Date: Wed, 20 Jul 2005 15:12:26 +0200
From: Peter Keel <security@...erlink.ch>
To: bugtraq@...urityfocus.com
Subject: Re: Installation of software, and security. . .


Well, since you can't be sure what a package will do, the user/admin
should at least have the possibility to examine the contents of a
package, manually or with virus-scanners or whatever without actually
running any script or some unpack-in-place routine provided by the
package itself.

So far, some Installers fail this miserably:

NullSoft Installer
http://nsis.sourceforge.net/
The packager has complete control over any switches given to the
package, and most choose not to provide an "unpack only" switch.
There is no official way to unpack these packages; 7zip and the
like fail.

Loki Installer
http://www.lokigames.com/development/setup.php3
It seems you can give the parameter --noexec, which will probably
not execute any scripts. Changing this in the prepended script would
probably lead to a wrong md5-sum; but a specially prepared loki-setup
would produce packets which could ignore that. So chances are slim
somebody could change an already existing package, but the packager
himself can do as he sees fit. And then, unpacking such a package
by hand is not very feasible.

For some others, third-party tools are available, like
http://innounp.sourceforge.net/, which you can use to examine packages by
hand or plug into your antivirus.

I consider it mandatory that packages allow being unpacked in place, by
a tool that is not part of the package itself. It's the least thing you
can do.

Regards
Peter
-- 
Operator in charge of Security        Tel +41 1 287 2993
Cyberlink Internet Services AG        Fax +41 1 287 2991
Richard Wagnerstrasse 6               admin@...erlink.ch
CH-8002 Zuerich                  http://www.cyberlink.ch