[Git][debian-proftpd-team/proftpd][bullseye] [skip-ci] Add patch for CVE-2026-44331.
Hilmar Preuße (@hilmar)
gitlab at salsa.debian.org
Wed May 6 22:37:35 BST 2026
Hilmar Preuße pushed to branch bullseye at Debian ProFTPD Team / proftpd
Commits:
201765d0 by Hilmar Preuße at 2026-05-06T23:37:28+02:00
[skip-ci] Add patch for CVE-2026-44331.
- - - - -
3 changed files:
- debian/changelog
- + debian/patches/07797aba88dca902da7eaf1dfe262c8896943de7.diff
- debian/patches/series
Changes:
=====================================
debian/changelog
=====================================
@@ -1,6 +1,7 @@
proftpd-dfsg (1.3.7a+dfsg-12+deb11u6) UNRELEASED; urgency=medium
* Add patch for CVE-2026-42167 (Closes: #1135119).
+ * Add patch for CVE-2026-44331 (Closes: #1135840).
-- Hilmar Preuße <hille42 at debian.org> Wed, 29 Apr 2026 22:43:03 +0200
=====================================
debian/patches/07797aba88dca902da7eaf1dfe262c8896943de7.diff
=====================================
@@ -0,0 +1,103 @@
+From 07797aba88dca902da7eaf1dfe262c8896943de7 Mon Sep 17 00:00:00 2001
+From: TJ Saunders <tj at castaglia.org>
+Date: Tue, 5 May 2026 09:56:33 -0700
+Subject: [PATCH] Issue #2057: Properly escape the "name" provided when doing
+ SQL lookups for allowed/denied client IP addresses or DNS names.
+
+---
+ contrib/mod_wrap2_sql.c | 49 +++++++++++++++++++++++++++++++++++++----
+ 1 file changed, 45 insertions(+), 4 deletions(-)
+
+diff --git a/contrib/mod_wrap2_sql.c b/contrib/mod_wrap2_sql.c
+index eaf6ea7dc5..d4fd56e699 100644
+--- a/contrib/mod_wrap2_sql.c
++++ b/contrib/mod_wrap2_sql.c
+@@ -1,7 +1,7 @@
+ /*
+ * ProFTPD: mod_wrap2_sql -- a mod_wrap2 sub-module for supplying IP-based
+ * access control data via SQL tables
+- * Copyright (c) 2002-2016 TJ Saunders
++ * Copyright (c) 2002-2026 TJ Saunders
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+@@ -25,7 +25,7 @@
+ #include "mod_wrap2.h"
+ #include "mod_sql.h"
+
+-#define MOD_WRAP2_SQL_VERSION "mod_wrap2_sql/1.0"
++#define MOD_WRAP2_SQL_VERSION "mod_wrap2_sql/1.1"
+
+ #define WRAP2_SQL_NSLOTS 2
+ #define WRAP2_SQL_CLIENT_QUERY_IDX 0
+@@ -62,6 +62,41 @@ static int sqltab_close_cb(wrap2_table_t *sqltab) {
+ return 0;
+ }
+
++static char *sqltab_get_escaped_text(pool *p, wrap2_table_t *sqltab,
++ const char *text) {
++ pool *tmp_pool = NULL;
++ cmdtable *sql_cmdtab = NULL;
++ cmd_rec *sql_cmd = NULL;
++ modret_t *sql_res = NULL;
++
++ /* Find the cmdtable for the sql_escapestr command, as the provided
++ * name needs to be properly escaped for SQL syntax; see Issue #2057.
++ */
++ sql_cmdtab = pr_stash_get_symbol2(PR_SYM_HOOK, "sql_escapestr", NULL, NULL,
++ NULL);
++ if (sql_cmdtab == NULL) {
++ wrap2_log("error: unable to find SQL hook symbol 'sql_escapestr': "
++ "perhaps your proftpd.conf needs 'LoadModule mod_sql.c'?");
++ return NULL;
++ }
++
++ sql_cmd = sql_cmd_create(tmp_pool, 1, text);
++ sql_res = pr_module_call(sql_cmdtab->m, sql_cmdtab->handler, sql_cmd);
++ if (sql_res == NULL) {
++ wrap2_log("sql_escapestr '%s' returned no data; "
++ "see the mod_sql.c SQLLogFile for more details", text);
++ return NULL;
++ }
++
++ if (MODRET_ISERROR(sql_res)) {
++ wrap2_log("error processing sql_escapestr '%s': "
++ "check the mod_sql.c SQLLogFile for more details", text);
++ return NULL;
++ }
++
++ return sql_res->data;
++}
++
+ static array_header *sqltab_fetch_clients_cb(wrap2_table_t *sqltab,
+ const char *name) {
+ register unsigned int i;
+@@ -70,12 +105,18 @@ static array_header *sqltab_fetch_clients_cb(wrap2_table_t *sqltab,
+ cmd_rec *sql_cmd = NULL;
+ modret_t *sql_res = NULL;
+ array_header *sql_data = NULL;
+- char *query = NULL, **vals = NULL;
++ char *escaped_name = NULL, *query = NULL, **vals = NULL;
+ array_header *clients_list = NULL;
+
+ /* Allocate a temporary pool for the duration of this read. */
+ tmp_pool = make_sub_pool(sqltab->tab_pool);
+
++ escaped_name = sqltab_get_escaped_text(tmp_pool, sqltab, name);
++ if (escaped_name == NULL) {
++ destroy_pool(tmp_pool);
++ return NULL;
++ }
++
+ query = ((char **) sqltab->tab_data)[WRAP2_SQL_CLIENT_QUERY_IDX];
+
+ /* Find the cmdtable for the sql_lookup command. */
+@@ -89,7 +130,7 @@ static array_header *sqltab_fetch_clients_cb(wrap2_table_t *sqltab,
+ }
+
+ /* Prepare the SELECT query. */
+- sql_cmd = sql_cmd_create(tmp_pool, 3, "sql_lookup", query, name);
++ sql_cmd = sql_cmd_create(tmp_pool, 3, "sql_lookup", query, escaped_name);
+
+ /* Call the handler. */
+ sql_res = pr_module_call(sql_cmdtab->m, sql_cmdtab->handler, sql_cmd);
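Review bot: In the new `sqltab_get_escaped_text` helper, `tmp_pool` is initialised to NULL and never assigned, yet it is the pool passed to `sql_cmd_create(tmp_pool, 1, text)`, while the `p` parameter that the caller fills with its temporary pool is never used; the call should read `sql_cmd = sql_cmd_create(p, 1, text);` and the `tmp_pool` local can be dropped. Whether `sql_cmd_create` tolerates a NULL pool cannot be told from this page, but if it allocates from it the escaping path would fail (or crash) on every lookup instead of returning the escaped name, so this deserves a check before the patch ships. The `sqltab` parameter of the helper is likewise unused. A short header comment would also help, e.g. `/* Returns the SQL-escaped form of text, allocated via mod_sql; NULL (and a logged error) if the sql_escapestr hook is missing or fails, which makes the caller deny the lookup. */`, since the fail-closed behaviour when mod_sql is not loaded is a visible change for the caller at lines 112-116.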
=====================================
debian/patches/series
=====================================
@@ -23,3 +23,4 @@ issue-1171.patch
CVE-2024-57392.patch
0036-Fix-blastradius-followup.patch
2052_pghmcfc.diff
+07797aba88dca902da7eaf1dfe262c8896943de7.diff