false positive on tcpd

Bug #1808882 reported by Ryan Hoover on 2018-12-17
This bug affects 1 person
Affects Status Importance Assigned to Milestone
chkrootkit (Debian)
Fix Committed
chkrootkit (Ubuntu)
Status tracked in Disco
Thomas Ward
Thomas Ward
Thomas Ward

Bug Description


chkrootkit will return false positives for tcpd detections as "infected" when tcpd is not present on a system.

[Test Case]

 * Install chkrootkit, run chkrootkit checks.

 * Without the patch, chkrootkit should return "INFECTED" in its detections for tcpd.

 * With the debdiff, it should say "not present" or "not infected".

[Regression Potential]

 * Regression risk is limited. The only change with this patch and debdiff is that we reinitialize the CMD variable in the test to "empty" before utilizing CMD, which clears the bug if "/bin/tar" from the previous test being still used in the script for testing tcpd. No other chkrootkit bits are, based on my testing, affected by this change.

[Other Info]

 * Patch was provided by Francois Mariner from Debian

[Original Description]

This has apparently been a thing since at least 16.04

Install a clean version of Ubuntu, install chkrootkit, run a check.

tcpd will report as infected.

ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: chkrootkit 0.52-1
ProcVersionSignature: Ubuntu 4.15.0-42.45-lowlatency 4.15.18
Uname: Linux 4.15.0-42-lowlatency x86_64
NonfreeKernelModules: nvidia_modeset nvidia
ApportVersion: 2.20.9-0ubuntu7.5
Architecture: amd64
CurrentDesktop: MATE
Date: Mon Dec 17 18:30:29 2018
InstallationDate: Installed on 2018-12-05 (12 days ago)
InstallationMedia: Ubuntu-MATE 18.04.1 LTS "Bionic Beaver" - Release amd64 (20180725)
SourcePackage: chkrootkit
UpgradeStatus: No upgrade log present (probably fresh install)

Ryan Hoover (rhoover84) wrote :
Andreas Hasenack (ahasenack) wrote :

Thanks for reporting this. Confirmed in disco (upcoming 19.04) too.

Changed in chkrootkit (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
importance: Medium → Low
François Marier (fmarier) wrote :

Here's a patch to fix this in the package. It's based on the solution from https://www.linuxquestions.org/questions/linux-security-4/chkrootkit-tcpd-521683/page2.html#post5788733

I also added a fixed package for 18.04 in my PPA: https://launchpad.net/~fmarier/+archive/ubuntu/ppa

The attachment "24_fix_chktcpd.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
tags: added: server-next
tags: added: bitesize
Thomas Ward (teward) wrote :

This bug also exists in Disco and Cosmic. Nominating for all three series and adding tags accordingly. I will test if this is in Xenial as soon as I finish prepping my Xenial test VM.

(To help the Server Team with this, I'll grab this one and help prep the upload for Disco with a fix, but also help prep SRUs for Cosmic and Bionic)

Changed in chkrootkit (Ubuntu):
assignee: nobody → Thomas Ward (teward)
Thomas Ward (teward) wrote :

Note that testing this in Xenial, I don't see this affecting Xenial 16.04. This seems to be something for Bionic, Cosmic, and Disco only.

Thomas Ward (teward) wrote :

Attached is the debdiff of the packaging changes that will fix this issue and apply the patch for Disco.

Note that the patch's number was renamed to 26 because we have other patches since the patch was suggested imported due to Debian syncs; this is reflected in the corresponding debdiffs.

Changed in chkrootkit (Ubuntu Cosmic):
status: New → Triaged
Changed in chkrootkit (Ubuntu Bionic):
status: New → Triaged
importance: Undecided → Low
Changed in chkrootkit (Ubuntu Cosmic):
importance: Undecided → Low
Changed in chkrootkit (Ubuntu Bionic):
assignee: nobody → Thomas Ward (teward)
Changed in chkrootkit (Ubuntu Cosmic):
assignee: nobody → Thomas Ward (teward)
Thomas Ward (teward) wrote :

Note that I do not have upload access for chkrootkit at this time, as such I am subscribing ubuntu-sponsors to this bug. Once the Disco patch is applied, I will provide additional debdiffs addressing this in Cosmic and Bionic.

Package builds of these changes are present in https://launchpad.net/~teward/+archive/ubuntu/packages/+packages with slightly different version strings for Disco, but are there nonetheless present for testing.

Thomas Ward (teward) wrote :

At Robie Basak's suggest, I am also uploading the Bionic and Cosmic debdiffs as well.

Thomas Ward (teward) wrote :

Bionic debdiff

Thomas Ward (teward) wrote :

Cosmic debdiff

Thomas Ward (teward) on 2019-01-29
tags: added: cosmic disco
Changed in chkrootkit (Debian):
status: Unknown → New
Thomas Ward (teward) wrote :

I emailed upstream about this and they indicated that this issue is fixed in a future release of chkrootkit. This release does not have a timeline though, so I do not know when exactly this will land upstream.

Thomas Ward (teward) on 2019-02-07
description: updated
Thomas Ward (teward) wrote :

Updated cosmic patch due to duplicate patch being included in d/patches.

Robie Basak (racb) wrote :

Uploaded to Bionic, Cosmic and Disco. Thanks!

SRUs now awaiting SRU team review (I can't now do it because I sponsored).

Changed in chkrootkit (Ubuntu Bionic):
status: Triaged → In Progress
Changed in chkrootkit (Ubuntu Cosmic):
status: Triaged → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package chkrootkit - 0.52-2ubuntu1

chkrootkit (0.52-2ubuntu1) disco; urgency=medium

  * d/patches/26_fix_chktcpd.patch: Apply patch to fix tcpd false-positive
    detections. (LP: #1808882)
    Thanks to Francois Marier for the patch.

 -- Thomas Ward <email address hidden> Tue, 29 Jan 2019 16:32:49 -0500

Changed in chkrootkit (Ubuntu Disco):
status: Triaged → Fix Released

Hello Ryan, or anyone else affected,

Accepted chkrootkit into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/chkrootkit/0.52-1ubuntu0.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in chkrootkit (Ubuntu Bionic):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-bionic
Changed in chkrootkit (Debian):
status: New → Fix Committed
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.