trojan tcpdump?

[Wolfgang S. Rupprecht]

Jim Cornette <fc-cornette at insight.rr.com> writes:
> So was this a trojan version or an unsigned version? 

Bugzilla says this was a race in the release tools and the rpm was
good but slipped through unsigned.

         https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=232523

> I thought the date for tcpdump and libpcap were both dated in
> January even though the development package was dated Mar 15th.

In theory Redhat folks could have applied a private patch, even if the
underlying tcpdump distribution didn't change since January.

> Anyway, looking up information for libpcap and tcpdump on a Windows
> machine had me cross paths with the 2002 incident and kicked in the
> antivirus software for windows.
>
> Just to be safe, are these incidents unrelated? Did I just happen to
> cross the virus via google and the packages were only messed up by the
> build process?

Even if it was a trojan, I can't imagine the attacker would want to
slip an MS virus in there.  That would draw even more attention to the
files.  Linux exploits and MS exploits would require vastly different
code.

> I did come to the realization that you should not try to install
> unsigned rpms in case this was an attempt to trojan version the
> mirrors.

My jaw dropped when I read that one of the bugzilla responses (by a
normal user) was to force the installation by editing the yum conf
file to say "gpgcheck=0".

If it isn't signed by a repository that you trust then all bets are
off.

-wolfgang
-- 
Wolfgang S. Rupprecht                http://www.wsrcc.com/wolfgang/