Your message dated Sat, 26 Jul 2008 09:40:23 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#421864: fixed in chkrootkit 0.47-2
has caused the Debian Bug report #421864,
regarding chkrootkit: Killing a random PID with an arbitrary signal to test 
whether it is a trojan is extremely unpolite
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
421864: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=421864
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: chkrootkit
Version: 0.47-1.1
Severity: critical
Justification: breaks unrelated software

In testing for the Enye LKM, chkrootkit sends signal 58 to PID 12345.
This has a chance of hitting any one process of 1/32767.  On the
system I am typing this on in its current state, I have 350 processes
running, and it is not currently busy, so that's 1/100 chance of
hitting a process by random.

If the system is up for a while, and I run chkrootkit in a daily
cronjob, I can expect a random process to be sent signal 58 once every
100 days or so.

The other day, it killed gnuplot_x11, which I only noticed once I read
my mail saying chkrootkit had "Enye LKM found".  It certainly
explained why a script of mine got confused, and I could tell it had
killed gnuplot_x11 because it was still in a zombie state, having not
yet been reaped by gnuplot, and it was running as pid 12345.  There
are reports on the net of it killing other processes.

That signal number is not documented in 'man 7 signal', so I guess
it's not likely anything would install a signal handler that could
deal with 58.  Presumably chkrootkit is hoping that signal would be
rejected by the kernel as invalid, but that assumption is invalid
today:

$ sleep 1000 &
[1] 19277
$ kill -58 19277
[1]+  Real-time signal 24     sleep 1000
$

Incidentally, the documentation of the tests in chkproc.c needs a lot
of work: 'man 2 kill' doesn't describe kill as ever being able to
return a positive error value, but of course it must, because I got
the "Enye LKM found" message.  It took me a while to work out that
that code was trying to do anything other than detect for the presence
of pid 12345.  Perhaps the signals it is sending could be better
documented, as to the test for the error return value, and indeed the
previous test for the Adobe LKM, using an errno magic number instead of
symbolic name.  And why it sends signal 100 to init first without
testing the result.



-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.23 (SMP w/2 CPU cores)
Locale: LANG=en_AU, LC_CTYPE=en_AU (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash

Versions of packages chkrootkit depends on:
ii  binutils            2.18.1~cvs20071027-2 The GNU assembler, linker and bina
ii  debconf [debconf-2. 1.5.17               Debian configuration management sy
ii  libc6               2.7-5                GNU C Library: Shared libraries
ii  net-tools           1.60-19              The NET-3 networking toolkit
ii  procps              1:3.2.7-5            /proc file system utilities

chkrootkit recommends no packages.

-- debconf information:
  chkrootkit/run_daily: false
  chkrootkit/run_daily_opts: -q
  chkrootkit/diff_mode: false



--- End Message ---
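
The reporter's observation above, reproduced against a throwaway child process instead of a fixed PID: signal 58 falls in the real-time range and its default action terminates the target, signal 0 only tests for existence, and signal 100 is rejected with EINVAL. This is an added example, not code from chkrootkit or from the bug report; rt_index and fate_of_child are hypothetical names, and Linux with glibc is assumed.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Index of sig inside the real-time range (what bash reports as
 * "Real-time signal N"), or -1 if sig is not a real-time signal. */
int rt_index(int sig)
{
    return (sig >= SIGRTMIN && sig <= SIGRTMAX) ? sig - SIGRTMIN : -1;
}

/* Fork an idle child, send it sig, and report what happened:
 *  >0  number of the signal that terminated the child
 *   0  child still alive after an existence-only probe (sig == 0)
 *  -1  fork() or kill() failed; errno says why (EINVAL = invalid signal) */
int fate_of_child(int sig)
{
    int status = 0;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {            /* child: idle, like the report's "sleep 1000" */
        alarm(10);             /* safety net so the child can never linger */
        for (;;)
            pause();
    }
    int rc = kill(pid, sig);
    int saved = errno;
    if (rc != 0 || sig == 0) { /* nothing was delivered: check, then clean up */
        int alive = (waitpid(pid, &status, WNOHANG) == 0);
        kill(pid, SIGKILL);
        waitpid(pid, &status, 0);
        errno = saved;
        return (rc == 0 && alive) ? 0 : -1;
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFSIGNALED(status) ? WTERMSIG(status) : 0;
}

int main(void)
{
    printf("signal 58 is real-time signal %d\n", rt_index(58));
    printf("kill(child, 58): terminated by signal %d\n", fate_of_child(58));
    printf("kill(child, 0): %d (0 = still alive)\n", fate_of_child(0));
    printf("kill(child, 100): %d\n", fate_of_child(100));
    return 0;
}
```
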
--- Begin Message ---
Source: chkrootkit
Source-Version: 0.47-2

We believe that the bug you reported is fixed in the latest version of
chkrootkit, which is due to be installed in the Debian FTP archive:

chkrootkit_0.47-2.diff.gz
  to pool/main/c/chkrootkit/chkrootkit_0.47-2.diff.gz
chkrootkit_0.47-2.dsc
  to pool/main/c/chkrootkit/chkrootkit_0.47-2.dsc
chkrootkit_0.47-2_amd64.deb
  to pool/main/c/chkrootkit/chkrootkit_0.47-2_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Francois Marier <[EMAIL PROTECTED]> (supplier of updated chkrootkit package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 25 Apr 2008 11:01:00 +1200
Source: chkrootkit
Binary: chkrootkit
Architecture: source amd64
Version: 0.47-2
Distribution: stable
Urgency: low
Maintainer: Francois Marier <[EMAIL PROTECTED]>
Changed-By: Francois Marier <[EMAIL PROTECTED]>
Description: 
 chkrootkit - Checks for signs of rootkits on the local system
Closes: 421864
Changes: 
 chkrootkit (0.47-2) stable; urgency=low
 .
   * Remove Enye check which was killing random applications (closes: #421864)
   * Set myself as maintainer since the package has been orphaned
Files: 
 b78884bf7fa7689da62291c756f993b4 606 misc optional chkrootkit_0.47-2.dsc
 214e4e4cdca809cfd4b6d15cc022247b 20312 misc optional chkrootkit_0.47-2.diff.gz
 8eb4c9c8dcb29b9057d3c020149fc150 292468 misc optional chkrootkit_0.47-2_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFIERFsScUZKBnQNIYRAtayAJ9/iyclktNbocXGxIwxFm+f54+SwACeNKHe
N14v4PDS4RnGr1oJ+zr5qn4=
=vWET
-----END PGP SIGNATURE-----



--- End Message ---
