Package: chkrootkit
Version: 0.52-2
Severity: normal
Tags: patch

Under certain circumstances, the CMD variable in chk_tcpd is incorrectly initialized and this leads to a false positive: erroneously reported an infected tcpd.

The attached patch fixes this for me in Ubuntu 18.04 but it makes sense to include it in Debian as well.

Thanks to https://www.linuxquestions.org/questions/linux-security-4/chkrootkit-tcpd-521683/page2.html#post5788733 for identifying the problem.

Link to the Ubuntu bug: https://bugs.launchpad.net/ubuntu/+source/chkrootkit/+bug/1808882

Francois

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_CA.utf8, LC_CTYPE=fr_CA.utf8 (charmap=UTF-8), LANGUAGE=fr_CA.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages chkrootkit depends on:
ii  binutils               2.31.1-11
ii  debconf [debconf-2.0]  1.5.69
ii  libc6                  2.28-4
ii  net-tools              1.60+git20180626.aebd88e-1
ii  openssh-client         1:7.9p1-4
ii  procps                 2:3.3.15-2

chkrootkit recommends no packages.

chkrootkit suggests no packages.

-- debconf information:
  chkrootkit/diff_mode: false
  chkrootkit/run_daily_opts: -q
* chkrootkit/run_daily: false
Author: Francois Marier <franc...@debian.org> Description: Reinitialize variable in check_tcpd Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/chkrootkit/+bug/1808882 --- a/chkrootkit 2019-01-13 14:30:39.608931525 -0800 +++ b/chkrootkit 2019-01-13 15:05:53.496917560 -0800 @@ -2588,6 +2588,7 @@ chk_tcpd () { STATUS=${NOT_INFECTED} TCPD_INFECTED_LABEL="p1r0c4|hack|/dev/xmx|/dev/hdn0|/dev/xdta|/dev/tux" + CMD= [ -r ${ROOTDIR}etc/inetd.conf ] && CMD=`${egrep} '^[^#].*tcpd' ${ROOTDIR}etc/inetd.conf | _head -1 | \
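
Review bot: the added `CMD=` line at the top of chk_tcpd carries no comment explaining why the reset is needed. The next line assigns CMD only when `${ROOTDIR}etc/inetd.conf` is readable, so without the reset a host lacking that file runs the rest of the check with whatever value CMD already held, which is the false positive described in the report. A one-line comment above `CMD=` stating that (for example "# reset: CMD is only assigned below when inetd.conf is readable") would stop the line from being dropped later as a redundant assignment. The hunk ends before CMD is used, so it is also worth confirming that the code following it treats an empty CMD as "nothing to check" rather than passing an empty path on to the signature match.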