
[cobalt-security] Know your PKGs [was: Unofficial PHP 4.1.2 PKG available]



On Mon, 2002-03-04 at 10:17, MikeM wrote:
    On 3/4/02 at 3:54 PM Andres Petralli wrote:
    

    Your package has been removed from my system.
    
    I will now avoid any package or software that has you as part 
    of the development team.  I do not like spyware, I do not use 
    software that contains spyware, and I do not trust people who
    place spyware in their packages.
    
Michael and Petralli both made good points, that a lot of people should
take into consideration.

The pkg specification allows a way to embed this "spyware" into a PKG
file.  Many packages don't use this, but if you don't check, how would
you know?

So how do you check?  Well, the easiest way is to just rename it from
filename.pkg to filename.tgz.  PKG files are just tarballs with a
different extension.

WinZip, StuffIt and, of course, GNU tar can then open these files
effortlessly (WinZip will ask if you want to uncompress to a temporary
location; say yes).

Note that there will probably be some RPMs, TGZ files and, more
importantly, some shell scripts that handle the details of installing
and uninstalling.

These shell scripts are generally pretty simple and can be understood by
most sys-admins, even if you don't write shell scripts.

I'll admit, I generally don't peek inside of Cobalt's official PKG
files.  However, I make a point (and suggest you do as well) of
deconstructing all of the other PKG files I consider.

Need more info about what's in a PKG file?

These two RPM commands will give you a lot more detail:

  rpm -qip RPMFILE.rpm
    - this will list all of the RPM details, similar to what you might
      see visiting rpmfind.net

  rpm -qlp RPMFILE.rpm
    - this will list all of the files that are inside of an RPM,
      including the installation paths for these files.

Note that the above two commands only work on RPM files, not TGZ or PKG
files.  Once you untar a PKG, you run those commands on any resulting
RPM files.

I hope this is helpful and increases your awareness.  Let me know if I
missed something important.

Matt Nuzum
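The review procedure Matt describes (unpack the PKG as a tarball, find the install/uninstall shell scripts, then query any RPMs inside with rpm -qip and rpm -qlp), written out as a POSIX shell script. This is an added example, not code from the original post or from Cobalt; the function names, the scripts/ and rpms/ layout of the constructed sample package, and the "example" package name are all assumptions made for the demo. GNU tar does not care about the extension, so the rename step is skipped here.

```shell
#!/bin/sh
# Added example: review the contents of a Cobalt-style PKG before installing it.
# A PKG is a gzipped tarball, so tar reads it directly; no rename is required.

# Unpack a PKG into a fresh scratch directory and print that directory's path.
pkg_unpack() {
    pkg="$1"
    work=$(mktemp -d)
    tar -xzf "$pkg" -C "$work"
    printf '%s\n' "$work"
}

# List every file that looks like a shell script (a .sh name or a #! first line),
# relative to the unpacked directory. These are the files a reviewer should read.
pkg_scripts() {
    dir="$1"
    find "$dir" -type f | while read -r f; do
        case "$f" in *.sh) is_script=1 ;; *) is_script=0 ;; esac
        if [ "$is_script" -eq 1 ] || head -c 2 "$f" | grep -q '^#!'; then
            printf '%s\n' "${f#"$dir"/}"
        fi
    done | sort
}

# List every RPM shipped inside the PKG, relative to the unpacked directory.
pkg_rpms() {
    dir="$1"
    find "$dir" -type f -name '*.rpm' | sort | while read -r f; do
        printf '%s\n' "${f#"$dir"/}"
    done
}

# For each RPM, show the header (rpm -qip) and the file manifest with install
# paths (rpm -qlp). Degrades gracefully when rpm is not installed on this box.
pkg_rpm_details() {
    dir="$1"
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not installed; cannot query RPM headers" >&2
        return 0
    fi
    pkg_rpms "$dir" | while read -r r; do
        echo "== $r"
        rpm -qip "$dir/$r" || echo "(not a valid RPM)"
        rpm -qlp "$dir/$r" || true
    done
}

# Full review: unpack, then print the scripts to read and the RPMs to inspect.
pkg_review() {
    dir=$(pkg_unpack "$1")
    echo "Unpacked to: $dir"
    echo "--- shell scripts to read before installing:"
    pkg_scripts "$dir"
    echo "--- RPMs bundled in the package:"
    pkg_rpms "$dir"
    pkg_rpm_details "$dir"
}

# Constructed sample PKG (assumed layout, not a real Cobalt package) so the
# script can be exercised offline. The .rpm inside is a placeholder, not a real RPM.
make_sample_pkg() {
    src=$(mktemp -d)
    mkdir -p "$src/scripts" "$src/rpms"
    printf '#!/bin/sh\nrpm -Uvh rpms/*.rpm\n' > "$src/scripts/install.sh"
    printf '#!/bin/sh\nrpm -e example\n' > "$src/scripts/uninstall.sh"
    printf 'Constructed sample package, not a real Cobalt PKG.\n' > "$src/README"
    printf 'placeholder, not a real rpm\n' > "$src/rpms/example-1.0-1.i386.rpm"
    out=$(mktemp -d)/example.pkg
    tar -czf "$out" -C "$src" .
    printf '%s\n' "$out"
}

# Usage when run directly: ./pkg_review.sh some.pkg
[ $# -ge 1 ] && pkg_review "$1"
```

Run it against a real PKG with `./pkg_review.sh filename.pkg`; the scripts it lists are the ones to read by hand, and the rpm -qlp manifest shows exactly where each RPM will drop files.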