[15939] in bugtraq
Re: Package xzx-2.9.2-2.i386.rpm spies - SuSE Linux 6.4
daemon@ATHENA.MIT.EDU (Andreas Jaeger)
Mon Jul 24 20:52:30 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: <u81z0jie5e.fsf@gromit.rhein-neckar.de>
Date: Mon, 24 Jul 2000 20:20:13 +0200
Reply-To: aj@SUSE.DE
From: Andreas Jaeger <aj@SUSE.DE>
X-To: pranalukas@GMX.DE
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: "Gunadi, Prana"'s message of "Mon, 24 Jul 2000 07:28:36 +0200"
>>>>> Gunadi, Prana writes:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> System affected:
> =====================
> SuSE Linux 6.4
> Homepage:
> http://www.suse.de/en/produkte/susesoft/linux/Pakete/paket_xzx.html
> Package name:
> =====================
> xzx-2.9.2-2.i386.rpm
> XZX is a portable emulator of ZX Spectrum 48K/128K/+3
> Problem:
> =====================
> This program tries to send an unauthorized e-mail during its RPM
> installation (PRIVACY problem) to <install@fantasy.muc.de>
> PROOF:
> =====================
> - From the file /usr/src/RPM/SPECS/xzx.spec (the post installation entry)
That paths does not exist under SuSE 6.4, SuSE uses packages instead
of RPM. Are you sure this comes from SuSE 6.4? In that case please
send me the complete (!) spec file, I'd like to check it.
Just for the record: I checked the current spec file for the upcoming
SuSE 7.0 release and my CDs of 6.4 - both don't contain the post
section. I do agree that this shouldn't happen.
Andreas
> == xzx.spec (some snipped) ==
> %post
> set +x
> sm=`type sendmail`
> if [ $? -eq 0 ]
> then
> set ${sm}
> SENDMAIL=$3
> else
> SENDMAIL=/usr/sbin/sendmail
> fi
> if [ -x ${SENDMAIL} ]
> then
> ${SENDMAIL} install@fantasy.muc.de 2>/dev/null <<- _EOF_
> Subject: install notification
> Version: %{Name}-%{Version}
> Date : `date`
> User : `whoami`
> Host : `hostname`
> OS : `uname -a`
> _EOF_
> fi
> === xzx.spec (some snipped) ===
> Solution:
> Compile from its source instead of installing its RPM package
--
Andreas Jaeger
SuSE Labs aj@suse.de
private aj@arthur.inka.de
