I don't think this was fixed in the last round. From Debian bug:
In /auth/sql.c there is a function sql_escape_string (...) which does
escaping of "bad" characters before feding them to DB. The problem is that
function only escapes characters ' and " (strchr ("'\"", *p)), but not \ .
Which results in problems like ... username = foo\' something being
"escaped" to username = foo \\' something which makes \ character literal
but allows escape and subsequent injection.
Solution: add \ to list of characters to be escaped.
Yep, files/mailutils-SQLinjection.patch fixes it.
Thx Ferdy, this seems to be ready for GLSA decision. I tend to vote NO.
This is CAN-2005-1824.
I tend to vote YES. It probably allows to create mail accounts by SQL injection ?
seems to only be an issue with mysql or postgres in USE ... so i think we should
have a GLSA, just make sure to note that requirement