
Re: chkrootkit - issues with patch number 27 (was Re: Offering to help - chkrootkit and rkhunter)



Hi Richard,
I will try to review it this week.

You seem to have worked a lot!

Greetings. Marcos

On Thu, 28-10-2021 at 20:51 +0100, RL wrote:
> Marcos Fouces <marcos.fouces@gmail.com> writes:
> 
> > Upstream agreed to do a deeper review of all patches in the package
> > and include them (or not) in the next release.
> > 
> 
> This is fantastic, I've been looking through bugs and what started as a
> simple "allow the cron job to run under ionice" grew a bit - I decided I
> should add some autopkgtests and that led to spotting quite a few
> things, some of which were already in the bug list and some were not
> (but could be - I wasn't sure it was worth reporting, but I can do.)
> 
> I've submitted a merge-request that fixes about 8 of the 16 bugs
> reported. Unfortunately I needed to add a few more patches (but only to
> fix things)
> 
> The tests work for me when I build the package with gbp and sbuild,
> however
> * the salsa CI system tries to run the autopkgtests but it hangs
> running the chkrootkit binary. If I read the logs right, salsa is using
> lxc and bug #872379 does say chkrootkit hangs inside lxc.
> 
> I will investigate lxc but I thought I would submit the merge
> request before expanding it further!
> 
> Let me know what you think.
> 
> Richard
> 
> > Greetings,
> > Marcos
> > 
> > 
> > On Sun, 03-10-2021 at 01:18 +0100, RL wrote:
> > > Marcos Fouces <marcos@debian.org> writes:
> > > 
> > > > Hello Richard,
> > > > 
> > > > I merged your requests for chkrootkit.
> > > > 
> > > > IMHO, the best way to start contributing is exactly what you did!
> > > > (Merge requests)
> > > 
> > > Thanks, this is good news :).
> > > 
> > > I started looking at the code and bugs, but got side-tracked: It seems
> > > to me that patch 27 (from July 2020) in debian/patches is problematic. I
> > > was not able to understand most of what patch 27 is trying to do, but it
> > > seems to me that:
> > > 
> > > 1. Patch 27 is re-introducing an "interesting feature" where chkproc
> > >   (a C programme run by chkrootkit) sends kill signals to pid 1
> > >   and 12345 to see if they might be rootkits (!). These are in the
> > >   upstream code, but in 2008 Debian's patch #5 commented out that code to
> > >   fix https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=457828
> > > 
> > >   Patch 27 has apparently reversed this fix and the Debian version of
> > >   chkproc.c (after all Debian's patching) includes the kill signals
> > >   again. (I think they occur less often than before, so maybe the new
> > >   bug is less 'critical')
> > > 
> > > 2. Patch 27 is also the sole cause of the "OooPS" messages reported in
> > >     https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982998
> > > 
> > >   These come from MAX_PROCESSES in chkproc.c being too low. Upstream has
> > >   set MAX_PROCESSES to > 4 million since 2014, but patch 27 apparently
> > >   reset it back to 99999.
> > > 
> > > I think someone more knowledgeable in C than me should look at this patch
> > > and see whether it is valid or not.
> > > 
> 

