Bugtraq mailing list archives
Re: Package xzx-2.9.2-2.i386.rpm spies - SuSE Linux 6.4
From: Roman Drahtmueller <draht () SUSE DE>
Date: Mon, 24 Jul 2000 20:23:20 +0200
> System affected:
> =====================
> SuSE Linux 6.4

Not at all. The SuSE xzx package on SuSE-6.4 or other versions doesn't contain the said postinstall script. See below.

> Homepage: http://www.suse.de/en/produkte/susesoft/linux/Pakete/paket_xzx.html
>
> Package name:
> =====================
> xzx-2.9.2-2.i386.rpm
> XZX is a portable emulator of ZX Spectrum 48K/128K/+3
>
> Problem:
> =====================
> This program tries to send an unauthorized e-mail during its RPM
> installation (PRIVACY problem) to <install () fantasy muc de>

The script from Prana's mail belongs to the rpm package that is supplied by the author and is available at http://www.philosys.de/~kunze/xzx/?dl . There is not the slightest connection between the package on the distribution and the one on (Erik Kunze <Erik.Kunze () fantasy muc de>)'s website. If there are any reproaches then direct them to the author. I must confirm that this script isn't state of the art in terms of good manners.

"PROOF:" Download the rpm and verify the postinstall script using

    rpm -qp --scripts xzx-2.9.2-2.i386.rpm

Compare this with the postinstall script in the SuSE package.

By consequence, the "Solution" suggestion below is exactly the contrary to what would be advisable.

*

First off, it would have been good style to contact SuSE security under security () suse de _prior_ to spreading such information. This didn't happen, and possible damage could have been avoided.

Secondly, reputation is very fragile in this business. This is also the case for private persons who don't use half-anonymous freemail providers to voice themselves. Please be fair with your statements and double-check each word. A statement is difficult to retract as soon as it's written and published.

Thanks,
Roman Drahtmüller,
SuSE Security.
--
Roman Drahtmüller <draht () suse de>
SuSE GmbH - Security
Nürnberg, Germany
"Caution: Cape does not enable user to fly." (Batman Costume warning label)

> PROOF:
> =====================
> From the file /usr/src/RPM/SPECS/xzx.spec (the post installation entry)
>
> == xzx.spec (some snipped) ==
> %post
> set +x
> sm=`type sendmail`
> if [ $? -eq 0 ]
> then
> set ${sm}
> SENDMAIL=$3
> else
> SENDMAIL=/usr/sbin/sendmail
> fi
> if [ -x ${SENDMAIL} ]
> then
> ${SENDMAIL} install () fantasy muc de 2>/dev/null <<- _EOF_
> Subject: install notification
> Version: %{Name}-%{Version}
> Date : `date`
> User : `whoami`
> Host : `hostname`
> OS : `uname -a`
> _EOF_
> fi
> === xzx.spec (some snipped) ===
>
> Solution: Compile from its source instead of installing its RPM package
>
> --
> Prana <pranalukas () gmx de>
> http://cyest.hypermart.net
> My GnuPG Key ID: 0x33343FD3 (2000-07-21)
> Key fingerprint = F1FB 1F76 8866 0F40 A801 D9DA 6BED 6641 3334 3FD3
> http://blackhole.pca.dfn.de:11371/pks/lookup?op=get&search=0x33343FD3
>
> --
> Sent through GMX FreeMail - http://www.gmx.net

Regards,
Roman Drahtmüller.
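
The check described in the reply above (dump a package's scriptlets with `rpm -qp --scripts` and read them before installing) can be partly automated. The script below is an added example, not part of the original post and not SuSE or xzx tooling; `audit_scriptlets`, `sample_vendor` and the command word lists are assumptions made for this illustration, and the sample dump is constructed from the %post section quoted above.

```shell
#!/bin/sh
# Added example: flag scriptlet lines in `rpm -qp --scripts` output that
# invoke a mail/network client or collect host identity.
# audit_scriptlets is a hypothetical helper; the word lists are a starting point.
audit_scriptlets() {
    awk '
    # Section headers look like "postinstall scriptlet (using /bin/sh):"
    # (older rpm releases print "postinstall script (through /bin/sh):").
    /^[a-z]+ script(let)? \((using|through) [^)]*\):$/ { sec = $1; n = 0; next }
    sec == "" { next }          # ignore anything before the first scriptlet
    {
        n++
        l = tolower($0)         # fold case: the quoted script calls ${SENDMAIL}
        if (l ~ /(^|[^a-z0-9_])(sendmail|mailx?|curl|wget|nc|telnet)([^a-z0-9_]|$)/)
            printf "%s:SEND:%d:%s\n", sec, n, $0
        else if (l ~ /(^|[^a-z0-9_])(whoami|hostname|uname)([^a-z0-9_]|$)/)
            printf "%s:INFO:%d:%s\n", sec, n, $0
    }'
}

# Constructed dump: the %post body quoted in the thread, with macros expanded.
sample_vendor() {
cat <<'SAMPLE'
postinstall scriptlet (using /bin/sh):
set +x
sm=`type sendmail`
if [ $? -eq 0 ]
then
set ${sm}
SENDMAIL=$3
else
SENDMAIL=/usr/sbin/sendmail
fi
if [ -x ${SENDMAIL} ]
then
${SENDMAIL} install () fantasy muc de 2>/dev/null <<- _EOF_
Subject: install notification
Version: xzx-2.9.2
Date : `date`
User : `whoami`
Host : `hostname`
OS : `uname -a`
_EOF_
fi
SAMPLE
}

# Real use: rpm -qp --scripts xzx-2.9.2-2.i386.rpm | audit_scriptlets
sample_vendor | audit_scriptlets
```

Running the same filter over two builds of a package and diffing the results is a quick way to do the comparison suggested in the reply; an empty result means only that none of the listed commands appear, so the scriptlets should still be read.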