[SRU] chkrootkit falsely flags files owned by Firefox 3 and Sun Java 6 valid packages

Confirming; the same can be seen on my system. However, given that these are false positives, and *some* false positives are to be expected when dealing with security testing software, setting prioriy to Low.

Fabián, if you feel this needs to be re-evaluated, don't hesitate to bring it up :)

This is a well-known issue, and is mentioned in /usr/share/doc/chkrootkit/README.FALSE-POSITIVES and in the upstream FAQ: http://www.chkrootkit.org/faq/#8

Simply put, chkrootkit should not contain a whitelist of acceptable dotfiles by default, as a rootkit could simply use the files listed in the whitelist as known good hiding places.

That being said, the newer Debian/Ubuntu packages contain a patch that adds a "-e" option that lets administrators add their own whitelist. I think this is a reasonable idea and it should be included in the hardy package so chkrootkit can be used by system admins without constantly getting false positives.

I have uploaded chkrootkit packages for hardy that contain the patch to my PPA here:

https://launchpad.net/~mdeslaur/+archive/testing

Please test and leave feedback. Once it's been tested, I'll start the SRU procedures, although it may not be accepted.

The package in the PPA works as expected.

SRU Request:

Impact: chkrootkit tool reports false positives in hardy, and the option to ignore certain known false positives is only present in later versions. This impacts the usefulness of the tool.

This has been addressed by backporting the "-e" option from the newer release to let administrators set a whitelist.

A minimal debdiff is attached.

Accepted chkrootkit into hardy-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

SRU Verification Hardy

I've verified that the version 0.47-1.1ubuntu0.2 in -proposed ignores files in the exclusion list with the -e option. My only concern is a documentation issue because the new option is not documented in the manpage. Could you please update it too ?

2 other comments but unrelated to the SRU since it's in Maverick too and should be reported upstream:
1. Misleading documentation: -e requires a list of files/dirs (only -e without argument is specified in --help and man)
2. When -e is used without argument, it displays a meaningless error 'shift: 2659: can't shift that many'

Bug 597623 filed for the last 2 points.

Thanks for the verification Jean-Baptiste. I have uploaded 0.47-1.1ubuntu0.3 to -proposed with the suggested manpage change.

Version 0.47-1.1ubuntu0.3 accepted into hardy-proposed which adds the manpage option. Please check and report back here. Thanks!

Verification-done in hardy with 0.47-1.1ubuntu0.3 in -proposed.
Many thanks for the update Marc.

According to the bug trail this is fixed in jaunty and above.

This bug was fixed in the package chkrootkit - 0.47-1.1ubuntu0.3

---------------
chkrootkit (0.47-1.1ubuntu0.3) hardy-proposed; urgency=low

  * debian/chkrootkit.1: Added -e option to manpage, as suggested by
    SRU verification. (LP: #575945)
 -- Marc Deslauriers <email address hidden> Wed, 23 Jun 2010 08:26:53 -0400