to vote YES. It probably allows to create mail accounts by SQL injection?
Comment 4 solar (RETIRED) gentoo-dev 2005-06-04 05:04:17 UTC
yes vote
Comment 5 SpanKY gentoo-dev 2005-06-04 21:12:02 UTC
seems to only be an issue with mysql or postgres in USE ... so i think we should
have a GLSA, just make sure to note that requirement
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2005-06-06 11:07:11 UTC
GLSA 200506-02