Package: rkhunter Version: 1.4.2-5 Followup-For: Bug #816170 Tags: patch Find attached a patch, cherry-picked from upstream, that fixes the issue. In particular, it consists of the upstream commits c4d6d8b, 1e5e79a and b4a21a8.
Regards Klaus -- Klaus Ethgen http://www.ethgen.ch/ pub 4096R/4E20AF1C 2011-05-16 Klaus Ethgen <[email protected]> Fingerprint: 85D4 CA42 952C 949B 1753 62B3 79D0 B06F 4E20 AF1C
--- /usr/bin/rkhunter.distrib 2015-11-11 20:10:00.000000000 +0100
+++ /usr/bin/rkhunter 2016-04-25 19:12:08.675589473 +0100
@@ -13378,6 +13378,17 @@
PROCWHITELISTED=0
PROCDELFILES_GIVEN=0
+ #
+ # For this test we do not want to use globbing because it may match with
+ # files that actually exist. This could then lead to a false-positive for
+ # what should have been a whitelisted pathname. Instead we disable globbing,
+ # and then change the glob characters to regular expression ones. We also
+ # escape typical grep regex characters (e.g. '.'). The resulting regular
+ # expression is then matched against the deleted file pathname.
+ #
+
+ set -f
+
for RKHTMPVAR in ${ALLOWPROCDELFILES}; do
RKHTMPVAR2=`echo "${RKHTMPVAR}" | awk -F ':/' '{ print $1 }'`
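Review bot: `set -f` on the new line changes shell-wide state and is only undone by the `set +f` after the loop's `done`, so any `exit`/`return` taken inside the loop body (which continues outside this hunk) would leave globbing disabled for the rest of the script, and the later `set +f` also re-enables globbing even if `-f` was already in effect before this block. Since `$-` records the current options, the block could remember and restore them instead: `case "$-" in *f*) RKHNOGLOB=1 ;; *) RKHNOGLOB=0 ;; esac` before `set -f`, and `[ "$RKHNOGLOB" -eq 0 ] && set +f` after the loop. At minimum the new comment should say that globbing stays off until the `set +f` after the loop, so a future early exit is not added in between.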
@@ -13387,15 +13398,16 @@
if [ $PROCDELFILES_GIVEN -eq 1 ]; then
RKHTMPVAR3=`echo "${RKHTMPVAR}" | awk -F ':/' '{ for (i = 2; i <= NF; i++) { a[i] = $i } } END { for (i in a) { print "/" a[i] } }'`
- # Now expand the deleted file pathnames.
- RKHTMPVAR3=`expand_paths RKHTMPVAR3`
+ FNAMEGREP=""
- # We must reset the IFS because 'expand_paths' sets it to the default.
- IFS=$IFSNL
+ for FN in ${RKHTMPVAR3}; do
+ FNGREP=`echo "${FN}" | sed -e 's/\([.$]\)/\\\\\1/g; s/\([^\\]\)\*/\1.*/g; s/\([^\\]\)?/\1./g;'`
+ FNAMEGREP="${FNAMEGREP}|${FNGREP}"
+ done
- FNAMEGREP=`echo "${RKHTMPVAR3}" | sed -e 's/\([.$*?\\]\)/\\\\\1/g; s/\[/\\\\[/g; s/\]/\\\\]/g'`
+ FNAMEGREP=`echo "${FNAMEGREP}" | sed -e 's/^|//;'`
- if [ -n "`echo \"${FNAME}\" | grep \"^${FNAMEGREP}$\"`" ]; then
+ if [ -n "`echo \"${FNAME}\" | egrep \"^(${FNAMEGREP})$\"`" ]; then
PROCWHITELISTED=1
fi
else
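Review bot: The new sed on the `FNGREP=` line escapes only `.` and `$` before the pattern is handed to `egrep`, but the match is now an ERE, where `[`, `]`, `^`, `+`, `(`, `)`, `{`, `}` and `|` are also special; the removed line it replaces escaped `[` and `]` (and `\`), so a whitelist entry such as `/tmp/foo[1]` or `/run/a|b` that used to be matched literally is now interpreted as a regex, and a `|` in an entry silently splits `^(...)$` into two alternatives that whitelist more than the configured path. Escaping the full ERE set first and only then translating the glob characters keeps the intended `\*` handling: `FNGREP=\`echo "${FN}" | sed -e 's/[][.^$+(){}|]/\\\\&/g; s/\([^\\]\)\*/\1.*/g; s/\([^\\]\)?/\1./g;'\``. The `for FN in ${RKHTMPVAR3}` loop also appears to rely on IFS still being `$IFSNL` from earlier code (the removed reset was only needed because `expand_paths` changed it); a short comment stating that assumption would help, since the enclosing loop and the IFS setup are outside this hunk.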
@@ -13406,6 +13418,8 @@
fi
done
+ set +f
+
test $HAVE_READLINK -eq 0 && PROC="\"${PROC}\""
