[15926] in bugtraq
Package xzx-2.9.2-2.i386.rpm spies - SuSE Linux 6.4
daemon@ATHENA.MIT.EDU (Gunadi, Prana)
Mon Jul 24 13:19:30 2000
Message-ID: <29303.964416516@www26.gmx.net>
Date: Mon, 24 Jul 2000 07:28:36 +0200
Reply-To: pranalukas@GMX.DE
From: "Gunadi, Prana" <pranalukas@GMX.DE>
To: BUGTRAQ@SECURITYFOCUS.COM
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
System affected:
=====================
SuSE Linux 6.4
Homepage:
http://www.suse.de/en/produkte/susesoft/linux/Pakete/paket_xzx.html
Package name:
=====================
xzx-2.9.2-2.i386.rpm
XZX is a portable emulator of ZX Spectrum 48K/128K/+3
Problem:
=====================
This program tries to send an unauthorized e-mail during its RPM
installation (PRIVACY problem) to <install@fantasy.muc.de>
PROOF:
=====================
- From the file /usr/src/RPM/SPECS/xzx.spec (the post installation entry)
== xzx.spec (some snipped) ==
%post
set +x
sm=`type sendmail`
if [ $? -eq 0 ]
then
set ${sm}
SENDMAIL=$3
else
SENDMAIL=/usr/sbin/sendmail
fi
if [ -x ${SENDMAIL} ]
then
${SENDMAIL} install@fantasy.muc.de 2>/dev/null <<- _EOF_
Subject: install notification
Version: %{Name}-%{Version}
Date : `date`
User : `whoami`
Host : `hostname`
OS : `uname -a`
_EOF_
fi
=== xzx.spec (some snipped) ===
Solution:
Compile from its source instead of installing its RPM package
- --
Prana <pranalukas@gmx.de>
http://cyest.hypermart.net
My GnuPG Key ID: 0x33343FD3 (2000-07-21)
Key fingerprint = F1FB 1F76 8866 0F40 A801 D9DA 6BED 6641 3334 3FD3
http://blackhole.pca.dfn.de:11371/pks/lookup?op=get&search=0x33343FD3
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.2 (GNU/Linux)
Comment: Made with Geheimnis
iD8DBQE5e9W2a+1mQTM0P9MRAg3qAJ99Zf18fY9LYscIPfEFPfqfQFxOAgCeNcdZ
XxzcWlviLUn0mESoz9IWi+s=
=J9RT
-----END PGP SIGNATURE-----
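
Added example (not part of the original post, and not code from SuSE or the xzx package): a small scriptlet audit for the kind of %post entry quoted above. It reads scriptlet text on stdin and flags lines that reference a mail or transfer tool, contain a hard-coded e-mail address, or gather user/host identity by command substitution. The function names, category labels and the shortened sample are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not from the advisory or the xzx package.
# audit_scriptlets: read RPM scriptlet text on stdin and print one
# "lineno:category:text" record per flagged line. Exit status is 1
# when anything was flagged, 0 when the input is clean.
audit_scriptlets() {
    awk '
    function report(cat) { printf "%d:%s:%s\n", NR, cat, $0; found = 1 }
    {
        low = tolower($0)
        # Mail or transfer tool, named directly or through a variable such as ${SENDMAIL}
        if (low ~ /sendmail/ || low ~ /(^|[^a-z0-9_])(mailx?|curl|wget|ftp|nc)([^a-z0-9_]|$)/)
            report("transfer")
        # Hard-coded recipient address
        if (low ~ /[a-z0-9._-]+@[a-z0-9-]+(\.[a-z0-9-]+)+/)
            report("address")
        # User or host identity collected by command substitution
        if (low ~ /(`|\$\()[ ]*(whoami|hostname|uname|id)([^a-z0-9_]|$)/)
            report("identity")
    }
    END { exit (found ? 1 : 0) }
    '
}

# Constructed sample: a shortened copy of the %post excerpt quoted in the advisory.
sample_scriptlet() {
    cat <<'SAMPLE'
%post
SENDMAIL=/usr/sbin/sendmail
if [ -x ${SENDMAIL} ]
then
${SENDMAIL} install@fantasy.muc.de 2>/dev/null <<- _EOF_
Subject: install notification
User : `whoami`
Host : `hostname`
OS : `uname -a`
_EOF_
fi
SAMPLE
}

# Demo run on the sample; the message is printed only when lines were flagged.
sample_scriptlet | audit_scriptlets || echo "flagged lines above: review before installing"
```

To check a package before installing it, pipe its scriptlets through the function: rpm -qp --scripts package.rpm | audit_scriptlets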