Version in base suite: 5.21.4-1 Base version: libphp-adodb_5.21.4-1 Target version: libphp-adodb_5.21.4-1+deb12u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/libp/libphp-adodb/libphp-adodb_5.21.4-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/libp/libphp-adodb/libphp-adodb_5.21.4-1+deb12u1.dsc changelog | 7 +++++ patches/00-fix-sec-pgsql-sql-injection.patch | 33 +++++++++++++++++++++++++++ patches/series | 1 3 files changed, 41 insertions(+)
diff -Nru libphp-adodb-5.21.4/debian/changelog libphp-adodb-5.21.4/debian/changelog
--- libphp-adodb-5.21.4/debian/changelog 2022-03-12 14:11:01.000000000 +0000
+++ libphp-adodb-5.21.4/debian/changelog 2025-05-06 21:39:03.000000000 +0000
@@ -1,3 +1,10 @@
+libphp-adodb (5.21.4-1+deb12u1) bookworm; urgency=high
+
+ * Non-maintainer upload.
+ + Fix SQL injection in pg_insert_id(). (Closes: #1104548, CVE-2025-46337)
+
+ -- Leandro Cunha Tue, 06 May 2025 18:39:03 -0300
+
 libphp-adodb (5.21.4-1) unstable; urgency=medium
 
 * New upstream release. (Closes: #1004376)
diff -Nru libphp-adodb-5.21.4/debian/patches/00-fix-sec-pgsql-sql-injection.patch libphp-adodb-5.21.4/debian/patches/00-fix-sec-pgsql-sql-injection.patch
--- libphp-adodb-5.21.4/debian/patches/00-fix-sec-pgsql-sql-injection.patch 1970-01-01 00:00:00.000000000 +0000
+++ libphp-adodb-5.21.4/debian/patches/00-fix-sec-pgsql-sql-injection.patch 2025-05-06 21:39:03.000000000 +0000
@@ -0,0 +1,33 @@
+Description: Fix SQL injection in pg_insert_id()
+ Properly escape the $tablename and $fieldname parameters used to build
+ the sequence name.
+Forwarded: https://github.com/ADOdb/ADOdb/issues/1070
+Origin: https://github.com/ADOdb/ADOdb/commit/0774134f3311779495d16f74a35c872e353708c6.patch
+Bug-Debian: https://bugs.debian.org/1104548
+Author: Damien Regad
+
+From 11107d6d6e5160b62e05dff8a3a2678cf0e3a426 Mon Sep 17 00:00:00 2001
+From: Damien Regad
+Date: Sat, 26 Apr 2025 17:45:53 +0200
+Subject: [PATCH 1/2] Fix SQL injection in pg_insert_id()
+
+Properly escape the $tablename and $fieldname parameters used to build
+the sequence name.
+---
+ drivers/adodb-postgres64.inc.php | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/adodb-postgres64.inc.php b/drivers/adodb-postgres64.inc.php
+index b1d161d7c..5cbe77ed2 100644
+--- a/drivers/adodb-postgres64.inc.php
++++ b/drivers/adodb-postgres64.inc.php
+@@ -138,7 +138,8 @@ function IfNull( $field, $ifNull )
+ // get the last id - never tested
+ function pg_insert_id($tablename,$fieldname)
+ {
+- $result=pg_query($this->_connectionID, 'SELECT last_value FROM '. $tablename .'_'. $fieldname .'_seq');
++ $sequence = pg_escape_identifier($this->_connectionID, $tablename .'_'. $fieldname .'_seq');
++ $result = pg_query($this->_connectionID, 'SELECT last_value FROM '. $sequence);
+ if ($result) {
+ $arr = @pg_fetch_row($result,0);
+ pg_free_result($result);
diff -Nru libphp-adodb-5.21.4/debian/patches/series libphp-adodb-5.21.4/debian/patches/series
--- libphp-adodb-5.21.4/debian/patches/series 1970-01-01 00:00:00.000000000 +0000
+++ libphp-adodb-5.21.4/debian/patches/series 2025-05-06 21:39:03.000000000 +0000
@@ -0,0 +1 @@
+00-fix-sec-pgsql-sql-injection.patch
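Review bot: Wrapping the whole `<table>_<field>_seq` string in `pg_escape_identifier()` (the `++ $sequence = ...` line of the nested hunk) closes the injection, but it also changes which sequence is addressed: a quoted identifier is case-sensitive and is looked up as one name, so callers that passed a mixed-case table name relying on PostgreSQL's lower-case folding, or a schema-qualified `schema.table`, will presumably now hit a different or missing sequence — worth confirming against known callers before shipping to stable. A short comment above the new line would document this, e.g. `// Quoted identifier: case-sensitive, and a schema-qualified $tablename is not split on '.'`. The embedded Subject reads `[PATCH 1/2]` while only this one upstream commit is packaged; confirm the second commit is not needed for a complete fix. `pg_insert_id()` continues past the end of the nested hunk.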