Your message dated Mon, 13 Apr 2020 18:19:17 +0200
with message-id <90c3acd7261efbe604885b6159af15f54add68eb.ca...@gmail.com>
and subject line 789052-done
has caused the Debian Bug report #789052,
regarding chkrootkit: False positives:/usr/lib/pymodules/python2.7/.path 
/usr/lib/jvm/.java-1.7.0-openjdk-amd64.jinfo
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
789052: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=789052
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: chkrootkit
Version: 0.50-3
Severity: normal

Hello,

there seem to be at least 2 false positives,
which were also present in wheezy, and now in jessie:

You can ignore this by changing the chkrootkit.conf file in /etc

        RUN_DAILY_OPTS="-q -e '/usr/lib/jvm/.java-1.7.0-openjdk-amd64.jinfo /usr/lib/pymodules/python2.7/.path'"

Why FP?: both are non-executable text files:
1) .java-1.7.0-openjdk-amd64.jinfo
# dpkg -S /usr/lib/jvm/.java-1.7.0-openjdk-amd64.jinfo
openjdk-7-jre-headless:amd64: /usr/lib/jvm/.java-1.7.0-openjdk-amd64.jinfo
# debsums openjdk-7-jre-headless:amd64 | grep java-1.7.0-openjdk-amd64.jinfo
/usr/lib/jvm/.java-1.7.0-openjdk-amd64.jinfo                                  OK
# file /usr/lib/jvm/.java-1.7.0-openjdk-amd64.jinfo
/usr/lib/jvm/.java-1.7.0-openjdk-amd64.jinfo: ASCII text
...
2) /usr/lib/pymodules/python2.7/.path
doesn't seem to be part of installation, written by some process?
# hexdump -bc /usr/lib/pymodules/python2.7/.path
0000000 057 165 163 162 057 154 151 142 057 160 171 155 157 144 165 154
0000000   /   u   s   r   /   l   i   b   /   p   y   m   o   d   u   l
0000010 145 163 057 160 171 164 150 157 156 062 056 067 012            
0000010   e   s   /   p   y   t   h   o   n   2   .   7  \n            
000001d

hth,
Wim

-- System Information:
Debian Release: 8.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=nl_BE.utf8, LC_CTYPE=nl_BE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages chkrootkit depends on:
ii  binutils               2.25-5
ii  debconf [debconf-2.0]  1.5.56
ii  libc6                  2.19-18
ii  net-tools              1.60-26+b1
ii  procps                 2:3.3.9-9

chkrootkit recommends no packages.

chkrootkit suggests no packages.

-- debconf information:
  chkrootkit/diff_mode: false
  chkrootkit/run_daily: false
  chkrootkit/run_daily_opts: -q

--- End Message ---
--- Begin Message ---
Hello Wim

There are a lot of files/dirs that cause false positives, but I
strongly believe that it is a bad idea to try to catch them in a public
release.

It is trivial for an attacker to rename files/dirs in order to
circumvent any regexp filter if he/she just knows it. It would render
chkrootkit useless.

Please, read /usr/share/doc/chkrootkit/README.FALSE-POSITIVES for more
information.

Greetings, 

Marcos.

--- End Message ---
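
The thread contrasts a name-based exclusion with the concern that a known name filter can be reused by someone else. As an added example (not chkrootkit code and not from either correspondent), this sketch keeps a local exclusion list pinned to file content, so an excluded name is suppressed only while its bytes are unchanged. The function names, the allowlist format (sha256sum's own output) and the demo files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not chkrootkit code): a local exclusion list pinned to content.
# Allowlist format is sha256sum's own: "<64 hex chars>  <absolute path>".

# Print OK, CHANGED or UNPINNED for one path reported by the scanner.
check_finding() {
    allowlist=$1 path=$2
    [ -f "$path" ] || { echo UNPINNED; return 0; }
    line=$(sha256sum -- "$path")
    if grep -Fxq -- "$line" "$allowlist" 2>/dev/null; then
        echo OK          # same path, same bytes as when the admin reviewed it
    elif P=$path awk 'substr($0, 67) == ENVIRON["P"] { f = 1 } END { exit !f }' \
            "$allowlist" 2>/dev/null; then
        echo CHANGED     # name is allowlisted but content differs: keep reporting
    else
        echo UNPINNED    # never reviewed locally
    fi
}

# Read scanner-reported paths on stdin; print only those still needing review.
filter_findings() {
    while IFS= read -r path; do
        status=$(check_finding "$1" "$path")
        [ "$status" = OK ] || printf '%s %s\n' "$status" "$path"
    done
}

# Constructed demo: two hidden files are pinned, then one is modified.
demo() {
    d=$(mktemp -d) || return 1
    printf '/usr/lib/pymodules/python2.7\n' > "$d/.path"
    printf 'name=java-1.7.0-openjdk-amd64\n' > "$d/.jinfo"
    sha256sum -- "$d/.path" "$d/.jinfo" > "$d/allow"   # admin reviews and pins
    printf 'extra line\n' >> "$d/.jinfo"               # content changes later
    printf '%s\n' "$d/.path" "$d/.jinfo" "$d/.new" | filter_findings "$d/allow"
    rm -rf "$d"
}
demo
```

The demo reports the modified file as CHANGED and the never-pinned one as UNPINNED, while the untouched pinned file is suppressed.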