ckrootkit - issues with patch number 27 (was Re: Offering to help - chkrootkit and rkhunter)
Marcos Fouces <marcos@debian.org> writes:
> Hello Richard,
>
> i merged your requests for chkrootkit.
>
> IMHO, the best way to start contributing is exactly what you did!
> (Merge requests)
Thanks, this is good news :).
I started looking at the code and bugs, but got side-tracked: It seems
to me that patch 27 (from july 2020) in debian/patches is problematic. I
was not able to understand most of what patch 27 is trying to do, but it
seems to me that:
1. Patch 27 is re-introducing an "interesting feature" where chkproc
(a C programme run by chkrootkit) sends kill signals to pid 1
and 12345 see if they might be rootkits (!). These are in the
upsteam code, but in 2008 debian's patch #5 commented out that code to
fix https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=457828
Patch 27 has apparently reversed this fix and the debian version of
chkproc.c (after all debian's patching) includes the kill signals
again. (i think they occur less often than before, so maybe the new
bug is less 'critical')
2. Patch 27 is also the sole cause of the "OooPS" messages reported in
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982998
These come from MAX_PROCESSES in chkproc.c being too low. upstream has
set MAX_PROCESSES to > 4 million since 2014, but patch 27 apparently
reset it back to 99999.
I think someone more knowledgable in C than me should look at this patch
and see whether it is valid or not.
Reply to: