Mailinglist Archive: opensuse-security (375 mails)

< Previous Next >
Is my package fixed? Or: How to look into RPMs
  • From: Peter Poeml <poeml@xxxxxxx>
  • Date: Wed, 18 Sep 2002 16:58:04 +0200
  • Message-id: <20020918145804.GB16750@xxxxxxx>
Sometimes on this list folks express doubts whether a package contains a
certain fix or not. Even if the security announcements say the packages
are not vulnerable, they want to know for sure. Looking at the version
number of the package is most likely not enough to be sure... but how
then? How to look "into" the packages?

I thought I'd write up a short howto and post it here.


How to find out what HAS been changed:

1) get the original source RPM as distributed on the CDs ("zq" or "src"
directory)
2) get the "fixed" package (see the security announcement, it contains
the link to where to find it.)

3) compare the changelogs of the packages:

rpm -qp --changelog /path/to/old.rpm > /tmp/old.changes
rpm -qp --changelog /path/to/new.rpm > /tmp/new.changes
diff -u /tmp/old.changes /tmp/new.changes | grep "^+"

3) compare the file lists (just for an overview):

/usr/lib/rpm/rpmdiff /path/to/old.rpm /path/to/new.rpm

This step would very likely show you that a patch file that has been
added.

4) to look further, unpack the source RPMs:

mkdir old; ( cd old; rpm2cpio /path/to/old.rpm | cpio -i --make-directories )
mkdir new; ( cd new; rpm2cpio /path/to/new.rpm | cpio -i --make-directories )

5) compare the two directories:
diff -uNr old new | less
or
diff -uNr old new | view - -c "syntax on"
if you like it colorful. Or, pipe it into diffstat, or print it out
via pdiff :-)


How to find out what SHOULD have been changed:

6) get the most recent sources (i.e. the fixed version) of, for
example, openssl.
7) get the second most recent sources (the vulnerable version).
8) untar both of them.
9) read and compare the ChangeLog or CHANGES files (or a similar file).
10) run a recursive diff about the two source directories to review the
changes.

Taking this even further, to really verify that the vulnerability is
gone, you need a testcase (an exploit).

Anyway, your picture about the packages should be complete by then, and
all your doubts hopefully gone.

For remaining questions you could contact this list (suse-security@xxxxxxxx).

In case of serious concerns you should contact the SuSE Security Team
directly, writing to security@xxxxxxxx

Hope this helps,
Peter

--
Thought is limitation. Free your mind.
< Previous Next >
Follow Ups