Your message dated Mon, 21 Apr 2008 11:17:03 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#457828: fixed in chkrootkit 0.48-2
has caused the Debian Bug report #457828,
regarding chkrootkit: Killing a random PID with an arbitrary signal to test
whether it is a trojan is extremely unpolite
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
457828: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=457828
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: chkrootkit
Version: 0.47-1.1
Severity: critical
Justification: breaks unrelated software
In testing for the Enye LKM, chkrootkit sends signal 58 to PID 12345.
This has a chance of hitting any one process of 1/32767. On the
system I am typing this on in its current state, I have 350 processes
running, and it is not currently busy, so that's 1/100 chance of
hitting a process by random.
If the system is up for a while, and I run chkrootkit in a daily
cronjob, I can expect a random process to be sent signal 58 once every
100 days or so.
The other day, it killed gnuplot_x11, which I only noticed once I read
my mail saying chkrootkit had "Enye LKM found". It certainly
explained why a script of mine got confused, and I could tell it had
killed gnuplot_x11 because it was still in a zombie state, having not
yet been reaped by gnuplot, and it was running as pid 12345. There
are reports on the net of it killing other processes.
That signal number is not documented in 'man 7 signal', so I guess
it's not likely anything would install a signal handler that could
deal with 58. Presumably chkrootkit is hoping that signal would be
rejected by the kernel as invalid, but that assumption is invalid
today:
$ sleep 1000 &
[1] 19277
$ kill -58 19277
[1]+ Real-time signal 24 sleep 1000
$
Incidentally, the documentation of the tests in chkproc.c needs a lot
of work: 'man 2 kill' doesn't describe kill as ever being able to
return a positive error value, but of course it must, because I got
the "Enye LKM found" message. It took me a while to work out that
that code was trying to do anything other than detect the presence
of pid 12345. Perhaps the signals it is sending could be better
documented, as to the test for the error return value, and indeed the
previous test for the Adobe LKM, using an errno magic number instead of
symbolic name. And why it sends signal 100 to init first without
testing the result.
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1,
'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.23 (SMP w/2 CPU cores)
Locale: LANG=en_AU, LC_CTYPE=en_AU (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash
Versions of packages chkrootkit depends on:
ii binutils 2.18.1~cvs20071027-2 The GNU assembler, linker and bina
ii debconf [debconf-2. 1.5.17 Debian configuration management sy
ii libc6 2.7-5 GNU C Library: Shared libraries
ii net-tools 1.60-19 The NET-3 networking toolkit
ii procps 1:3.2.7-5 /proc file system utilities
chkrootkit recommends no packages.
-- debconf information:
chkrootkit/run_daily: false
chkrootkit/run_daily_opts: -q
chkrootkit/diff_mode: false
--- End Message ---
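Added example, not part of the original report and not chkrootkit code: a small C program showing why the probe described in the report is destructive on Linux. Signal 58 falls in the real-time range, whose default action terminates the receiver, whereas kill(pid, 0) only checks that a PID exists. The function names are hypothetical and Linux with glibc is assumed.

```c
/* Constructed demo: what happens to an ordinary process that receives signal 58. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

#define REPORTED_SIGNAL 58 /* signal number quoted in the bug report */

/* True if sig lies in the real-time range, which the kernel accepts as valid. */
int is_realtime_signal(int sig) {
    return sig >= SIGRTMIN && sig <= SIGRTMAX;
}

/* Fork an idle child, send it sig, and report its fate:
 * the terminating signal number, 0 if it survived, -1 on error. */
int fate_after_signal(int sig) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { for (;;) pause(); }            /* child: no handlers installed */

    int rc = kill(pid, sig);                       /* sig 0 = existence check only */
    int status = 0, fate = (rc == 0) ? 0 : -1;
    struct timespec tick = {0, 10 * 1000 * 1000};  /* 10 ms */
    for (int i = 0; rc == 0 && i < 50; i++) {      /* watch the child for ~0.5 s */
        if (waitpid(pid, &status, WNOHANG) == pid)
            return WIFSIGNALED(status) ? WTERMSIG(status) : -1;
        nanosleep(&tick, NULL);
    }
    kill(pid, SIGKILL);                            /* clean up the survivor */
    waitpid(pid, &status, 0);
    return fate;
}

int main(void) {
    printf("signal %d is real-time: %d\n", REPORTED_SIGNAL,
           is_realtime_signal(REPORTED_SIGNAL));
    printf("fate after kill(pid, 0):  %d\n", fate_after_signal(0));
    printf("fate after kill(pid, %d): %d\n", REPORTED_SIGNAL,
           fate_after_signal(REPORTED_SIGNAL));
    return 0;
}
```

A nonzero fate is the signal that killed the child; a scanner that must touch a PID it does not own can use signal 0 to avoid that side effect.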
--- Begin Message ---
Source: chkrootkit
Source-Version: 0.48-2
We believe that the bug you reported is fixed in the latest version of
chkrootkit, which is due to be installed in the Debian FTP archive:
chkrootkit_0.48-2.diff.gz
to pool/main/c/chkrootkit/chkrootkit_0.48-2.diff.gz
chkrootkit_0.48-2.dsc
to pool/main/c/chkrootkit/chkrootkit_0.48-2.dsc
chkrootkit_0.48-2_amd64.deb
to pool/main/c/chkrootkit/chkrootkit_0.48-2_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Francois Marier <[EMAIL PROTECTED]> (supplier of updated chkrootkit package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Mon, 21 Apr 2008 22:41:11 +1200
Source: chkrootkit
Binary: chkrootkit
Architecture: source amd64
Version: 0.48-2
Distribution: unstable
Urgency: high
Maintainer: Francois Marier <[EMAIL PROTECTED]>
Changed-By: Francois Marier <[EMAIL PROTECTED]>
Description:
chkrootkit - rootkit detector
Closes: 234469 347879 402477 406493 411128 426068 436626 457828 466967 469724
Changes:
chkrootkit (0.48-2) unstable; urgency=high
.
* Remove check for Enye LKM, which was causing unrelated
software to die, hence the urgency (closes: #457828)
* Improve layout of main manpage (closes: #469724)
* Remove stripping in the upstream Makefile (closes: #436626)
* Add errors messages when commands are not found (closes: #347879)
* Fix shell history anomaly (closes: #402477)
* New option to exclude false positives from the list of reported
dotfiles (closes: #406493, #426068)
* Rename /proc/ksyms to /proc/kallsyms on 2.6 kernels (closes: #411128)
* Fix NFS-skipping -n option (closes: #234469)
* Debconf templates and debian/control reviewed by the debian-l10n-
english team as part of the Smith review project. (closes: #466967)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
-----END PGP SIGNATURE-----
--- End Message ---