Re: "Latest libpcap & tcpdump sources from tcpdump.org contain a trojan"
You are correct insofar as it triggers at compile time for libpcap, the
configure script to be exact. I grabbed a copy of the trojan'ed libpcap
and compiled it in a sandbox machine. You can do a strings of
the compiled libpcap.a and grep for 1963. Doing so yields these results:
debian:~/libpcap-0.7.1# strings libpcap.a | grep 1963
not port 1963
I _didn't_ have the same result when running the command against woody's
libpcap library files on my boxen. Obviously, I'm not saying that you
will have the same result or that this is the only method to find the
problem, etc. It worked for me though.
On Thu, Nov 14, 2002 at 11:37:37AM +0100, Bart-Jan Vrielink wrote:
> On Wed, 2002-11-13 at 20:15, Lupe Christoph wrote:
> > Please read
> > http://www.hlug.org/modules.php?op=modload&name=News&file=article&sid=6&mode=thread&order=0&thold=0
> > Is Debian affected?
> If I read this (and the CERT advisory) correctly, the trojan only
> triggers at compile time, so I don't think normal Debian users are
> affected, only perhaps the maintainer himself.
> From CA-2002-30 (CERT):
> II. Impact
> An intruder operating from (or able to impersonate) the remote address
> specified in the malicious code could gain unauthorized remote access to
> any host that compiled a version of tcpdump with this Trojan horse. The
> privilege level under which this malicious code would be executed would
> be that of the user who compiled the source code.
> "... any host that compiled ..." means to me that the Debian packages
> shouldn't be affected.
> Tot ziens,
> Bart-Jan Vrielink
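A small script version of the check described in the first message above, added here as an example and not part of the original thread. It looks for the same "not port 1963" filter string the poster found in the compiled libpcap.a, but uses grep -a (binary-safe) instead of strings so it runs without binutils. The file-name pattern for libpcap archives and shared objects, and the choice to report a hit as "suspicious" rather than proven trojaned, are this example's own assumptions; as the poster says, absence of the string does not prove a build is clean.

```shell
#!/bin/sh
# Added example (not from the thread): flag libpcap build artifacts that
# contain the "not port 1963" filter string observed in the trojaned
# libpcap.a. grep -a is used instead of strings; the marker string is the
# only indicator taken from the message, everything else is assumed.

MARKER='not port 1963'

# has_1963_marker FILE
#   exit 0 if FILE contains the marker, 1 if it does not, 2 if unreadable
has_1963_marker() {
    if [ ! -r "$1" ]; then
        printf 'unreadable: %s\n' "$1" >&2
        return 2
    fi
    if LC_ALL=C grep -a -q -- "$MARKER" "$1"; then
        printf 'SUSPICIOUS: %s contains "%s"\n' "$1" "$MARKER"
        return 0
    fi
    printf 'clean: %s\n' "$1"
    return 1
}

# scan_libpcap DIR...
#   print the path of every libpcap archive or shared object under the
#   given directories that carries the marker, one per line
scan_libpcap() {
    for dir in "$@"; do
        # grep -l exits 1 when nothing matches, which is the normal
        # "all clean" result, so that status must not abort a set -e caller
        find "$dir" -type f \( -name 'libpcap*.a' -o -name 'libpcap*.so*' \) \
            -exec grep -a -l -- "$MARKER" {} + 2>/dev/null || :
    done
}

# count_suspicious DIR...  -> number of flagged files, as a bare integer
count_suspicious() {
    scan_libpcap "$@" | wc -l | tr -d ' '
}

# usage: sh check_libpcap.sh /usr/lib /usr/local/lib
if [ $# -gt 0 ]; then
    scan_libpcap "$@"
fi
```

Run it against the directories where libpcap archives or shared objects were installed from source; packages built from a clean tarball should produce no output. A hit is a reason to rebuild from verified sources and compare, not a final verdict, and the name filter deliberately ignores unrelated files so that a packet filter expression in, say, a text file is not reported.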