Bugtraq mailing list archives
Re: Installation of software, and security. . .
From: Peter Keel <security () cyberlink ch>
Date: Wed, 20 Jul 2005 15:12:26 +0200
Well, since you can't be sure what a package will do, the user/admin should at least have the possibility to examine the contents of a package, manually or with virus-scanners or whatever, without actually running any script or some unpack-in-place routine provided by the package itself.

So far, some installers fail this miserably:

NullSoft Installer
http://nsis.sourceforge.net/
The packager has complete control over any switches given to the package, and most choose not to provide an "unpack only" switch. There is no official way to unpack these packages; 7zip and the like fail.

Loki Installer
http://www.lokigames.com/development/setup.php3
It seems you can give the parameter --noexec, which will probably not execute any scripts. Changing this in the prepended script would probably lead to a wrong md5-sum; but a specially prepared loki-setup would produce packets which could ignore that. So chances are slim somebody could change an already existing package, but the packager himself can do as he sees fit. And then, unpacking such a package by hand is not very feasible.

For some others, third-party tools are available, like http://innounp.sourceforge.net/ which you can use to examine packages by hand or plug into your antivirus.

I consider it mandatory that packages allow being unpacked in place, by a tool that is not part of the package itself. It's the least thing you can do.

Regards
Peter

--
Operator in charge of Security        Tel +41 1 287 2993
Cyberlink Internet Services AG        Fax +41 1 287 2991
Richard Wagnerstrasse 6               admin () cyberlink ch
CH-8002 Zuerich                       http://www.cyberlink.ch
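The following is an added example, not part of the original message and not code from any of the installer projects named in it: a sketch of an external inspection tool that lists what a self-extracting package carries without running the package's own stub. It assumes a generic layout of "shell stub followed by a gzip-compressed tar payload"; the sample installer, file names and the helper functions (build_sample_installer, find_payload, inspect) are constructed for illustration.

```python
import gzip, io, tarfile, zlib

GZIP_MAGIC = b"\x1f\x8b\x08"  # gzip header: ID1, ID2, CM=deflate

def build_sample_installer():
    """Constructed sample: a shell stub followed by a gzip-compressed tar payload."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data, mode in [
            ("setup.sh", b"#!/bin/sh\necho installing\n", 0o755),
            ("data/readme.txt", b"hello\n", 0o644),
            ("bin/helper", b"\x7fELF...", 0o4755),  # setuid bit set on purpose
        ]:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = mode
            tar.addfile(info, io.BytesIO(data))
    stub = b"#!/bin/sh\n# constructed stub; a real one would unpack and run setup.sh\nexit 0\n"
    return stub + buf.getvalue()

def find_payload(blob):
    """Return the offset of the first gzip stream that actually decompresses."""
    pos = blob.find(GZIP_MAGIC)
    while pos != -1:
        try:
            gzip.GzipFile(fileobj=io.BytesIO(blob[pos:])).read(512)
            return pos
        except (OSError, EOFError, zlib.error):  # false hit inside the stub
            pos = blob.find(GZIP_MAGIC, pos + 1)
    raise ValueError("no gzip payload found after the stub")

def inspect(blob):
    """List payload members without extracting or executing anything."""
    offset = find_payload(blob)
    report = []
    with tarfile.open(fileobj=io.BytesIO(blob[offset:]), mode="r:gz") as tar:
        for m in tar:
            flags = []
            if m.mode & 0o6000: flags.append("setuid/setgid")
            if m.name.startswith("/") or ".." in m.name.split("/"): flags.append("path-escape")
            if m.issym() or m.islnk(): flags.append("link")
            report.append((m.name, m.size, oct(m.mode), flags))
    return offset, report

if __name__ == "__main__":
    offset, report = inspect(build_sample_installer())
    print("stub length / payload offset:", offset)
    for row in report: print(row)
```

The stub bytes before the returned offset can be read as plain text, and the payload slice can be handed to a scanner, all without the package's script ever being executed.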