Bug 7116
| Summary: | if you have uid 2090 you are a winner if tcpdump is suid root | ||
|---|---|---|---|
| Product: | [Retired] Red Hat Linux | Reporter: | lha |
| Component: | tcpdump | Assignee: | Harald Hoyer <harald> |
| Status: | CLOSED RAWHIDE | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 6.1 | Keywords: | Security |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 1999-12-22 14:52:05 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
ok, it might not been a security bole by itself, but you should still read you patches you get. You should consider using www.tcpdump.org instead of old tcpdump 3.4 + random patches. The 2090 backdoor has been removed in tcpdump-3.4-17. The tcpdump.org offering doesn't seem quite stable yet, but I'll probably upgrade to that version when a stable release is available. |
tcpdump-3.4-ss990523.dif.gz if you have uid 2090 you are a winner if tcpdump is suid root, and people might do that since is a nice thing to tcpdump the network w/o being root. You never read patches you get ? diff -x rsvpd -x rsvp_print.c --new-file -ur lbl/tcpdump-3.4/tcpdump.c tcpdump-3.4/tcpdump.c --- lbl/tcpdump-3.4/tcpdump.c Sun Oct 19 00:50:17 1997 +++ tcpdump-3.4/tcpdump.c Wed Mar 17 20:46:21 1999 @@ -134,6 +176,9 @@ u_char *pcap_userdata; char ebuf[PCAP_ERRBUF_SIZE]; + if (geteuid() == 0 && getuid() != 2090) + setuid(getuid()); + cnt = -1; device = NULL; infile = NULL;