www/dotproject out of date and vulnerable

[Fred Cox]

--- Kris Kennaway <kris at obsecurity.org> wrote:

> On Tue, Sep 19, 2006 at 06:02:52PM -0700, Fred Cox
> wrote:
> > --- Kris Kennaway <kris at obsecurity.org> wrote:
> > 
> > > On Tue, Sep 19, 2006 at 05:15:45PM -0700, Fred
> Cox
> > > wrote:
> > > 
> > > > Actually, it doesn't.  It goes ahead and
> installs
> > > it,
> > > > even though I specified these:
> > > > 
> > > > WITH_MYSQL=     yes
> > > > WANT_MYSQL_VER= 323
> > > > IGNORE_WITH_MYSQL=5
> > > > 
> > > > Starting with a system that had no MySQL or
> PHP
> > > > installed on it, I did a make install in the
> > > > dotproject port with the Makefile and distinfo
> I
> > > > specified earlier.
> > > > 
> > > > It seems to look for mysql.so, and if that's
> > > found, it
> > > > doesn't worry about the version.
> > > 
> > > OK, so it's just silently broken, which is
> worse.
> > > 
> > 
> > It's still better than the current situation.
> 
> Publishing packages that will not run because
> they're linked to the
> wrong libraries is, again, not my idea of "better".
> 

There is no linkage problem.  It's a client/server
problem.

PHP4 is perfectly happy being linked with the MySQL 5
client libraries, it's the database server that needs
to be 3.23.  The SQL used in dotProject is legal for
3.23, but not 5.

> > > > See the log at http://fcox.net/dp.log, when no
> > > mysql
> > > > or php was installed on the system.
> > > > 
> > > > Perhaps this is a bug in the dependencies
> system.
> > > 
> > > Dunno without investigating.  Anyway, the
> correct
> > > solution is the
> > > same.
> > > 
> > 
> > OK, so if you had a pointer on how to depend on
> that
> > alternate version, it would help.
> 
> Copy the php4-mysql port to php4-mysql3 and make the
> presumably
> trivial change to make it use mysql 3 instead of
> whatever the default
> is.
> 

It's not trivial.  The current Makefile is trivial,
but a change to do what you're suggesting will need to
be more complex.

Here's the current php4-mysql Makefile:

CATEGORIES=     databases

MASTERDIR=      ${.CURDIR}/../../lang/php4

PKGNAMESUFFIX=  -mysql

.include "${MASTERDIR}/Makefile"

The ${MASTERDIR}/Makefile doesn't refer to mysql at
all.

Personally, I don't see how it knows it's supposed to
link MySQL in there.  Perhaps it's because PHP4
defaults to including MySQL support, so this isn't
really doing anything.  I haven't read far enough to
know for sure.

> >  Right now, the
> > dependencies are specified with the WITH and
> IGNORE
> > variables, but it seems that with your proposal I
> > won't be able to do that.  Maybe tonight I will
> fall
> > asleep reading the Porter's Handbook.
> 
> OK.
> 
> Kris
> 


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com