The title says it all ;)

Content of the attachment (next message):

qpopper-4.0.5-r1.ebuild
qpopper-4.0.5-r1.ebuild.patch
files/qpopper-mysql-4.1-0.13.patch

--------- WARNING!!! ---------

1) The files/qpopper-mysql-4.1-0.13.patch has been modified to compile under mysql-4.1; the function "hash_password" has been renamed to "qp_hash_password" because of a conflict with the mysql one. This has *not* been tested. So if in doubt, please attach the original patch from the url above and mask for <dev-db/mysql-4.1

2) A first try to compile with USE="-gdbm" has failed; this seems not to be related to the mysql patch, but I've not tested it.

3) To tell the whole truth, it has still not been tested running; I will give it a try this week.

emerge -pv qpopper ;qpkg -l qpopper
[ebuild R ] net-mail/qpopper-4.0.5-r1 -debug +gdbm -mailbox +mysql -pam +ssl +xinetd 0 kB [1]
net-mail/qpopper-4.0.5-r1 *
CONTENTS:
/etc
/etc/xinetd.d
/etc/xinetd.d/pop-3
/etc/mail
/etc/mail/certs
/etc/mail/certs/cert.pem
/usr
/usr/share
/usr/share/man
/usr/share/man/man8
/usr/share/man/man8/popper.8.gz
/usr/share/man/man8/popauth.8.gz
/usr/share/doc
/usr/share/doc/qpopper-4.0.5-r1
/usr/share/doc/qpopper-4.0.5-r1/rfc
/usr/share/doc/qpopper-4.0.5-r1/rfc/rfc2449.txt.gz
/usr/share/doc/qpopper-4.0.5-r1/rfc/rfc1939.txt.gz
/usr/share/doc/qpopper-4.0.5-r1/GUIDE.pdf.gz
/usr/share/doc/qpopper-4.0.5-r1/mysql-popper.conf.gz
/usr/share/doc/qpopper-4.0.5-r1/README.MYSQL.gz
/usr/share/doc/qpopper-4.0.5-r1/README.MAILDIR.gz
/usr/share/doc/qpopper-4.0.5-r1/README.gz
/usr/share/doc/qpopper-4.0.5-r1/example-mysql-configure.txt.gz
/usr/share/doc/qpopper-4.0.5-r1/example-maildir-configure.txt.gz
/usr/sbin
/usr/sbin/popper
/usr/sbin/popauth
Created attachment 50004 qpopper-mysql.tar.gz
:oops:

1) in the ebuild:
< --with-mysqlconfig=/etc/mysql/my.cnf
> --with-mysqlconfig=/etc/mail/mysql-popper.conf

2) qpopper.config is not copied
Ok, it works fine. Still using cleartext password.

Also tested SQL injection; the sql from the user is like this:

SELECT clear,active FROM mailbox WHERE username= 'username@mydomain.com'

so the injections tested were:

1) "' OR true" without double quotes; this gives an error to the client and the sql is not passed to the mysql server.

2) "'"; this is accepted, but a slash is added, like "\'", and it's a well-formed query.

"qpopper.config is not copied": this remains, but I'm sure that a gentoo-dev can see the error instantly.

thanks
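An added example (not from the thread or from the qpopper MySQL patch) that runs the two inputs tested above against the same SELECT, once built by concatenation with backslash-escaped quotes and once with a bound parameter. It assumes SQLite as an offline stand-in for MySQL and a constructed mailbox row; SQLite does not treat a backslash as an escape character, so the escaped form breaks there, while the bound form treats the input purely as data.

```python
import sqlite3

def make_db():
    # Constructed sample data; table and column names follow the query in the thread.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mailbox (username TEXT PRIMARY KEY, clear TEXT, active INTEGER)")
    conn.execute("INSERT INTO mailbox VALUES (?, ?, ?)",
                 ("username@mydomain.com", "constructed-secret", 1))
    return conn

def lookup_escaped(conn, username):
    # Models only the behaviour observed in the thread: ' becomes \' and the
    # result is pasted into the statement text. Safety then depends on the
    # server's string-literal rules.
    escaped = username.replace("'", "\\'")
    sql = "SELECT clear,active FROM mailbox WHERE username='%s'" % escaped
    return conn.execute(sql).fetchone()

def lookup_bound(conn, username):
    # The value travels separately from the statement text, so quoting rules
    # of the SQL dialect never apply to it.
    sql = "SELECT clear,active FROM mailbox WHERE username=?"
    return conn.execute(sql, (username,)).fetchone()

def classify(conn, lookup, username):
    try:
        row = lookup(conn, username)
    except sqlite3.Error:
        return "sql-error"
    return "match" if row else "no-match"

def run_cases():
    conn = make_db()
    # A valid mailbox name plus the two inputs tested in the thread.
    cases = ["username@mydomain.com", "' OR true", "'"]
    return {u: (classify(conn, lookup_escaped, u), classify(conn, lookup_bound, u))
            for u in cases}

if __name__ == "__main__":
    for user, (escaped, bound) in run_cases().items():
        print(f"{user!r:28} escaped={escaped:10} bound={bound}")
```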
Please, provide both diffs (ebuild's diff and the actual patch) as attachments. Never attach tarballs to bugzilla. Anyway, we normally don't like supporting 3rd party patches. I think the first approach should be trying to get upstream to apply these patches. Cheers, Ferdy
The original attachment provides three files: the modified ebuild, the diffs between the original ebuild and the modified one, and the patch that adds mysql support to qpopper. For the moment I've chosen to use courier, which has native support for mysql and is already in portage. Regards
Since we don't normally support third party patches, it's upstream's task to decide whether to include it or not. Cheers, Ferdy