[15965] in bugtraq


Re: Package xzx-2.9.2-2.i386.rpm spies - SuSE Linux 6.4

daemon@ATHENA.MIT.EDU (Gunadi, Prana)
Wed Jul 26 14:49:05 2000

Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Message-Id:  <13458.964578720@www24.gmx.net>
Date:         Wed, 26 Jul 2000 04:32:00 +0200
Reply-To: pranalukas@GMX.DE
From: "Gunadi, Prana" <pranalukas@GMX.DE>
To: BUGTRAQ@SECURITYFOCUS.COM

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Yes, I must apologize to SuSE security because my earlier e-mail was
inaccurate. I've just double-checked it today and I found out that it was the
original package xzx-2.9.2-2.i386.rpm from http://www.philosys.de/~kunze/xzx/?dl
that contains the post-install script -- not the xzx package from SuSE 6.4.

> Not at all. The SuSE xzx package on SuSE-6.4 or other versions doesn't
> contain the said postinstall script. See below.
> >
> > Problem:
> > =====================
> > This program tries to send an unauthorized e-mail during its RPM
> > installation (PRIVACY problem) to <install@fantasy.muc.de>
>
> The script from Prana's mail belongs to the rpm package that is supplied
> by the author and is available at http://www.philosys.de/~kunze/xzx/?dl.
> There is not the slightest connection between the package on the
> distribution and the one on (Erik Kunze <Erik.Kunze@fantasy.muc.de>)'s
> website. If there are any reproaches then direct them to the author. I
> must confirm that this script isn't state of the art in terms of good
> manners.
>
> "PROOF:"
>
> Download the rpm and verify the postinstall script using
>
> rpm -qp --scripts xzx-2.9.2-2.i386.rpm
>
> Compare this with the postinstall script in the SuSE package.
> By consequence, the "Solution" suggestion below is exactly the contrary to
> what would be advisable.
>
> *
>
> First off, it would have been good style to contact SuSE security under
> security@suse.de _prior_ to spread such information. This didn't happen,
> and possible damage could have been avoided.
>
> Secondly, reputation is very fragile in this business. This is also the
> case for private persons who don't use half-anonymous freemail providers
> to voice themselves. Please be fair with your statements and double-check
> each word. A statement is difficult to retract as soon as it's written and
> published.
>
> Thanks,
> Roman Drahtmüller,
> SuSE Security.
> --
>  -                                                                    -
> | Roman Drahtmüller <draht@suse.de>     "Caution: Cape does not        |
>   SuSE GmbH - Security                  enable user to fly."
> | Nürnberg, Germany                     (Batman Costume warning label) |
>  -                                                                    -
>
>
> >
> > PROOF:
> > =====================
> > From the file /usr/src/RPM/SPECS/xzx.spec (the post installation
> > entry)
> >
> > == xzx.spec (some snipped) ==
> > %post
> > set +x
> > sm=`type sendmail`
> > if [ $? -eq 0 ]
> > then
> >   set ${sm}
> >   SENDMAIL=$3
> > else
> >   SENDMAIL=/usr/sbin/sendmail
> > fi
> > if [ -x ${SENDMAIL} ]
> > then
> >   ${SENDMAIL} install@fantasy.muc.de 2>/dev/null <<- _EOF_
> > Subject: install notification
> >
> > Version: %{Name}-%{Version}
> > Date   : `date`
> > User   : `whoami`
> > Host   : `hostname`
> > OS     : `uname -a`
> > _EOF_
> > fi
> >
> > === xzx.spec (some snipped) ===

--
Prana <pranalukas@gmx.de>
http://cyest.hypermart.net
My GnuPG Key ID: 0x33343FD3 (2000-07-21)
Key fingerprint = F1FB 1F76 8866 0F40 A801  D9DA 6BED 6641 3334 3FD3
http://blackhole.pca.dfn.de:11371/pks/lookup?op=get&search=0x33343FD3
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.2 (GNU/Linux)
Comment: Made with Geheimnis

iD8DBQE5fk84a+1mQTM0P9MRAuFuAKCHu+EeoCOKYTxcKUwXkjR9SITUAgCeMTjs
egwZRFVu5tXzKvqV0Vc+Q9w=
=l/0e
-----END PGP SIGNATURE-----

--
Sent through GMX FreeMail - http://www.gmx.net
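An added check from the defender's side, not code from this thread, from SuSE or from the xzx author: a small POSIX shell audit that reads the output of `rpm -qp --scripts` (the command Roman recommends above) and flags scriptlet lines that can reach the network or that collect the host details such a notification would carry. The pattern lists, the function names (`flag_scriptlets`, `count_flags`, `audit_rpm`) and the record format are this example's own choices; the only input it ships with is the %post script quoted in the thread, embedded here as constructed sample data.

```shell
#!/bin/sh
# Added example, not part of the original thread: audit the scriptlets of an
# RPM before installing it, flagging commands that can contact the network
# and commands that gather host details. It automates the read-through that
# `rpm -qp --scripts pkg.rpm` invites you to do by hand.

# Constructed pattern lists for this example; extend them for your site.
EGRESS_CMDS='sendmail|mailx?|curl|wget|ftp|nc|netcat|telnet|ssh|scp|rsync'
RECON_CMDS='whoami|hostname|uname|ifconfig|id'
# A literal e-mail address in a scriptlet names the recipient of a report.
ADDR_RE='[[:alnum:]._-]+@[[:alnum:].-]+\.[[:alpha:]]+'

# Build an ERE that matches a command name only as a whole word, so that
# "sendmail" is found in "${SENDMAIL}" (case-insensitively) but "mail" is
# not found inside "installmailer".
word_re() {
    printf '(^|[^[:alnum:]_])(%s)([^[:alnum:]_]|$)' "$1"
}

# flag_scriptlets: read scriptlet text on stdin (e.g. the output of
# `rpm -qp --scripts pkg.rpm`) and print one "categories:lineno:line" record
# per suspicious non-comment line. Prints nothing for a clean scriptlet.
flag_scriptlets() {
    egress_re=$(word_re "$EGRESS_CMDS")
    recon_re=$(word_re "$RECON_CMDS")
    # grep -vn drops comment lines and prefixes the rest with "lineno:".
    grep -vn '^[[:space:]]*#' | while IFS= read -r numbered; do
        lineno=${numbered%%:*}
        line=${numbered#*:}
        cats=''
        if printf '%s\n' "$line" | grep -qiE "$egress_re"; then
            cats="${cats}egress,"
        fi
        if printf '%s\n' "$line" | grep -qiE "$recon_re"; then
            cats="${cats}recon,"
        fi
        if printf '%s\n' "$line" | grep -qE "$ADDR_RE"; then
            cats="${cats}address,"
        fi
        if [ -n "$cats" ]; then
            printf '%s:%s:%s\n' "${cats%,}" "$lineno" "$line"
        fi
    done
}

# count_flags: number of flagged lines on stdin, as a bare integer.
count_flags() {
    flag_scriptlets | wc -l | tr -d '[:space:]'
}

# audit_rpm: run the check against a package file; needs rpm(8) installed.
# Returns 1 when anything is flagged so it can gate an installation script.
audit_rpm() {
    out=$(rpm -qp --scripts "$1" | flag_scriptlets)
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Sample input: the %post scriptlet quoted in the thread, embedded verbatim.
SAMPLE_POST=$(cat <<'SPEC_END'
%post
set +x
sm=`type sendmail`
if [ $? -eq 0 ]
then
  set ${sm}
  SENDMAIL=$3
else
  SENDMAIL=/usr/sbin/sendmail
fi
if [ -x ${SENDMAIL} ]
then
  ${SENDMAIL} install@fantasy.muc.de 2>/dev/null <<- _EOF_
Subject: install notification

Version: %{Name}-%{Version}
Date   : `date`
User   : `whoami`
Host   : `hostname`
OS     : `uname -a`
_EOF_
fi
SPEC_END
)

# Stand-alone run: report the suspicious lines of the sample scriptlet.
printf '%s\n' "$SAMPLE_POST" | flag_scriptlets
```

Against the sample it reports eight lines: five that mention sendmail, one of which also carries the literal install@ recipient address, and the three that collect the user, host and kernel details. A clean scriptlet produces no output. A hit is a prompt to read the scriptlet, not proof of bad intent, since plenty of packages legitimately call `hostname` or `id` in %post; the value of the check is that it runs before `rpm -i` rather than after.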
