submitter 409141 ehem+deb...@m5p.com
found 409141 1:0.6.1-4sarge2
found 409141 1:2.1+dfsg1-7
found 409141 1:2.99.97-3
found 409141 1:2.99.98-2
found 409141 1:2.99.98-2+b1
stop

Still no progress on this decade-old issue? I'll admit MySQL's security
has greatly improved to merely being poor, rather than horrific, but I
still don't want to have this major attack vector on my systems.

I'm attaching patches pointing towards two partial solutions. The first
pair demonstrates what I (and I suspect others) desire: completely
removing all SQL for a distinct security improvement. For others who
encounter this, do `apt-get source mailutils;
patch -p0 < patch-2.99.98-2-nosql.patch; cd mailutils-2.99.98;
dpkg-buildpackage -b` and you'll have mailutils without the MySQL
dependency. Of the resultant packages, only libmailutils4 needs to be
replaced to allow removal of MySQL.

For the audience who still desires SQL support, I suspect the last patch
will be viewed as a substantial improvement to the packaging. The
approach is to simply build based on unixodbc/libodbc1. This removes the
fixed dependency on libmysqlclient18 and all its attendant security
holes. This also opens the opportunity to make use of PostgreSQL instead
of MySQL.

My ideal approach would be to have dual builds of libmailutils, one build
including SQL support and one build being without SQL support. I'm
unsure of the correct way to make the Debian tools do this, but I doubt
it would be /that/ difficult. The result would be to create
libmailutils4-odbc and libmailutils4-nosql packages.

I'm a bit worried about the potential security level of some of the more
recently added dependencies of the mailutils packaging, but all of these
pale in comparison to the problem of MySQL.


Note, even though building based upon ODBC is somewhat less than optimal
IMO, building based on ODBC *does* in fact accomplish the feat requested
in bugs #253115, #307458, and #409141.  This approach also allows people
to continue using MySQL if so desired.


-- 
(\___(\___(\______          --=> 8-) EHM <=--          ______/)___/)___/)
 \BS (    |         ehem+sig...@m5p.com  PGP 87145445         |    )   /
  \_CS\   |  _____  -O #include <stddisclaimer.h> O-   _____  |   /  _/
8A19\___\_|_/58D2 7E3D DDF4 7BA6 <-PGP-> 41D1 B375 37D0 8714\_|_/___/5445
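As an added check (an example script, not part of this report or of the mailutils packaging): after rebuilding with the nosql patch, confirm that neither the generated Depends: field of libmailutils4 nor the DT_NEEDED entries of the shared library still reference libmysqlclient. The .deb and .so paths in the usage comment, and the field values used in testing, are constructed.

```sh
#!/bin/sh
# Added example, not from the bug report: verify that a rebuilt
# libmailutils4 really dropped the MySQL client library.  Two separate
# checks, because the Depends: field is generated from the shared
# library's DT_NEEDED entries and either one alone can be misleading.

# Exit 0 when a Depends: field value names no libmysqlclient* package.
# Split on ',' (list separator) and '|' (alternatives), trim, compare.
depends_is_mysql_free() {
    if printf '%s\n' "$1" | tr ',|' '\n\n' | sed 's/^[[:space:]]*//' |
        grep -q '^libmysqlclient'; then
        return 1
    fi
    return 0
}

# Exit 0 when `objdump -p` output lists no NEEDED libmysqlclient.so*.
needed_is_mysql_free() {
    if printf '%s\n' "$1" | awk '$1 == "NEEDED" { print $2 }' |
        grep -q '^libmysqlclient\.so'; then
        return 1
    fi
    return 0
}

# Run both checks against a built .deb and the library it contains.
# Usage (constructed paths): check_deb libmailutils4_VER_ARCH.deb libmailutils.so.4
check_deb() {
    deps=$(dpkg-deb -f "$1" Depends) || return 2
    needed=$(objdump -p "$2") || return 2
    depends_is_mysql_free "$deps" ||
        { echo "Depends: still lists libmysqlclient" >&2; return 1; }
    needed_is_mysql_free "$needed" ||
        { echo "DT_NEEDED still lists libmysqlclient" >&2; return 1; }
    echo "OK: no MySQL client dependency"
}

# Only touch real files when a .deb and a .so path are supplied.
if [ $# -eq 2 ]; then
    check_deb "$1" "$2"
fi
```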


diff -ruN mailutils-2.99.97.orig/debian/control mailutils-2.99.97/debian/control
--- mailutils-2.99.97.orig/debian/control	2012-06-22 13:09:26.000000000 -0700
+++ mailutils-2.99.97/debian/control	2015-11-22 19:44:45.000000000 -0800
@@ -26,7 +26,6 @@
                libldap2-dev,
                liblocale-gettext-perl,
                libltdl-dev,
-               libmysqlclient-dev,
                libpam0g-dev,
                libreadline-dev,
                libwrap0-dev,
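Review bot: the Build-Depends removal stands alone; nothing in the patch touches debian/changelog, so the rebuilt packages carry the archive's own version string (1:2.99.97-3 for this tree) and the next apt upgrade silently reinstates the MySQL-linked libmailutils4. Add a local version bump (`dch --local nosql` or similar) in the same patch so the local build sorts higher and is recognisable in `dpkg -l`.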
diff -ruN mailutils-2.99.97.orig/debian/rules mailutils-2.99.97/debian/rules
--- mailutils-2.99.97.orig/debian/rules	2012-06-22 14:11:05.000000000 -0700
+++ mailutils-2.99.97/debian/rules	2015-11-22 19:45:05.000000000 -0800
@@ -33,7 +33,7 @@
 	--with-lispdir=\$${prefix}/share/emacs/site-lisp \
 	--enable-virtual-domains --enable-mh \
 	--with-gnutls --with-gdbm --with-gssapi --with-gsasl \
-	--with-mysql --disable-rpath --disable-static \
+	--disable-rpath --disable-static \
 	--disable-cxx --disable-nntp \
 	--program-transform-name='s/^mu$$/mu-tool/'
 
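Review bot: removing `--with-mysql` leaves MySQL support to configure's default instead of disabling it explicitly; if the build host still has libmysqlclient-dev installed (dropping it from Build-Depends does not remove it), an autodetecting configure may link MySQL back in. Replace the deleted flag with `--without-mysql` on the `+` line so the intent is stated and the result does not depend on what happens to be installed.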
diff -ruN mailutils-2.99.98.orig/debian/control mailutils-2.99.98/debian/control
--- mailutils-2.99.98.orig/debian/control	2014-10-07 09:59:27.000000000 -0700
+++ mailutils-2.99.98/debian/control	2015-11-22 21:00:38.000000000 -0800
@@ -21,7 +21,6 @@
                libldap2-dev,
                liblocale-gettext-perl,
                libltdl-dev,
-               libmysqlclient-dev,
                libpam0g-dev,
                libreadline-dev,
                libwrap0-dev,
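Review bot: this control hunk is the same change as the 2.99.97 one above, only against a different orig tree; since the `found` lines mark 1:2.99.98-2 as the version currently in the archive, the 2.99.97 pair is dead weight for the maintainer. Ship one patch per target version actually in the archive, or a single patch against the packaging VCS, to cut the review surface in half.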
diff -ruN mailutils-2.99.98.orig/debian/rules mailutils-2.99.98/debian/rules
--- mailutils-2.99.98.orig/debian/rules	2014-10-03 01:06:40.000000000 -0700
+++ mailutils-2.99.98/debian/rules	2015-11-22 21:00:30.000000000 -0800
@@ -36,7 +36,7 @@
 	--with-lispdir=\$${prefix}/share/emacs/site-lisp \
 	--enable-virtual-domains --enable-mh --enable-python \
 	--with-gnutls --with-kyotocabinet --with-gssapi --with-gsasl \
-	--with-mysql --disable-rpath --disable-static \
+	--disable-rpath --disable-static \
 	--disable-cxx --disable-nntp \
 	--program-transform-name='s/^mu$$/mu-tool/'
 
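Review bot: dropping `--with-mysql` removes the SQL backend from libmailutils4 with no accompanying NEWS.Debian or README.Debian text; an administrator whose mailutils configuration still references the sql module gets a runtime failure after upgrade with no hint why. Document the removed feature alongside the rules change.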
diff -ruN mailutils-2.99.98.orig/debian/control mailutils-2.99.98/debian/control
--- mailutils-2.99.98.orig/debian/control	2014-10-07 09:59:27.000000000 -0700
+++ mailutils-2.99.98/debian/control	2015-11-22 20:59:58.000000000 -0800
@@ -21,12 +21,12 @@
                libldap2-dev,
                liblocale-gettext-perl,
                libltdl-dev,
-               libmysqlclient-dev,
                libpam0g-dev,
                libreadline-dev,
                libwrap0-dev,
                python-dev (>= 2.6.6-3~),
                texinfo,
+               unixodbc-dev,
                zlib1g-dev
 Standards-Version: 3.9.6
 Vcs-Svn: svn://anonscm.debian.org/pkg-mailutils/trunk/
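Review bot: adding unixodbc-dev makes libmailutils4 depend on libodbc1 at runtime, but an ODBC build is inert without a driver and a DSN; nothing here adds a `Suggests:` on an ODBC driver package (odbc-postgresql, for example) to the binary package, nor mentions the odbc.ini/odbcinst.ini setup. Add the Suggests: next to the Build-Depends change so the SQL backend remains discoverable after the switch.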
diff -ruN mailutils-2.99.98.orig/debian/rules mailutils-2.99.98/debian/rules
--- mailutils-2.99.98.orig/debian/rules	2014-10-03 01:06:40.000000000 -0700
+++ mailutils-2.99.98/debian/rules	2015-11-22 20:59:17.000000000 -0800
@@ -36,7 +36,7 @@
 	--with-lispdir=\$${prefix}/share/emacs/site-lisp \
 	--enable-virtual-domains --enable-mh --enable-python \
 	--with-gnutls --with-kyotocabinet --with-gssapi --with-gsasl \
-	--with-mysql --disable-rpath --disable-static \
+	--with-odbc=odbc --disable-rpath --disable-static \
 	--disable-cxx --disable-nntp \
 	--program-transform-name='s/^mu$$/mu-tool/'
 
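Review bot: `--with-odbc=odbc` passes an argument whose meaning is recorded neither in the patch nor in the covering mail; if configure only checks the flag for yes/no the `=odbc` is noise, and if it names a library or driver it should be explained so the next maintainer does not drop it. Either way, existing SQL configurations written for the native mysql backend will need re-pointing at an ODBC DSN, which belongs in NEWS.Debian alongside this change.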
