Your message dated Wed, 24 Nov 2021 21:48:32 +0000
with message-id <[email protected]>
and subject line Bug#877666: fixed in chkrootkit 0.55-2
has caused the Debian Bug report #877666,
regarding chkrootkit: alleged Chromium processes not running in /var/run/utmp after browser's update--false alarm?
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

-- 
877666: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=877666
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: chkrootkit
Version: 0.50-4+b2
Severity: normal

Dear Maintainer(s),

This issue does pertain to you guys, but it'll take a bit of explaining.
Thanks for bearing with me.

I upgraded Chromium from 60.0.3112.78-1~deb9u1 to 61.0.3163.100-1~deb9u1
on September 28th. Yesterday afternoon, I ran chkrootkit for the first
time since the Chromium update. It was while I had a whole bunch of tabs
open on different webpages. I run chkrootkit fairly routinely, but I've
never before seen the output that I saw yesterday. The pertinent section
is as follows:

---
Checking `chkutmp'... The tty of the following user process(es) were not found in /var/run/utmp !
! RUID PID TTY CMD
! 4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553 --disable-accelerated-video-decode --disable-gpu-compositing --enable-gpu-async-worker-context --service-request-channel-token=0963B489F0013DC2F7325E 3553 ;3,16,3553;3,17,3553;4,0,3553;4,1,4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553 --disable-accelerated-video-decode --disable-gpu-compositing --enable-gpu-async-worker-context --service-request-channel-token=0963B489F0013DC2F7325E 3;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553 --disable-accelerated-video-decode --disable-gpu-compositing --enable-gpu-async-worker-context --service-request-channel-token=0963B489F0013DC2F7325E
! 4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553 --disable-accelerated-video-decode --disable-gpu-compositing --enable-gpu-async-worker-context --service-request-channel-token=1413583FE8A783F0196ED5 3553 ;3,16,3553;3,17,3553;4,0,3553;4,1,4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553 --disable-accelerated-video-decode --disable-gpu-compositing --enable-gpu-async-worker-context --service-request-channel-token=1413583FE8A783F0196ED5 3;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553 --disable-accelerated-video-decode --disable-gpu-compositing --enable-gpu-async-worker-context --service-request-channel-token=1413583FE8A783F0196ED5
!
---

10 more similar/identical were also listed, but I went ahead and
truncated them. I think you get the idea.

Basically, the newer version of Chromium appears to be running tty
without including them in /var/run/utmp. (While the processes are not
explicitly identified as being associated with Chromium, a quick search
of the included command switches identified them as such.) While I
imagine this is just a design oversight on the part of the Chromium
devs, the fact remains that chkrootkit is getting false alarms from
this.

...Unless, perhaps, I've somehow actually obtained a rootkit that is
masquerading as a number of Chromium processes. :O (That seems highly
unlikely to me; I try to run my system very conservatively. But I can't
completely discount the possibility.)

For context, I reported this first to the Chromium devs, since this is
their change. This was the response I received:

[Status: Won't-Fix] "It seems to me that the chrootkit and unhide issue
is better suited for the maintainer of those tools. Unfortunately
chromium developers are not familiar with them or the intricacies of
your system."

To be clear, I don't think you guys (or the unhide maintainers) should
have to rewrite your applications according to Google's whims, but since
a substantial number of Debian users are going to have Chromium
installed, they ought to at least be made aware of this issue so they
can whitelist it without losing sleep.

Is this something you believe needs to be discussed further with the
Chromium devs? It seems like it would be a trivial change for them to
just go ahead and include the pertinent processes in /var/run/utmp.

In short, is this really a false alarm? If so, do you guys need more
information from the Chromium devs in order to whitelist this
behavior--with the assurance that it is legitimate?

Thank you so much for taking the time to look into this issue.

-- System Information:
Debian Release: 9.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), LANGUAGE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages chkrootkit depends on:
ii  binutils               2.28-5
ii  debconf [debconf-2.0]  1.5.61
ii  libc6                  2.24-11+deb9u1
ii  net-tools              1.60+git20161116.90da8a0-1
ii  openssh-client         1:7.4p1-10+deb9u1
ii  procps                 2:3.3.12-3

chkrootkit recommends no packages.

chkrootkit suggests no packages.

-- debconf information:
  chkrootkit/run_daily_opts: -q
  chkrootkit/diff_mode: false
  chkrootkit/run_daily: false
--- End Message ---
--- Begin Message ---
Source: chkrootkit
Source-Version: 0.55-2
Done: Marcos Fouces <[email protected]>

We believe that the bug you reported is fixed in the latest version of
chkrootkit, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Marcos Fouces <[email protected]> (supplier of updated chkrootkit package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 09 Nov 2021 22:44:33 +0100
Source: chkrootkit
Architecture: source
Version: 0.55-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Security Tools <[email protected]>
Changed-By: Marcos Fouces <[email protected]>
Closes: 488558 630880 666989 669333 677315 745431 872379 877666 982998 994153
Changes:
 chkrootkit (0.55-2) unstable; urgency=medium
 .
   [ Richard Lewis ]
   * Move configuration to /etc/chkrootkit/chkrootkit.conf and manage it as a
     conffile rather than via debconf
   * This enables various improvements to /etc/cron.daily/chkrootkit:
     - Improved default filtering and make filtering fully customisable
       (Closes: #630880, #666989, #669333, #677315, #877666, #488558).
     - run under ionice if possible (Closes: #745431)
   * Remove "OooPS, not expected" messages from chkproc by re-increasing
     MAX_PROCESSES to the upstream value (Closes: #982998) and preventing
     chkproc sending kill signals to processes to see if they might be
     malicious. (patches 55, 55a) This does re-disable a test for Enye LKM.
   * Prevent chkrootkit hanging when invoked from an LXC container
     (Closes: #872379), thanks to Scott Barker for identifying the issue
     (patch 61).
   * Various improvements to the output of chkrootkit
     - stop merging output of sniffer test into a single line so '-s' can be
       used as intended (patch 60)
     - fix the test of sshd so it runs when sshd is found instead of when it
       is not (patch 56)
     - ensure rexedcs test produces any output when it finds something
       suspicious (patch 60)
     - ensure output lines up, especially if '-q' is not present - remove
       spurious spaces (patch 53, 54, 55a, 57, 58)
     - do not list directories twice in list of 'suspicious' files (patch 59)
       and show output when -q not given (patch 25a)
     - fix spelling error in chkdirs output (patch 52)
     - further improvements to output of 'chkrootkit -h' (edits to patch 26,
       patch 26a)
   * Remove bashism from d/25_fix-nfs-legacy-sniffers.patch. (Closes: #994153).
   * Documentation copy-edited for grammar (and occasional accuracy)
   * Update dependencies so that packages whose binaries are tested are listed
     in 'Enhances' and add iproute2 as a preferred alternative to net-tools
   * Update documentation of earlier patches (1-51), recording which have been
     sent upstream
   * Add some autopkgtests
 .
   [ Marcos Fouces ]
   * Update copyright file.
Checksums-Sha1:
 bdacfb408ab42b7f70adf8da154880d72da8d167 2003 chkrootkit_0.55-2.dsc
 e3550706cdaad98733eea355f02ac9e37cc4d191 52796 chkrootkit_0.55-2.debian.tar.xz
 371de47723918b5aeb3e071073aca4135a3ca2db 5825 chkrootkit_0.55-2_source.buildinfo
Checksums-Sha256:
 6812e4820ebca20ac05f669523c1ce901c23f8c5f3b4ccb592b602b1975b9e3c 2003 chkrootkit_0.55-2.dsc
 e82094ffe93209bb30a4dfe3b761c296538e7c30a813e342a39e44182fbf5e2a 52796 chkrootkit_0.55-2.debian.tar.xz
 3630c8207ea4de13a3e3bc9e0703ee587112166396fae7637f5aa07091134200 5825 chkrootkit_0.55-2_source.buildinfo
Files:
 21d757c9ff5b03423847b934b2c59379 2003 misc optional chkrootkit_0.55-2.dsc
 d72fe06c67e3804f69c19611ce4c8e22 52796 misc optional chkrootkit_0.55-2.debian.tar.xz
 c0616cccf385a1b9408ce3a6454eb792 5825 misc optional chkrootkit_0.55-2_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEfLiv/VYDL+NaNH0uasy9D6O3RHwFAmGesGYACgkQasy9D6O3
RHxDlw/8C9//Fleq3G2eshpSXDgAfG7zAOdJC5dfIZrSkBeukYZ5ZPPbw0m7rqAw
VWS9xyy6uey49Nx6XD9w1OB9uQvt/5EfMU8ysnO0nrT3q6UPvZa1kVTwaP9KCPuJ
jANCqGVNWHuP6RR0yR98l0YEheU1z+qsl+RFh2/3fwlfvtQZmpA9m1Vg9jfiVQ6V
uQEyDD5ylA0Y41XGiVRXrdKzDfQIDBaNr/epgXZRVYXDmiW0iouAPkHmZGoVcxey
+hTOzrrajbV5EwyoWqpAneE48iKxO21YMJOQT5M0Nzgo0xdlGAuN/y9SQVZSx02g
mwxzWsr0SEDohDviPHAELwXdd4xZYwZTUO9Ah7vOc7aVky2rqm+tQPQI9keI3DTK
P3S1AuYDfCXLID8S9HoC5/do/Ezb/6P3L9ZBrux3MXUtEEtPTjguO8jjnYCifaJF
LP95atCuFHT8W4GsGbMz6E3I3xpOp7U1fpop/7r1znfFefV0BT7Qz6Ca/x5MNJAm
MlacI3mmLBfqtQjM49OWHauSd339vbWi8xM7j/BYrsPlsK167tw8zkGPC/QMalj6
ldrGrEeEFAYHuEArsv4rx+pgRHkiRKPjjzoNJW2JoyF3mQ4qRKTwJ2tGsDoeph4r
Fye/CHv7OlrTBO8c434IwMrkQSITYCPCvfq6QI2N4lqfLxFqrgY=
=PWWB
-----END PGP SIGNATURE-----
--- End Message ---
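The chkutmp test the bug report above describes, together with the customisable filtering the 0.55-2 changelog adds to the daily cron job, modelled in a small Python script. This is an added example and is not chkrootkit's own code nor Debian's /etc/cron.daily/chkrootkit script: it lists processes that hold a controlling tty, looks each tty up in a set of utmp entries, reports the mismatches in the report's "RUID PID TTY CMD" shape, and then drops findings whose command line matches an allowlist regex. The ps sample, the utmp tty set, the allowlist pattern, the binary path and the channel-token value are all constructed for the demo, not taken from the reporter's system.

```python
"""Model of a chkutmp-style check with a configurable allowlist.

Added example, not chkrootkit's code: compare each user process's tty
with the ttys recorded in utmp, report processes whose tty has no login
record, then suppress known-benign command lines (such as the Chromium
helper processes in the bug report) with narrow allowlist patterns.
All data here is constructed; nothing is read from the live system.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    ruser: str
    pid: int
    tty: str
    cmd: str


# Constructed sample in the shape of `ps -eo ruser,pid,tty,args`.
# PID 3553 carries the Chromium switches quoted in the bug report; the
# binary path and channel token are placeholders, not the reporter's.
SAMPLE_PS = """\
RUSER      PID TTY      COMMAND
alice     3210 pts/0    -bash
alice     3553 pts/1    /usr/lib/chromium/chromium --disable-accelerated-video-decode --disable-gpu-compositing --enable-gpu-async-worker-context --service-request-channel-token=PLACEHOLDER
root      4100 tty2     /bin/sh -i
root      4101 ?        /lib/systemd/systemd-journald
"""

# Constructed utmp content: ttys that currently have a login session.
SAMPLE_UTMP_TTYS = frozenset({"pts/0", "tty1"})

# Hypothetical allowlist (assumption, not the Debian default filter).
# Anchor on the binary path plus one of its switches: anything matching
# is silently dropped from the report, so a pattern that only named a
# switch would also hide any other process that copied that switch.
DEFAULT_ALLOWLIST = (
    r"^/usr/lib/chromium/chromium\b.*--service-request-channel-token=",
)


def parse_ps(text):
    """Parse ps output: three fixed columns, everything after is argv.

    Splitting at most three times keeps spaces inside the command line
    from being mistaken for extra columns.
    """
    procs = []
    for line in text.splitlines()[1:]:  # skip the header row
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue
        ruser, pid, tty, cmd = parts
        procs.append(Proc(ruser, int(pid), tty, cmd))
    return procs


def check_utmp(procs, utmp_ttys):
    """Return processes attached to a tty that utmp does not know about.

    A tty of '?' means no controlling terminal, which is normal for
    daemons, so those are skipped rather than reported.
    """
    return [p for p in procs if p.tty != "?" and p.tty not in utmp_ttys]


def apply_allowlist(findings, patterns):
    """Drop findings whose command line matches an allowlist regex."""
    compiled = [re.compile(p) for p in patterns]
    return [f for f in findings
            if not any(c.search(f.cmd) for c in compiled)]


def report(ps_text=SAMPLE_PS, utmp_ttys=SAMPLE_UTMP_TTYS,
           allowlist=DEFAULT_ALLOWLIST):
    """Run the check and return (raw_findings, filtered_findings)."""
    raw = check_utmp(parse_ps(ps_text), utmp_ttys)
    return raw, apply_allowlist(raw, allowlist)


if __name__ == "__main__":
    raw, filtered = report()
    print("! RUID PID TTY CMD   (before filtering)")
    for p in raw:
        print(f"! {p.ruser} {p.pid} {p.tty} {p.cmd}")
    print("! after allowlist:")
    for p in filtered:
        print(f"! {p.ruser} {p.pid} {p.tty} {p.cmd}")
```

Run as-is, the unfiltered report lists both the Chromium helper on pts/1 and the root shell on tty2; after the allowlist only the root shell remains. That is the trade-off behind making the filter customisable: each pattern an administrator adds removes one class of false alarm, and the narrower it is (binary path plus switch rather than a switch alone), the less it can hide.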

