From 8433e9adea1d41981177caee43726152b719c648 Mon Sep 17 00:00:00 2001
From: Daniel Markstedt <daniel@mindani.net>
Date: Wed, 6 May 2026 21:50:47 +0200
Subject: [PATCH] CVE-2026-44072: cnid_dbd: abort on chdir failure before
 system()

Reported-by: @00redbeer
Signed-off-by: Daniel Markstedt <daniel@mindani.net>
---
 etc/cnid_dbd/main.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/etc/cnid_dbd/main.c b/etc/cnid_dbd/main.c
index 3128bbc8c..164a9d694 100644
--- a/etc/cnid_dbd/main.c
+++ b/etc/cnid_dbd/main.c
@@ -234,8 +234,9 @@ static int delete_db(void)
     EC_NEG1(cwd = open(".", O_RDONLY));
 
     if (chdir(cfrombstr(dbpath)) < 0) {
-        LOG(log_error, logtype_cnid, "delete_db: could not chdir to \"%s\"", dbpath,
-            strerror(errno));
+        LOG(log_error, logtype_cnid, "delete_db: could not chdir to \"%s\": %s",
+            bdata(dbpath), strerror(errno));
+        EC_FAIL;
     }
 
     if (system("rm -f cnid2.db lock log.* __db.*") < 0) {