You are correct insofar as it triggers at compile time for libpcap, the configure script to be exact. I grabbed a copy of the trojan'ed libpcap and compiled it in a sandbox machine. You can do a strings of the compiled libpcap.a and grep for 1963. Doing so yields these results:

debian:~/libpcap-0.7.1# strings libpcap.a | grep 1963
1963
not port 1963

I _didn't_ have the same result when running the command against woody's libpcap library files on my boxen. Obviously, I'm not saying that you will have the same result or that this is the only method to find the problem, etc. It worked for me though.

Steve

On Thu, Nov 14, 2002 at 11:37:37AM +0100, Bart-Jan Vrielink wrote:
> On Wed, 2002-11-13 at 20:15, Lupe Christoph wrote:
> > > Please read
> > > http://www.hlug.org/modules.php?op=modload&name=News&file=article&sid=6&mode=thread&order=0&thold=0
> >
> > Is Debian affected?
>
> If I read this (and the CERT advisory) correctly, the trojan only
> triggers at compile time, so I don't think normal Debian users are
> affected, only perhaps the maintainer himself.
>
> From CA-2002-30 (CERT):
>
> II. Impact
>
> An intruder operating from (or able to impersonate) the remote address
> specified in the malicious code could gain unauthorized remote access to
> any host that compiled a version of tcpdump with this Trojan horse. The
> privilege level under which this malicious code would be executed would
> be that of the user who compiled the source code.
>
> "... any host that compiled ..." means to me that the Debian packages
> shouldn't be affected.
>
> --
> Tot ziens,
> Bart-Jan Vrielink
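
The check from the reply at the top of this thread, as an added example that is not part of the original messages: it walks the members of an `ar` archive such as libpcap.a and reports which member carries the string `not port 1963`, the more specific of the two lines the grep returned. The sample archives and member names are constructed for illustration.

```python
import re

AR_MAGIC = b"!<arch>\n"
INDICATOR = b"not port 1963"  # string the post found in the trojaned libpcap.a

def ar_members(blob):
    """Yield (name, data) for each member of a Unix ar archive."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos = len(AR_MAGIC)
    while pos + 60 <= len(blob):
        header = blob[pos:pos + 60]
        if header[58:60] != b"`\n":
            raise ValueError("corrupt member header at offset %d" % pos)
        # GNU ar terminates short names with '/'; special members keep odd names.
        name = header[:16].decode("ascii", "replace").rstrip().rstrip("/")
        size = int(header[48:58].decode("ascii").strip())
        yield name, blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size & 1)  # member data is padded to an even offset

def printable_strings(data, min_len=4):
    """Same idea as strings(1): runs of printable ASCII of at least min_len."""
    return re.findall(rb"[\x20-\x7e\t]{%d,}" % min_len, data)

def find_indicator(blob, indicator=INDICATOR):
    """Return [(member, string)] for each printable string containing the indicator."""
    hits = []
    for name, data in ar_members(blob):
        for s in printable_strings(data):
            if indicator in s:
                hits.append((name, s.decode("ascii")))
    return hits

def _member(name, data):
    """Build one ar member (constructed test data, not a real object file)."""
    hdr = b"%-16s%-12d%-6d%-6d%-8s%-10d`\n" % (
        name + b"/", 0, 0, 0, b"100644", len(data))
    return hdr + data + (b"\n" if len(data) & 1 else b"")

# Constructed sample archives; member names a.o and b.o are hypothetical.
CLEAN = AR_MAGIC + _member(b"a.o", b"\x7fELF\x00\x01ip and tcp\x00\x02")
SUSPECT = CLEAN + _member(b"b.o", b"\x7fELF\x00not port 1963\x00\x001963\x00")

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(label, find_indicator(blob))
```

To scan a real library, pass `open(path, "rb").read()` to `find_indicator`; an empty list matches the result the poster reports for woody's packaged libpcap.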