Source: rkhunter
Source-Version: 1.4.6-3
Severity: important
User: debian-d...@lists.debian.org
Usertags: dpkg-db-access-blocker
Hi!
This package contains a script that directly access the dpkg internal
database [S], instead of using the correct public interface
«dpkg --verify» (note that it currently does not return an error exit
code when it finds modified files, that will be fixed in 1.19.3, but
you can always just check the output). If the code also needs to check
whether the package is installed it could use something like
«dpkg-query --showformat='${db:Status-Status}' --show PKGNAME» (or use
a format of '${binary:Package} ${db:Status-Status}\n' and then pass no
package name to get all packages).
[S] files/rkhunter
This is a problem for several reasons, because even though the layout and
format of the dpkg database is administrator friendly, and it is expected
that those might need to mess with it, in case of emergency, this
“interface” does not extend to other programs besides the dpkg suite of
tools. The admindir can also be configured differently at dpkg build or
run-time. And finally, the contents and its format, will be changing in
the near future.
Thanks,
Guillem
