Your message dated Thu, 26 Sep 2024 06:34:02 +0000
with message-id <[email protected]>
and subject line Bug#1053979: fixed in chkrootkit 0.58b-2
has caused the Debian Bug report #1053979,
regarding chkrootkit: check reported files using dpkg -S
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1053979: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053979
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: chkrootkit
Version: 0.57-2+b1
Severity: wishlist
Dear Maintainer,
when chkrootkit-daily runs (this was with the old /etc/chkrootkit.conf, thus diff mode
false and the "-q -n" flags) I get reports for files that are owned by Debian
packages and identical to their installation state:
WARNING: The following suspicious files and directories were found:
/usr/lib/debug/.build-id
/usr/lib/jvm/.java-1.17.0-openjdk-amd64.jinfo
/usr/lib/jvm/.java-1.11.0-openjdk-amd64.jinfo
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/authz_owner/.htaccess
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/authz_owner/.htpasswd
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/file/.htaccess
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/file/.htpasswd
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest/.htaccess
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest/.htpasswd
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_anon/.htaccess
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_anon/.htpasswd
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_time/.htaccess
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_time/.htpasswd
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_wrongrelm/.htaccess
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_wrongrelm/.htpasswd
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/noentry/.htaccess
/usr/lib/python3/dist-packages/glances/outputs/static/.prettierrc.js
/usr/lib/python3/dist-packages/matplotlib/backends/web_backend/.eslintrc.js
/usr/lib/python3/dist-packages/matplotlib/backends/web_backend/.prettierignore
/usr/lib/python3/dist-packages/matplotlib/backends/web_backend/.prettierrc
/usr/lib/python3/dist-packages/matplotlib/tests/baseline_images/.keep
/usr/lib/python3/dist-packages/matplotlib/tests/tinypages/_static/.gitignore
/usr/lib/python3/dist-packages/matplotlib/tests/tinypages/.gitignore
/usr/lib/python3/dist-packages/numpy/core/include/numpy/.doxyfile
/usr/lib/python3/dist-packages/numpy/f2py/tests/src/assumed_shape/.f2py_f2cmap
/usr/lib/python3/dist-packages/numpy/f2py/tests/src/f2cmap/.f2py_f2cmap
/usr/lib/ruby/gems/3.1.0/gems/typeprof-0.21.2/vscode/.vscode
/usr/lib/ruby/gems/3.1.0/gems/typeprof-0.21.2/vscode/.gitignore
/usr/lib/ruby/gems/3.1.0/gems/typeprof-0.21.2/vscode/.vscodeignore
/usr/lib/ruby/vendor_ruby/rubygems/ssl_certs/.document
/usr/lib/ruby/vendor_ruby/rubygems/optparse/.document
/usr/lib/ruby/vendor_ruby/rubygems/tsort/.document
Could chkrootkit check that these files are owned by an installed Debian
package (à la "dpkg --search /usr/lib/ruby/vendor_ruby/rubygems/tsort/.document")
and unchanged from their Debian package state (against
/var/lib/dpkg/info/<pkg>.md5sums), and at least lower the status from WARNING to
INFO in the logged output? (Maybe we do not want them ignored altogether, in
case a Debian package could be compromised and ship the dangerous file.)
I cooked such a script:
for file in $(grep /usr/lib /var/log/chkrootkit/log.today); do
  # dpkg -S prints "pkg1, pkg2: /path"; keep only the package names
  for pkg in $(set -o pipefail; dpkg -S "$file" 2>/dev/null | sed 's/: .*//' | tr ',' '\n'); do
    for md5pkgfile in $(ls /var/lib/dpkg/info/$pkg.md5sums 2>/dev/null); do
      # md5sums entries carry no leading slash, hence ${file:1}
      [ -f "$file" ] && grep "${file:1}" "$md5pkgfile" | (
        read -r md5filepkg filepkgpath
        md5file="$(md5sum "/$filepkgpath" | cut -d' ' -f1)"
        [ "x$md5filepkg" = "x$md5file" ] && echo "Debian unmodified $file" || echo "non Debian or modified $file"
      )
    done
  done
done
gives:
Debian unmodified /usr/lib/jvm/.java-1.17.0-openjdk-amd64.jinfo
(...)
It does not handle directories like /usr/lib/debug/.build-id. Maybe
chkrootkit could check that none of the files in such a dot directory are
non-Debian files, i.e. that all of them are unmodified and owned by
still-installed packages?
Cheers,
Alban
-- System Information:
Debian Release: 12.2
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable-debug'), (500, 'oldstable-debug'), (500, 'stable'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 6.1.0-13-amd64 (SMP w/2 CPU threads; PREEMPT)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages chkrootkit depends on:
ii libc6 2.36-9+deb12u3
Versions of packages chkrootkit recommends:
ii binutils 2.40-2
ii bsd-mailx [mailx] 8.1.2-0.20220412cvs-1
ii cron [cron-daemon] 3.0pl1-162
ii iproute2 6.1.0-3
ii mailutils [mailx] 1:3.15-4
ii net-tools 2.10-0.1
ii postfix [mail-transport-agent] 3.7.6-0+deb12u2
ii procps 2:4.0.2-3
ii systemd-sysv 252.17-1~deb12u1
chkrootkit suggests no packages.
-- no debconf information
--- End Message ---
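As an added worked example (not code from the bug report or from chkrootkit itself), the check the report asks for, written as a small POSIX shell script: it resolves the owning package with dpkg -S, compares the file against that package's /var/lib/dpkg/info/<pkg>.md5sums list, and walks flagged directories such as /usr/lib/debug/.build-id file by file, which covers the directory case the one-liner above skipped. DPKG_INFO_DIR is an assumed override so the lookup can be pointed at a constructed directory; everything else relies only on dpkg's documented output format and the md5sums layout mentioned in the report.

```sh
#!/bin/sh
# Added example, not code from the bug report or from the chkrootkit package.
# Classify paths that chkrootkit flagged as "suspicious": ask dpkg which
# installed package owns each file, then compare the file's md5sum with the
# one recorded in /var/lib/dpkg/info/<pkg>.md5sums. Directories (the case the
# report's one-liner did not cover) are walked so every file inside is checked.
#
# DPKG_INFO_DIR is a hypothetical override used here so the md5sums lookup can
# be pointed at a constructed directory; the real location is /var/lib/dpkg/info.
DPKG_INFO_DIR="${DPKG_INFO_DIR:-/var/lib/dpkg/info}"

# Turn one line of `dpkg -S` output ("pkg1, pkg2:amd64: /path") into one
# package name per line. The first ": " ends the package list, so multiarch
# names such as libc6:amd64 (colon, no space) survive intact.
parse_dpkg_search() {
    printf '%s\n' "$1" | sed 's/: .*//' | tr ',' '\n' | sed 's/^ *//'
}

# Print the installed packages owning the absolute path $1, one per line.
# Lines about diversions ("diversion by ... from: ...") are not ownership.
owners_of() {
    line="$(dpkg -S "$1" 2>/dev/null | grep -v '^diversion by ' | head -n 1)"
    [ -n "$line" ] && parse_dpkg_search "$line"
    return 0
}

# Print the md5 that package $1 recorded for absolute path $2, or nothing if
# the package has no md5sums list or does not list the path (conffiles are
# tracked elsewhere and never appear here). Entries look like
# "<32 hex>  usr/lib/...": no leading slash, two separator spaces, so the
# path starts at column 35 and may itself contain spaces.
recorded_md5() {
    rel="${2#/}"
    list="$DPKG_INFO_DIR/$1.md5sums"
    [ -r "$list" ] || return 0
    awk -v p="$rel" 'substr($0, 35) == p { print $1; exit }' "$list"
}

# Compare file $2 against package $1's record: prints unmodified, MODIFIED or unlisted.
check_md5() {
    want="$(recorded_md5 "$1" "$2")"
    if [ -z "$want" ]; then
        echo unlisted
        return 0
    fi
    have="$(md5sum "$2" | cut -d' ' -f1)"
    if [ "$want" = "$have" ]; then echo unmodified; else echo MODIFIED; fi
}

# One report line per owning package, or "not-from-debian" when dpkg knows nothing.
classify_file() {
    found=0
    for pkg in $(owners_of "$1"); do
        found=1
        echo "$(check_md5 "$pkg" "$1") $pkg $1"
    done
    [ "$found" -eq 1 ] || echo "not-from-debian - $1"
}

# A flagged directory such as /usr/lib/debug/.build-id is walked file by file,
# so a single foreign or modified file inside a packaged dot-directory shows up.
classify_path() {
    if [ -d "$1" ]; then
        find "$1" -type f -print | while IFS= read -r f; do classify_file "$f"; done
    elif [ -f "$1" ]; then
        classify_file "$1"
    else
        echo "missing - $1"
    fi
}

# Usage: sh classify.sh /usr/lib/debug/.build-id /usr/lib/jvm/.java-1.17.0-openjdk-amd64.jinfo ...
# (or feed it the paths from /var/log/chkrootkit/log.today, as the report does)
for path in "$@"; do
    classify_path "$path"
done
```

Two limits are worth keeping in mind when reading its output. The md5sums lists do not cover conffiles, which dpkg tracks separately, so a path under /etc will always come back as unlisted. And the lists live on the same filesystem as the files they describe, so a match only says the file agrees with what dpkg installed; it does not show that the package itself was untouched, which is the report's own worry about a compromised package. For that, debsums or a comparison against a fresh .deb from the archive is the stronger check.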
--- Begin Message ---
Source: chkrootkit
Source-Version: 0.58b-2
Done: Richard Lewis <[email protected]>
We believe that the bug you reported is fixed in the latest version of
chkrootkit, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Richard Lewis <[email protected]> (supplier of updated
chkrootkit package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Tue, 13 Aug 2024 12:50:00 +0100
Source: chkrootkit
Architecture: source
Version: 0.58b-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Security Tools <[email protected]>
Changed-By: Richard Lewis <[email protected]>
Closes: 1025257 1035025 1035303 1049411 1053979 1070231 1071377 1075883 1080332 1082087
Changes:
chkrootkit (0.58b-2) unstable; urgency=medium
.
[ Richard Lewis ]
* Team upload
* Flag whether files flagged as 'suspicious' are from
Debian packages (Closes: #1053979, #1049411). Thanks to
Alban Browaeys for suggesting this.
* Allow -e to hide much more results (Closes: #1025257 - you can
use wildcards thanks to Peter Gervai for the suggestion)
* Fix -r to not skip several tests.
* Allow running as non-root (although some tests will not work,
but most will)
* Document false positive from ansible (Closes: #1049411)
and mosh (Closes: #1075883)
* Ensure check of PHP files copes with files with quotes
in their names (Closes: #1071377)
* Ensure the systemd timer runs once every day, even if
the system is suspended (Closes: #1035025, thanks to
'richardn')
* (new patch 87a,b) Improve output from ifpromisc: It will
now set an exit code of 1 if anything was found, and no
output will be produced if there are no sniffers
(Closes: #1035303)
* Skip utmp check if no /var/run/utmp: systems with a 64-bit
time_t may no longer have this file at all (Closes: #1080332).
* Skip wtmp check if no /var/log/wtmp: systems with a 64-bit
time_t may no longer have this file at all (Closes: #1082087).
* Skip lastlog check if no /var/log/lastlog: systems with
a 64-bit time_t may no longer have this file at all
(also part of #1082087).
* Drop patch 22: not actually needed
* Improve man-page (Closes: #1070231)
* Update patch 20: Use CCFLAGS when building check_wtmpx
(avoids blhc(1) warning)
* Standards-Version 4.7.0 (no changes needed)
Checksums-Sha1:
9beb651c31af5226e6db71286621213559287ad8 1406 chkrootkit_0.58b-2.dsc
f4d5f39a18bf04757a4052f913f1ec57cfb7c8a3 95852 chkrootkit_0.58b-2.debian.tar.xz
70ab41bd8522878168df4509181e1b7ff8d39f36 5265 chkrootkit_0.58b-2_amd64.buildinfo
Checksums-Sha256:
9fa8fbcad115fefae00cf8bd67b7f9986ff5d0479b173e020c1796b1b73c08f1 1406 chkrootkit_0.58b-2.dsc
8127591e926a60e6da1ac428082ab6049d25d8afa6d1ccbb822256db365bdb11 95852 chkrootkit_0.58b-2.debian.tar.xz
be17b8dd64d61bc4a1ab801279cd606a27b4e5ee53d88938c8fa6afb4b8bcd52 5265 chkrootkit_0.58b-2_amd64.buildinfo
Files:
f94b342c15139cdaeda63e6972203668 1406 misc optional chkrootkit_0.58b-2.dsc
fc145af23d17753fafdbf02b9ac141e0 95852 misc optional chkrootkit_0.58b-2.debian.tar.xz
3bb2337b79fcd480b637d1a965add300 5265 misc optional chkrootkit_0.58b-2_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iHUEARYIAB0WIQSjzJyHC50xCrrUzy9RcisI/kdFogUCZvT8GAAKCRBRcisI/kdF
oudxAQCws7tT5FYAJ4jRAGsfTH1VzGd22o99TehjE7p5eop4RwD+NOVx4mqguxQr
9E3L+DwXTMrZizX58GAoJ1+ewK0VXwo=
=8cjE
-----END PGP SIGNATURE-----
--- End Message ---