Vulnerability
xzx
Affected
xzx package from author's page
Description
Prana Gunadi found the following. XZX is a portable emulator of the ZX
Spectrum 48K/128K/+3. This program tries to send an unauthorized
e-mail during its RPM installation (PRIVACY problem) to
install@fantasy.muc.de.
As proof, from the file /usr/src/RPM/SPECS/xzx.spec (the post
installation entry):
== xzx.spec (some snipped) ==
%post
set +x
sm=`type sendmail`
if [ $? -eq 0 ]
then
set ${sm}
SENDMAIL=$3
else
SENDMAIL=/usr/sbin/sendmail
fi
if [ -x ${SENDMAIL} ]
then
${SENDMAIL} install@fantasy.muc.de 2>/dev/null <<- _EOF_
Subject: install notification
Version: %{Name}-%{Version}
Date : `date`
User : `whoami`
Host : `hostname`
OS : `uname -a`
_EOF_
fi
Solution
The script above belongs to the rpm package that is supplied
by the author and is available at
http://www.philosys.de/~kunze/xzx/?dl
There is not the slightest connection between the package in the
distribution and the one on his website. If there are any reproaches,
direct them to the author.
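
One way to catch a scriptlet like this before installing a package, as an added example that is not part of the original advisory or of xzx: the Python below scans the output of rpm -qp --scripts for mail or network clients, e-mail addresses and host-fingerprinting commands. The rule list and function names are assumptions of this example, and SAMPLE is constructed (abridged) from the %post entry above, with X.Y as a placeholder version.

```python
import re
import subprocess
import sys

# Section headers printed by `rpm -q --scripts`, e.g.
# "postinstall scriptlet (using /bin/sh):"
HEADER = re.compile(r"^(\w+) (?:scriptlet|program)\b")

# Heuristic rules (assumptions of this example, not an exhaustive list).
RULES = [
    ("mail/network client", re.compile(r"\b(sendmail|mailx?|curl|wget|nc|ftp)\b", re.I)),
    ("e-mail address", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")),
    ("host/user fingerprinting", re.compile(r"\b(whoami|hostname|uname)\b")),
]

# Constructed sample: the advisory's %post entry, abridged, in the form
# `rpm -qp --scripts` would print it. "X.Y" is a placeholder version.
SAMPLE = """postinstall scriptlet (using /bin/sh):
SENDMAIL=/usr/sbin/sendmail
if [ -x ${SENDMAIL} ]
then
${SENDMAIL} install@fantasy.muc.de 2>/dev/null <<- _EOF_
Subject: install notification
Version: xzx-X.Y
User : `whoami`
Host : `hostname`
OS : `uname -a`
_EOF_
fi
"""

def audit_scriptlets(text):
    """Return (section, line_no, reason, line) for every suspicious line."""
    findings, section = [], "unknown"
    for no, line in enumerate(text.splitlines(), 1):
        m = HEADER.match(line)
        if m:  # a new scriptlet section starts here
            section = m.group(1)
            continue
        for reason, rx in RULES:
            if rx.search(line):
                findings.append((section, no, reason, line.strip()))
    return findings

if __name__ == "__main__":
    # With a package path, audit its real scriptlets; otherwise the sample.
    text = (subprocess.run(["rpm", "-qp", "--scripts", sys.argv[1]], capture_output=True,
                           text=True, check=True).stdout if len(sys.argv) > 1 else SAMPLE)
    for finding in audit_scriptlets(text):
        print(*finding, sep=" | ")
```

A hit is a prompt to read the scriptlet, not a verdict: legitimate packages also reference mail or network tools in their install scripts.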