[Midnightbsd-cvs] [MidnightBSD/src] deaf1e: Fix critical security vulnerabilities in libmsearc...
Lucas Holt
noreply at github.com
Thu Jun 25 22:26:09 EDT 2026
Branch: refs/heads/stable/4.1
Home: https://github.com/MidnightBSD/src
Commit: deaf1e61573aaefcdba715223ed305404cc4ea48
https://github.com/MidnightBSD/src/commit/deaf1e61573aaefcdba715223ed305404cc4ea48
Author: Lucas Holt <luke at foolishgames.com>
Date: 2026-06-25 (Thu, 25 Jun 2026)
Changed paths:
M lib/libmsearch/msearch_fulltext.c
M lib/libmsearch/msearch_index.c
M lib/libmsearch/msearch_search.c
Log Message:
-----------
Fix critical security vulnerabilities in libmsearch and msearch
- Fix SQL injection in msearch_index_exists() by using parameterized queries
instead of undefined %Q format specifier
- Fix format string injection in msearch_search_bind() by validating input
and using strlcpy() instead of snprintf() with user-controlled strings
- Fix path traversal vulnerability in msearch_index_path_file() by using
realpath() to resolve symlinks and check canonical paths
- Fix TOCTOU race condition in msearch_index_file() by opening files with
O_NOFOLLOW and using fstat() on the file descriptor
- Fix hardcoded library path in msearch_fulltext_open() by using a
configurable MSEARCH_EXTENSION_PATH define
All changes compile cleanly and pass existing tests.
Generated by Mistral Vibe.
Co-Authored-By: Mistral Vibe <vibe at mistral.ai>
To unsubscribe from these emails, change your notification settings at https://github.com/MidnightBSD/src/settings/notifications
More information about the Midnightbsd-cvs
mailing list