
Re: chkrootkit - issues with patch number 27 (was Re: Offering to help - chkrootkit and rkhunter)



Marcos Fouces <marcos.fouces@gmail.com> writes:

> Upstream agreed to do a deeper review of all patches in the package
> and include them (or not) in the next release.
>

This is fantastic. I've been looking through bugs and what started as a
simple "allow the cron job to run under ionice" grew a bit - I decided I
should add some autopkgtests and that led to spotting quite a few
things, some of which were already in the bug list and some were not
(but could be - I wasn't sure it was worth reporting, but I can do).

I've submitted a merge request that fixes about 8 of the 16 bugs
reported. Unfortunately I needed to add a few more patches (but only to
fix things).

The tests work for me when I build the package with gbp and sbuild; however,
the salsa CI system tries to run the autopkgtests but it hangs
running the chkrootkit binary. If I read the logs right, salsa is using lxc and
bug #872379 does say chkrootkit hangs inside lxc.

I will investigate lxc, but I thought I would submit the merge
request before expanding it further!

Let me know what you think.

Richard

> Greetings,
> Marcos
>
>
> On Sun, 03-10-2021 at 01:18 +0100, RL wrote:
>> Marcos Fouces <marcos@debian.org> writes:
>> 
>> > Hello Richard, 
>> > 
>> > I merged your requests for chkrootkit.
>> > 
>> > IMHO, the best way to start contributing is exactly what you did!
>> > (Merge requests)
>> 
>> Thanks, this is good news :).
>> 
>> I started looking at the code and bugs, but got side-tracked: It
>> seems to me that patch 27 (from July 2020) in debian/patches is
>> problematic. I was not able to understand most of what patch 27 is
>> trying to do, but it seems to me that:
>> 
>> 1. Patch 27 is re-introducing an "interesting feature" where chkproc
>>    (a C programme run by chkrootkit) sends kill signals to pid 1
>>    and 12345 to see if they might be rootkits (!). These are in the
>>    upstream code, but in 2008 Debian's patch #5 commented out that
>>    code to fix https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=457828
>> 
>>    Patch 27 has apparently reversed this fix and the Debian version of
>>    chkproc.c (after all Debian's patching) includes the kill signals
>>    again. (I think they occur less often than before, so maybe the new
>>    bug is less 'critical'.)
>> 
>> 2. Patch 27 is also the sole cause of the "OooPS" messages reported
>>    in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982998
>> 
>>    These come from MAX_PROCESSES in chkproc.c being too low. Upstream
>>    has set MAX_PROCESSES to > 4 million since 2014, but patch 27
>>    apparently reset it back to 99999.
>> 
>> I think someone more knowledgeable in C than me should look at this
>> patch and see whether it is valid or not.
>> 

