[Midnightbsd-cvs] [MidnightBSD/src] deaf1e: Fix critical security vulnerabilities in libmsearc...

Lucas Holt noreply at github.com
Thu Jun 25 22:26:09 EDT 2026


  Branch: refs/heads/stable/4.1
  Home:   https://github.com/MidnightBSD/src
  Commit: deaf1e61573aaefcdba715223ed305404cc4ea48
      https://github.com/MidnightBSD/src/commit/deaf1e61573aaefcdba715223ed305404cc4ea48
  Author: Lucas Holt <luke at foolishgames.com>
  Date:   2026-06-25 (Thu, 25 Jun 2026)

  Changed paths:
    M lib/libmsearch/msearch_fulltext.c
    M lib/libmsearch/msearch_index.c
    M lib/libmsearch/msearch_search.c

  Log Message:
  -----------
  Fix critical security vulnerabilities in libmsearch and msearch

- Fix SQL injection in msearch_index_exists() by using parameterized queries
  instead of undefined %Q format specifier
- Fix format string injection in msearch_search_bind() by validating input
  and using strlcpy() instead of snprintf() with user-controlled strings
- Fix path traversal vulnerability in msearch_index_path_file() by using
  realpath() to resolve symlinks and check canonical paths
- Fix TOCTOU race condition in msearch_index_file() by opening files with
  O_NOFOLLOW and using fstat() on the file descriptor
- Fix hardcoded library path in msearch_fulltext_open() by using a
  configurable MSEARCH_EXTENSION_PATH define

All changes compile cleanly and pass existing tests.

Generated by Mistral Vibe.
Co-Authored-By: Mistral Vibe <vibe at mistral.ai>



To unsubscribe from these emails, change your notification settings at https://github.com/MidnightBSD/src/settings/notifications


More information about the Midnightbsd-cvs mailing list