[SRU] chkrootkit falsely flags files owned by Firefox 3 and Sun Java 6 valid packages
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
chkrootkit (Ubuntu) | Fix Released | Low | Marc Deslauriers |
Hardy | Fix Released | Undecided | Unassigned |
Bug Description
Binary package hint: chkrootkit
I'd like to request an SRU for this package.
IMPACT: It produces false positives for common desktop applications. chkrootkit is suggested as one of many security tools to install in our official docs:
https:/
HOW IT'S BEEN ADDRESSED: This is a known issue that has been addressed in the next version that came out. Specifically, an option has been added to ignore false positives (#406493, #426068 according to the changelog for version 0.48-5).
Steps to reproduce:
- Make sure Firefox 3 and Sun Java JRE 6 are installed (firefox-3.0 sun-java6-jre)
- Install chkrootkit
- sudo chkrootkit -q
Output:
The following suspicious files and directories were found:
/usr/lib/
/usr/lib/
/usr/lib/
/usr/lib/
/lib/modules/
/usr/bin/find: //home/
/usr/bin/find: //home/
eth0: PACKET SNIFFER(
ProblemType: Bug
Architecture: i386
Date: Wed May 5 14:28:57 2010
DistroRelease: Ubuntu 8.04
Package: chkrootkit 0.47-1.1ubuntu0.1
PackageArchitec
ProcEnviron:
PATH=/
LANG=en_CA.UTF-8
SHELL=/bin/bash
SourcePackage: chkrootkit
Uname: Linux 2.6.24-27-generic i686
Fabián Rodríguez (magicfab) wrote (#1):
Changed in chkrootkit (Ubuntu):
  assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in chkrootkit (Ubuntu):
  status: New → Confirmed
  importance: Undecided → Low
Marc Deslauriers (mdeslaur) wrote (#3):
This is a well-known issue, and is mentioned in /usr/share/
Simply put, chkrootkit should not contain a whitelist of acceptable dotfiles by default, as a rootkit could simply use the files listed in the whitelist as known good hiding places.
That being said, the newer Debian/Ubuntu packages contain a patch that adds a "-e" option that lets administrators add their own whitelist. I think this is a reasonable idea and it should be included in the hardy package so chkrootkit can be used by system admins without constantly getting false positives.
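An added triage example, written for this thread and not part of the bug report or of chkrootkit itself. It takes chkrootkit -q style findings (constructed sample paths, since the report above is truncated and does not show them), prints the ones an administrator's vetted whitelist does not explain, and illustrates the point made in comment #3: a whitelisted path hides whatever is placed there, so each entry should be vetted (for instance, confirm that dpkg -S attributes it to the expected package) before it goes into the -e list. It assumes -e takes one quoted, space-separated list of paths; the exact-path-or-descendant matching below is this script's own, not a reproduction of chkrootkit's internal filter.

```shell
#!/bin/sh
# Added example (not from the bug report or the chkrootkit package).
# Triage helper for chkrootkit -q findings: separate paths the admin has
# already vetted (the whitelist fed to the backported -e option) from
# paths that still need a look, and show why a whitelist entry is also a
# hiding place.
#
# Assumptions, not established by the bug thread:
#   - "-e" takes a single quoted, space-separated list of paths.
#   - Matching below is exact-path-or-descendant; chkrootkit's own
#     matching is not reproduced here. Paths with spaces are unsupported.
# All sample data is constructed for this example.

# Constructed stand-in for chkrootkit -q output; the real report in the
# bug is truncated, so these are not its paths.
SAMPLE_FINDINGS='/usr/lib/firefox-3.0/.autoreg
/usr/lib/jvm/.java-6-sun.jinfo
/lib/modules/2.6.24-27-generic/volatile/.mounted
/usr/lib/.hidden-loader.so'

# Whitelist the admin has vetted (each entry checked with owning_package
# before being added). Constructed for this example.
VETTED='/usr/lib/firefox-3.0/.autoreg /usr/lib/jvm/.java-6-sun.jinfo /lib/modules/2.6.24-27-generic/volatile'

# Which package owns a path, or nothing if none claims it. Vetting step
# for new whitelist entries; needs a real dpkg database, so it is only
# for interactive use and prints nothing where dpkg is absent.
owning_package() {
  command -v dpkg >/dev/null 2>&1 || return 0
  dpkg -S "$1" 2>/dev/null | cut -d: -f1 | head -n 1
}

# Does path $1 match whitelist $2 (exact path, or inside a listed dir)?
is_whitelisted() {
  for ex in $2; do
    case "$1" in
      "$ex"|"$ex"/*) return 0 ;;
    esac
  done
  return 1
}

# Print the findings in $1 (newline-separated) not covered by whitelist $2.
unexplained_findings() {
  printf '%s\n' "$1" | while IFS= read -r path; do
    [ -n "$path" ] || continue
    is_whitelisted "$path" "$2" || printf '%s\n' "$path"
  done
}

# Demonstration when run directly.
echo "Needs investigation:"
unexplained_findings "$SAMPLE_FINDINGS" "$VETTED"
echo
echo "Would run: chkrootkit -q -e \"$VETTED\""
echo
# The caveat from comment #3: a whitelisted path stays invisible even if
# its contents were replaced, so a planted file there is filtered out.
echo "Unexplained findings for a planted file at a whitelisted path:"
unexplained_findings '/usr/lib/jvm/.java-6-sun.jinfo' "$VETTED" | wc -l
```

Anything the whitelist does not explain is what to investigate; anything it does explain is, by construction, no longer visible to you, which is why the list should stay short and be reviewed whenever the owning packages are upgraded.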
Marc Deslauriers (mdeslaur) wrote (#4):
I have uploaded chkrootkit packages for hardy that contain the patch to my PPA here:
https:/
Please test and leave feedback. Once it's been tested, I'll start the SRU procedures, although it may not be accepted.
Changed in chkrootkit (Ubuntu):
  status: Confirmed → Incomplete
Jonathan Davies (jpds) wrote (#5):
The package in the PPA works as expected.
Changed in chkrootkit (Ubuntu):
  status: Incomplete → Confirmed
Marc Deslauriers (mdeslaur) wrote (#6):
SRU Request:
Impact: chkrootkit tool reports false positives in hardy, and the option to ignore certain known false positives is only present in later versions. This impacts the usefulness of the tool.
This has been addressed by backporting the "-e" option from the newer release to let administrators set a whitelist.
A minimal debdiff is attached.
summary:
  - chkrootkit falsely flags files owned by Firefox 3 and Sun Java 6 valid packages
  + [SRU] chkrootkit falsely flags files owned by Firefox 3 and Sun Java 6 valid packages
Accepted chkrootkit into hardy-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https:/
Changed in chkrootkit (Ubuntu Hardy):
  status: New → Fix Committed
tags: added: verification-needed
Jean-Baptiste Lallement (jibel) wrote (#8):
SRU Verification Hardy
I've verified that the version 0.47-1.1ubuntu0.2 in -proposed ignores files in the exclusion list with the -e option. My only concern is a documentation issue because the new option is not documented in the manpage. Could you please update it too ?
2 other comments but unrelated to the SRU since it's in Maverick too and should be reported upstream:
1. Misleading documentation: -e requires a list of files/dirs (only -e without argument is specified in --help and man)
2. When -e is used without argument, it displays a meaningless error 'shift: 2659: can't shift that many'
Jean-Baptiste Lallement (jibel) wrote (#9):
Bug 597623 filed for the last 2 points.
Marc Deslauriers (mdeslaur) wrote (#10):
Thanks for the verification Jean-Baptiste. I have uploaded 0.47-1.1ubuntu0.3 to -proposed with the suggested manpage change.
Martin Pitt (pitti) wrote (#11):
Version 0.47-1.1ubuntu0.3 accepted into hardy-proposed which adds the manpage option. Please check and report back here. Thanks!
Jean-Baptiste Lallement (jibel) wrote (#12):
Verification-done in hardy with 0.47-1.1ubuntu0.3 in -proposed.
Many thanks for the update Marc.
tags: added: verification-done; removed: verification-needed
Martin Pitt (pitti) wrote (#13):
According to the bug trail this is fixed in jaunty and above.
Changed in chkrootkit (Ubuntu):
  status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote (#14):
This bug was fixed in the package chkrootkit - 0.47-1.1ubuntu0.3
---------------
chkrootkit (0.47-1.1ubuntu0.3) hardy-proposed; urgency=low
* debian/
SRU verification. (LP: #575945)
-- Marc Deslauriers <email address hidden> Wed, 23 Jun 2010 08:26:53 -0400
Changed in chkrootkit (Ubuntu Hardy):
  status: Fix Committed → Fix Released
Confirming; the same can be seen on my system. However, given that these are false positives, and *some* false positives are to be expected when dealing with security testing software, setting priority to Low.
Fabián, if you feel this needs to be re-evaluated, don't hesitate to bring it up :)