Subject: Re: Package xzx-2.9.2-2.i386.rpm spies - SuSE Linux 6.4
From: Roman Drahtmueller (draht@SUSE.DE)
Date: Mon Jul 24 2000 - 13:23:20 CDT
> System affected:
> =====================
> SuSE Linux 6.4
Not at all. The SuSE xzx package on SuSE-6.4 or other versions doesn't
contain the said postinstall script. See below.
> Homepage:
> http://www.suse.de/en/produkte/susesoft/linux/Pakete/paket_xzx.html
>
> Package name:
> =====================
> xzx-2.9.2-2.i386.rpm
> XZX is a portable emulator of ZX Spectrum 48K/128K/+3
>
> Problem:
> =====================
> This program tries to send an unauthorized e-mail during its RPM
> installation (PRIVACY problem) to <install@fantasy.muc.de>
The script from Prana's mail belongs to the rpm package that is supplied
by the author and is available at http://www.philosys.de/~kunze/xzx/?dl .
There is not the slightest connection between the package on the
distribution and the one on (Erik Kunze <Erik.Kunze@fantasy.muc.de>)'s
website. If there are any reproaches then direct them to the author. I
must confirm that this script isn't state of the art in terms of good
manners.
"PROOF:"
Download the rpm and verify the postinstall script using
    rpm -qp --scripts xzx-2.9.2-2.i386.rpm
Compare this with the postinstall script in the SuSE package.
By consequence, the "Solution" suggestion below is exactly the contrary to
what would be advisable.
*
First off, it would have been good style to contact SuSE security under
security@suse.de _prior_ to spreading such information. This didn't happen,
and possible damage could have been avoided.
Secondly, reputation is very fragile in this business. This is also the
case for private persons who don't use half-anonymous freemail providers
to voice themselves. Please be fair with your statements and double-check
each word. A statement is difficult to retract as soon as it's written and
published.
Thanks,
Roman Drahtmüller,
SuSE Security.
>
> PROOF:
> =====================
> - From the file /usr/src/RPM/SPECS/xzx.spec (the post installation entry)
>
> == xzx.spec (some snipped) ==
> %post
> set +x
> sm=`type sendmail`
> if [ $? -eq 0 ]
> then
> set ${sm}
> SENDMAIL=$3
> else
> SENDMAIL=/usr/sbin/sendmail
> fi
> if [ -x ${SENDMAIL} ]
> then
> ${SENDMAIL} install@fantasy.muc.de 2>/dev/null <<- _EOF_
> Subject: install notification
>
> Version: %{Name}-%{Version}
> Date : `date`
> User : `whoami`
> Host : `hostname`
> OS : `uname -a`
> _EOF_
> fi
>
> === xzx.spec (some snipped) ===
>
> Solution:
> Compile from its source instead of installing its RPM package
>
> - --
> Prana <pranalukas@gmx.de>
> http://cyest.hypermart.net
> My GnuPG Key ID: 0x33343FD3 (2000-07-21)
> Key fingerprint = F1FB 1F76 8866 0F40 A801 D9DA 6BED 6641 3334 3FD3
> http://blackhole.pca.dfn.de:11371/pks/lookup?op=get&search=0x33343FD3
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.2 (GNU/Linux)
> Comment: Made with Geheimnis
>
> iD8DBQE5e9W2a+1mQTM0P9MRAg3qAJ99Zf18fY9LYscIPfEFPfqfQFxOAgCeNcdZ
> XxzcWlviLUn0mESoz9IWi+s=
> =J9RT
> -----END PGP SIGNATURE-----
>
> --
> Sent through GMX FreeMail - http://www.gmx.net
>
Regards,
Roman Drahtmüller.
--
 -                                                                      -
| Roman Drahtmüller <draht@suse.de>         "Caution: Cape does not     |
| SuSE GmbH - Security                       enable user to fly."       |
| Nürnberg, Germany                  (Batman Costume warning label)     |
 -                                                                      -
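
Added example (not part of the original message or of either xzx package): a shell filter for the `rpm -qp --scripts` output mentioned above. It flags scriptlet lines whose command is a mail or network client, including the case in the quoted %post script where the client is reached through a variable (`${SENDMAIL}`). The function names, the tool list and the header pattern are assumptions.

```shell
# Usage: rpm -qp --scripts PKG.rpm | audit_scriptlets
# Prints flagged lines; returns 1 if any. Tool list and header pattern are assumptions.
audit_scriptlets() {
    awk '
    BEGIN { n = split("sendmail mail mailx curl wget nc ftp", t, " ")
            for (i = 1; i <= n; i++) tool[t[i]] = 1 }
    # Section header, e.g. "postinstall scriptlet (using /bin/sh):"
    /^(pre|post)(install|uninstall|trans) script(let)? \((using|through) / {
        section = $1; next }
    section == "" { next }
    {
        line = $0; sub(/^[ \t]+/, "", line)
        split(line, w, /[ \t]+/); cmd = w[1]
        if (cmd ~ /^[A-Za-z_][A-Za-z0-9_]*=/) {      # VAR=value
            name = cmd; sub(/=.*/, "", name)
            val = cmd; sub(/^[^=]*=/, "", val); sub(/^.*\//, "", val)
            if (val in tool) holds[name] = 1         # VAR now names a client
            next
        }
        if (cmd ~ /^\$/) {                            # $VAR or ${VAR} as command
            gsub(/[^A-Za-z0-9_]/, "", cmd)
            if (cmd in holds) { print section ": " line; hits++ }
            next
        }
        sub(/^.*\//, "", cmd)                         # /usr/bin/curl -> curl
        if (cmd in tool) { print section ": " line; hits++ }
    }
    END { exit (hits > 0) }'
}
# Constructed input: the %post body quoted in this thread (mail body shortened).
sample_upstream() { cat <<'SAMPLE'
postinstall scriptlet (using /bin/sh):
set +x
sm=`type sendmail`
if [ $? -eq 0 ]
then
set ${sm}
SENDMAIL=$3
else
SENDMAIL=/usr/sbin/sendmail
fi
if [ -x ${SENDMAIL} ]
then
${SENDMAIL} install@fantasy.muc.de 2>/dev/null <<- _EOF_
Subject: install notification
_EOF_
fi
SAMPLE
}
```

Run `sample_upstream | audit_scriptlets` to see the single flagged line; a plain grep for "sendmail" would instead hit the probe and assignment lines and miss the invocation.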