5295131 2000-07-24  19:06  /77 lines/ Brevbäraren (som är implementerad i) Python
Recipient: Bugtraq (import) <11886>
Subject: Package xzx-2.9.2-2.i386.rpm spies - SuSE Linux 6.4
------------------------------------------------------------
From: "Gunadi, Prana" <pranalukas@GMX.DE>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <29303.964416516@www26.gmx.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

System affected:
=====================
SuSE Linux 6.4
Homepage:
http://www.suse.de/en/produkte/susesoft/linux/Pakete/paket_xzx.html

Package name:
=====================
xzx-2.9.2-2.i386.rpm
XZX is a portable emulator of ZX Spectrum 48K/128K/+3

Problem:
=====================
This program tries to send an unauthorized e-mail during its RPM
installation (PRIVACY problem) to <install@fantasy.muc.de>

PROOF:
=====================
- From the file /usr/src/RPM/SPECS/xzx.spec (the post installation
entry)

== xzx.spec (some snipped) ==
%post
set +x
sm=`type sendmail`
if [ $? -eq 0 ]
then
  set ${sm}
  SENDMAIL=$3
else
  SENDMAIL=/usr/sbin/sendmail
fi
if [ -x ${SENDMAIL} ]
then
  ${SENDMAIL} install@fantasy.muc.de 2>/dev/null <<- _EOF_
Subject: install notification

Version: %{Name}-%{Version}
Date   : `date`
User   : `whoami`
Host   : `hostname`
OS     : `uname -a`
_EOF_
fi

=== xzx.spec (some snipped) ===

Solution:
Compile from its source instead of installing its RPM package

- --
Prana <pranalukas@gmx.de>
http://cyest.hypermart.net
My GnuPG Key ID: 0x33343FD3 (2000-07-21)
Key fingerprint = F1FB 1F76 8866 0F40 A801  D9DA 6BED 6641 3334 3FD3
http://blackhole.pca.dfn.de:11371/pks/lookup?op=get&search=0x33343FD3


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.2 (GNU/Linux)
Comment: Made with Geheimnis

iD8DBQE5e9W2a+1mQTM0P9MRAg3qAJ99Zf18fY9LYscIPfEFPfqfQFxOAgCeNcdZ
XxzcWlviLUn0mESoz9IWi+s=
=J9RT
-----END PGP SIGNATURE-----

(5295131) ------------------------------------------(Rewrapped)

5296063 2000-07-25  02:43  /75 lines/ Brevbäraren (som är implementerad i) Python
Recipient: Bugtraq (import) <11898>
Comment on text 5295131 by Brevbäraren (som är implementerad i) Python
Subject: Re: Package xzx-2.9.2-2.i386.rpm spies - SuSE Linux 6.4
------------------------------------------------------------
From: Andreas Jaeger <aj@SUSE.DE>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <u81z0jie5e.fsf@gromit.rhein-neckar.de>

>>>>> Gunadi, Prana writes:

 > -----BEGIN PGP SIGNED MESSAGE-----
 > Hash: SHA1

 > System affected:
 > =====================
 > SuSE Linux 6.4
 > Homepage:
 > http://www.suse.de/en/produkte/susesoft/linux/Pakete/paket_xzx.html

 > Package name:
 > =====================
 > xzx-2.9.2-2.i386.rpm
 > XZX is a portable emulator of ZX Spectrum 48K/128K/+3

 > Problem:
 > =====================
 > This program tries to send an unauthorized e-mail during its RPM
 > installation (PRIVACY problem) to <install@fantasy.muc.de>

 > PROOF:
 > =====================
 > - From the file /usr/src/RPM/SPECS/xzx.spec (the post installation entry)

That path does not exist under SuSE 6.4, SuSE uses packages instead
of RPM.  Are you sure this comes from SuSE 6.4?  In that case please
send me the complete (!) spec file, I'd like to check it.

Just for the record: I checked the current spec file for the upcoming
SuSE 7.0 release and my CDs of 6.4 - both don't contain the post
section.  I do agree that this shouldn't happen.

Andreas


 > == xzx.spec (some snipped) ==
 > %post
 > set +x
 > sm=`type sendmail`
 > if [ $? -eq 0 ]
 > then
 >   set ${sm}
 >   SENDMAIL=$3
 > else
 >   SENDMAIL=/usr/sbin/sendmail
 > fi
 > if [ -x ${SENDMAIL} ]
 > then
 >   ${SENDMAIL} install@fantasy.muc.de 2>/dev/null <<- _EOF_
 > Subject: install notification

 > Version: %{Name}-%{Version}
 > Date   : `date`
 > User   : `whoami`
 > Host   : `hostname`
 > OS     : `uname -a`
 > _EOF_
 > fi

 > === xzx.spec (some snipped) ===

 > Solution:
 > Compile from its source instead of installing its RPM package

--
 Andreas Jaeger
  SuSE Labs aj@suse.de
   private aj@arthur.inka.de
(5296063) ------------------------------------------

5303540 2000-07-26  20:26  /119 lines/ Brevbäraren (som är implementerad i) Python
Recipient: Bugtraq (import) <11929>
Comment on text 5296088 by Brevbäraren (som är implementerad i) Python
Subject: Re: Package xzx-2.9.2-2.i386.rpm spies - SuSE Linux 6.4
------------------------------------------------------------
From: "Gunadi, Prana" <pranalukas@GMX.DE>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <13458.964578720@www24.gmx.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Yes, I must apologize to SuSE security because my earlier e-mail was
inaccurate. I've just double-checked it today and I found out that it
was the original package xzx-2.9.2-2.i386.rpm from
http://www.philosys.de/~kunze/xzx/?dl that contains the post-install
script -- not the xzx package from SuSE 6.4.

> Not at all. The SuSE xzx package on SuSE-6.4 or other versions don't
> contain the said postinstall script. See below.
> >
> > Problem:
> > =====================
> > This program tries to send an unauthorized e-mail during its RPM
> > installation (PRIVACY problem) to <install@fantasy.muc.de>
>
> The script from Prana's mail belongs to the rpm package that is supplied
> by the author and is available at
> http://www.philosys.de/~kunze/xzx/?dl .
> There is not the slightest connection between the package on the
> distribution and the one on (Erik Kunze <Erik.Kunze@fantasy.muc.de>)'s
> website. If there are any reproaches then direct them to the author. I
> must confirm that this script isn't state of the art in terms of good
> manners.
>
> "PROOF:"
>
> Download the rpm and verify the postinstall script using
>
> rpm -qp --scripts xzx-2.9.2-2.i386.rpm
>
> Compare this with the postinstall script in the SuSE package.
> By consequence, the "Solution" suggestion below is exactly the contrary
> to what would be advisable.
>
> *
>
> First off, it would have been good style to contact SuSE security under
> security@suse.de _prior_ to spread such information. This didn't happen,
> and possible damage could have been avoided.
>
> Secondly, reputation is very fragile in this business. This is also the
> case for private persons who don't use half-anonymous freemail providers
> to voice themselves. Please be fair with your statements and double-check
> each word. A statement is difficult to retract as soon as it's written and
> published.
>
> Thanks,
> Roman Drahtmüller,
> SuSE Security.
> --
>  -                                                                    -
> | Roman Drahtmüller <draht@suse.de>     "Caution: Cape does not        |
>   SuSE GmbH - Security                  enable user to fly."
> | Nürnberg, Germany                     (Batman Costume warning label) |
>  -                                                                    -
>
>
> >
> > PROOF:
> > =====================
> > - From the file /usr/src/RPM/SPECS/xzx.spec (the post installation
> > entry)
> >
> > == xzx.spec (some snipped) ==
> > %post
> > set +x
> > sm=`type sendmail`
> > if [ $? -eq 0 ]
> > then
> >   set ${sm}
> >   SENDMAIL=$3
> > else
> >   SENDMAIL=/usr/sbin/sendmail
> > fi
> > if [ -x ${SENDMAIL} ]
> > then
> >   ${SENDMAIL} install@fantasy.muc.de 2>/dev/null <<- _EOF_
> > Subject: install notification
> >
> > Version: %{Name}-%{Version}
> > Date   : `date`
> > User   : `whoami`
> > Host   : `hostname`
> > OS     : `uname -a`
> > _EOF_
> > fi
> >
> > === xzx.spec (some snipped) ===

- --
Prana <pranalukas@gmx.de>
http://cyest.hypermart.net
My GnuPG Key ID: 0x33343FD3 (2000-07-21)
Key fingerprint = F1FB 1F76 8866 0F40 A801  D9DA 6BED 6641 3334 3FD3
http://blackhole.pca.dfn.de:11371/pks/lookup?op=get&search=0x33343FD3
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.2 (GNU/Linux)
Comment: Made with Geheimnis

iD8DBQE5fk84a+1mQTM0P9MRAuFuAKCHu+EeoCOKYTxcKUwXkjR9SITUAgCeMTjs
egwZRFVu5tXzKvqV0Vc+Q9w=
=l/0e
-----END PGP SIGNATURE-----

(5303540) ------------------------------------------(Rewrapped)
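
Added example, not part of any message in this thread: a shell filter for the scriptlet text that the `rpm -qp --scripts` check quoted above prints, flagging lines that invoke a mail or network client, name an e-mail address, or collect user and host details. The function names `audit_scriptlets` and `sample_post_scriptlet` and the keyword lists are assumptions; the sample input is the `%post` block as quoted in the thread.

```shell
# Flag scriptlet lines that could send host data off the machine.
# Usage: rpm -qp --scripts package.rpm | audit_scriptlets
# Returns 0 when something was flagged, 1 when nothing matched.
audit_scriptlets() {
    awk '
        # Section headers: rpm prints lines such as
        # "postinstall scriptlet (using /bin/sh):"; spec files use %pre, %post.
        /^(pre|post)(un)?install script/ || /^%(pre|post)/ { section = $0; next }
        # Mail and network clients (assumed keyword list, extend as needed).
        /(^|[^A-Za-z0-9_])(sendmail|mailx?|curl|wget|nc|telnet|ftp)([^A-Za-z0-9_]|$)/ {
            printf "EGRESS   [%s] %s\n", section, $0; hits++; next
        }
        # A literal e-mail address is a likely destination.
        /[A-Za-z0-9._-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+/ { printf "ADDRESS  [%s] %s\n", section, $0; hits++; next }
        # Commands that identify the user or the host.
        /(^|[^A-Za-z0-9_])(whoami|hostname|uname)([^A-Za-z0-9_]|$)/ { printf "HOSTINFO [%s] %s\n", section, $0; hits++ }
        END { exit (hits ? 0 : 1) }
    '
}

# Sample input: the %post block as quoted in the thread (spec-file form, so
# the %{Name} macros are unexpanded). Quoted delimiter: nothing is executed.
sample_post_scriptlet() {
    cat <<'SAMPLE'
%post
set +x
sm=`type sendmail`
if [ $? -eq 0 ]
then
  set ${sm}
  SENDMAIL=$3
else
  SENDMAIL=/usr/sbin/sendmail
fi
if [ -x ${SENDMAIL} ]
then
  ${SENDMAIL} install@fantasy.muc.de 2>/dev/null <<- _EOF_
Subject: install notification

Version: %{Name}-%{Version}
Date   : `date`
User   : `whoami`
Host   : `hostname`
OS     : `uname -a`
_EOF_
fi
SAMPLE
}

sample_post_scriptlet | audit_scriptlets
```

A match is a prompt to read the scriptlet, not a verdict: the filter matches literal lowercase names, so a client reached only through a variable such as `${SENDMAIL}` shows up via the assignment lines and the address, not the invocation itself.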