Hello team, I'm very sorry I didn't report this before, as I should have.
A week ago, Primoz reported a vulnerability in the SQL authentication module in mailutils. The details are in http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=308031

The patch that was applied for Debian sarge (woody, luckily, wasn't affected as it wasn't compiling this code at that time) is attached.

Thanks,
Jordi
--
Jordi Mallach Pérez -- Debian developer http://www.debian.org/
http://www.sindominio.net/
GnuPG public key information available at http://oskuro.net/

--- auth/sql.c.orig 2005-03-08 14:24:11.000000000 -0800
+++ auth/sql.c 2005-05-13 19:12:38.000000000 -0700
@@ -74,7 +74,7 @@
for (p = (const unsigned char *) ustr; *p; p++)
{
- if (strchr ("'\"", *p))
+ if (strchr ("'\"\\", *p))
len++;
}
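Review bot: the escape set in this counting loop, strchr ("'\"\\", *p), is a string literal that has to match the one in the copy loop of the following hunk exactly; if a later change updates only one of them, len undercounts and the copy loop emits more bytes than were counted. Define the set once (a static const char array, or a small predicate with a name such as needs_escape) and use it in both loops.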
@@ -84,7 +84,7 @@
for (p = (const unsigned char *) ustr, q = str; *p; p++)
{
- if (strchr ("'\"", *p))
+ if (strchr ("'\"\\", *p))
*q++ = '\\';
*q++ = *p;
}
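Review bot: the copy loop still escapes by hand, prefixing each matched byte with a backslash (*q++ = '\\'; followed by *q++ = *p;), which is only correct for SQL backends that treat backslash as an escape character inside string literals, and it scans byte by byte regardless of the connection's character set. Where the backend's client library offers its own escaping routine or bound parameters, prefer that here; otherwise add a comment above the loop stating which quoting rules are assumed and why backslash had to join the set.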
