Wolfgang S. Rupprecht wrote:
Jim Cornette <fc-cornette@xxxxxxxxxxxxxx> writes:
So was this a trojan version or an unsigned version?
Bugzilla says this was a race in the release tools and the rpm was
good but slipped through unsigned.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=232523
I was concerned mainly because the two packages were listed in the
vulnerability from 2002.
http://www.symantec.com/security_response/vulnerability.jsp?bid=6171
I thought tcpdump and libpcap were both dated in January even though
the development package was dated Mar 15th.
In theory Redhat folks could have applied a private patch, even if the
underlying tcpdump distribution didn't change since January.
Since the date was different from the devel package but at the same
version level, I was concerned that someone was infiltrating the mirrors
or the home server. Tcpdump was infiltrated back in late 2002. I hope it
was just a build error and not bad-natured individuals infiltrating the
mirrors.
Anyway, looking up information for libpcap and tcpdump on a Windows
machine had me cross paths with the 2002 incident and kicked in the
antivirus software for windows.
Just to be safe, are these incidents unrelated? Did I just happen to
cross the virus via google and the packages were only messed up by the
build process?
Even if it was a trojan, I can't imagine the attacker would want to
slip an MS virus in there. That would draw even more attention to the
files. Linux exploits and MS exploits would require vastly different
code.
What happened on my XP system was that some services[1].txt file was loaded
into the "Temporary Internet Files" and the active protection facility
in the Symantec antivirus program launched and tried to clean the file
from the XP system. It is not a Windows virus unless it was thought I
was googling for a Windows version of the programs.
I did come to the realization that you should not try to install
unsigned rpms in case this was an attempt to place a trojaned version on
the mirrors.
My jaw dropped when I read that one of the bugzilla responses (by a
normal user) was to force the installation by editing the yum conf
file to say "gpgcheck=0".
If it isn't signed by a repository that you trust then all bets are
off.
I 100 percent agree! I read the portion of the vulnerability where it
would install bad items, use a certain port and then report to home
base. I think it deleted its traces from the infiltrated system on exit.
This is scary stuff to me.
I would not defeat the valuable feature of signature checking or even
attempt to install the package until it was known to be safe.
Jim
-wolfgang
--
Everything you know is wrong!
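As an added example (not part of the thread above, and not Red Hat's, the rpm project's or yum's own code), here are the two checks this discussion argues for, written as a small Python script: parse the output of `rpm -K` (alias `rpm --checksig`) and refuse any package that is not carrying a GPG signature that verifies, and scan a yum configuration for repositories that have been forced to `gpgcheck=0`. The sample `rpm -K` lines and the sample yum.conf are constructed here to match the output and config format of rpm 4.4-era tools; package names, the `GPG#deadbeef` key id and the repo names are placeholders, and the script never contacts a mirror or runs rpm itself. Treating a repository with no `gpgcheck` setting at all as unchecked is a fail-closed assumption of this example, not yum's documented behaviour.

```python
"""Two checks before installing a package from a mirror (added example).

1. classify each line of `rpm -K` output: signed and verified, unsigned
   (digests only, nobody vouches for the contents), signed but the key is
   not installed, or a signature that does not verify;
2. list yum repositories whose effective gpgcheck is 0.
"""
import configparser
import re

# Constructed sample in the shape `rpm -K` printed for rpm 4.4 (2007 era).
# File names and the key id are placeholders, not real packages or keys.
SAMPLE_CHECKSIG_OUTPUT = """\
tcpdump-1.0-1.i386.rpm: (sha1) dsa sha1 md5 gpg OK
libpcap-1.0-1.i386.rpm: sha1 md5 OK
libpcap-devel-1.0-1.i386.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#deadbeef)
evil-1.0-1.i386.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK
"""

# Constructed sample yum.conf; repo names and paths are placeholders.
SAMPLE_YUM_CONF = """\
[main]
gpgcheck=1

[fedora]
name=Fedora
baseurl=http://mirror.example/fedora/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora

[local-unsigned]
name=Local packages forced in with gpgcheck=0
baseurl=file:///var/local/rpms/
gpgcheck=0
"""


def classify_checksig_line(line):
    """Return (filename, verdict) for one `rpm -K` output line.

    verdict is one of 'signed-ok', 'unsigned', 'missing-key', 'bad-signature'.
    Only 'signed-ok' should ever be installed; 'unsigned' is exactly the case
    from the thread, where digests match but no trusted key vouches for it.
    """
    filename, _, status = line.partition(": ")
    status_l = status.lower()
    # "NOT OK" also ends with "OK", so test the negative form first.
    if re.search(r"\bnot ok\b", status_l):
        if "missing keys" in status_l:
            return filename, "missing-key"
        return filename, "bad-signature"
    if not re.search(r"\bok\b", status_l):
        # Unexpected output format: fail closed rather than guess.
        return filename, "bad-signature"
    if "gpg" not in status_l:
        return filename, "unsigned"  # only sha1/md5 digests were checked
    return filename, "signed-ok"


def classify_checksig_output(checksig_output):
    """Map each file name in `rpm -K` output to its verdict."""
    results = {}
    for line in checksig_output.splitlines():
        if line.strip():
            name, verdict = classify_checksig_line(line)
            results[name] = verdict
    return results


def installable(checksig_output):
    """Sorted list of the files that passed GPG verification."""
    return sorted(name for name, verdict in
                  classify_checksig_output(checksig_output).items()
                  if verdict == "signed-ok")


def repos_without_gpgcheck(conf_text):
    """Return repo section names whose effective gpgcheck is 0.

    A repo without its own gpgcheck inherits the [main] value; if [main]
    does not set one either, this example assumes 0 (fail closed).
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    default = cp.get("main", "gpgcheck", fallback="0")
    unchecked = []
    for section in cp.sections():
        if section == "main":
            continue
        value = cp.get(section, "gpgcheck", fallback=default).strip().lower()
        if value in ("0", "false", "no", "off"):
            unchecked.append(section)
    return unchecked


if __name__ == "__main__":
    for name, verdict in classify_checksig_output(SAMPLE_CHECKSIG_OUTPUT).items():
        print(f"{verdict:14s} {name}")
    print("repos with gpgcheck=0:", repos_without_gpgcheck(SAMPLE_YUM_CONF))
```

On a real system the first half of this would be fed by `rpm -K /path/to/*.rpm` and the second by /etc/yum.conf plus the files under /etc/yum.repos.d; the point of the "missing-key" verdict is that a signature from a key you have not imported tells you nothing, so the fix is to import the repository's published key, not to set gpgcheck=0.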