[Git][debian-proftpd-team/proftpd][master] Another patch for upstream_2052.

Hilmar Preuße (@hilmar) gitlab at salsa.debian.org
Tue May 19 19:34:52 BST 2026



Hilmar Preuße pushed to branch master at Debian ProFTPD Team / proftpd


Commits:
e25d91ce by Hilmar Preuße at 2026-05-19T20:34:44+02:00
Another patch for upstream_2052.

- - - - -


3 changed files:

- debian/changelog
- + debian/patches/1a5ce6467756e92f42f89c53f0f370dc0f0206d7.diff
- debian/patches/series


Changes:

=====================================
debian/changelog
=====================================
@@ -1,6 +1,6 @@
 proftpd-dfsg (1.3.9a~dfsg-2) UNRELEASED; urgency=medium
 
-  * Two more patches for upstream_2052.
+  * Three more patches for upstream_2052.
 
   * B-D: default-libmysqlclient-dev => libmariadb-dev-compat
   * Upgrade d/watch file to version 5.
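Review bot: The changed bullet "Three more patches for upstream_2052." gives only a count and an issue tag, so someone reading the changelog cannot tell that this upload carries a SQL injection fix or which file under debian/patches delivers it. Consider naming the patch and what it addresses in the entry, for example "Add 1a5ce6467756e92f42f89c53f0f370dc0f0206d7.diff: SQL injection via custom SQLUserInfo queries (upstream issue #2052)".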


=====================================
debian/patches/1a5ce6467756e92f42f89c53f0f370dc0f0206d7.diff
=====================================
@@ -0,0 +1,27 @@
+From 1a5ce6467756e92f42f89c53f0f370dc0f0206d7 Mon Sep 17 00:00:00 2001
+From: TJ Saunders <tj at castaglia.org>
+Date: Tue, 19 May 2026 08:01:11 -0700
+Subject: [PATCH] Issue #2052: Address another avenue for SQL injection, via
+ custom SQLUserInfo queries.
+
+---
+ contrib/mod_sql.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/contrib/mod_sql.c b/contrib/mod_sql.c
+index b90725942..d28b483d1 100644
+--- a/contrib/mod_sql.c
++++ b/contrib/mod_sql.c
+@@ -1999,8 +1999,11 @@ static struct passwd *sql_getpasswd(cmd_rec *cmd, struct passwd *p) {
+       }
+ 
+     } else {
++      /* The username has been escaped according to the backend database' rules
++       * at this point.
++       */
+       mr = sql_lookup(sql_make_cmd(cmd->tmp_pool, 3, MOD_SQL_DEF_CONN_NAME,
+-        cmap.usercustom, realname ? realname : "NULL"));
++        cmap.usercustom, username ? username : "NULL"));
+ 
+       if (check_response(mr, 0) < 0) {
+         return NULL;
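Review bot: In the else branch of sql_getpasswd(), the new comment asserts that the username "has been escaped according to the backend database' rules at this point", but nothing in this hunk shows where that escaping happens, so the fix rests on an invariant the reader has to take on trust. Name the place that performs the escaping in the comment, and confirm that every path reaching the cmap.usercustom lookup goes through it, so a later edit cannot reintroduce an unescaped value in the sql_make_cmd() call. Minor: "database'" in the comment should read "database's".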


=====================================
debian/patches/series
=====================================
@@ -14,3 +14,4 @@ odbc
 07797aba88dca902da7eaf1dfe262c8896943de7.diff
 04d89957d8ace325ef76fdfab22049df16a40c0b.diff
 7e076e844ab5da63a0887b875aca2c3cfbc83a49.diff
+1a5ce6467756e92f42f89c53f0f370dc0f0206d7.diff
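Review bot: The entry appended to debian/patches/series is a bare commit hash, like the three lines above it, so the series file alone does not show which patches make up the upstream_2052 fix. A "#" comment line above the group naming the upstream issue, or descriptive file names, would make the security patches easy to pick out when one has to be dropped or refreshed for the next upstream release.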



View it on GitLab: https://salsa.debian.org/debian-proftpd-team/proftpd/-/commit/e25d91cebfceb3f72e1e66f1786adae8835eb8bd
