Linux malware: an incident and some solutions

Posted Dec 24, 2009 12:25 UTC (Thu) by tzafrir (subscriber, #11501)
Parent article: Linux malware: an incident and some solutions

Just one comment regarding the dpkg command in the article: it lists the contents of a package. That, however, omits one very obvious place to hide malicious (or, well, buggy) code: the maintainer scripts.

I'm not aware of a simple dpkg equivalent of the command 'rpm -q --scripts foo.rpm', but it should be along the lines of:

dpkg --info foo.deb config preinst postinst prerm postrm

Linux malware: an incident and some solutions

Posted Dec 24, 2009 16:34 UTC (Thu) by cortana (subscriber, #24596) [Link] (2 responses)

dpkg --info blah.deb will display which of the preinst, postinst, prerm, postrm scripts the .deb has,
and whether they are shell scripts, perl scripts, etc.

The question I want to ask is: why on earth did gnome-look not strip out all the scripts that
submitted debs contained? There is no need for a package containing a screen saver to contain
such as script; all you have to do is drop an executable somewhere, and a .desktop file in
/usr/share/applications/screensavers!

Linux malware: an incident and some solutions

Posted Dec 25, 2009 6:51 UTC (Fri) by elanthis (guest, #6227) [Link] (1 responses)

An even better question is why screensavers are submitted as dpkgs at all. Of hmome-look
wants to use native packages for this, require them to be submitted as simplifed source balls
and build the binaries and packages themselves, using a properly jailed build environment
(or even a vm instance).

Linux malware: an incident and some solutions

Posted Dec 26, 2009 14:21 UTC (Sat) by tzafrir (subscriber, #11501) [Link]

That's because you consider them as packagers.