Public bug reported:

Ubuntu release: Ubuntu 24.04 LTS
chkrootkit:
  Installed: 0.58b-1
  Candidate: 0.58b-1
  Version table:
 *** 0.58b-1 500
        500 http://de.archive.ubuntu.com/ubuntu noble/universe amd64 Packages
        100 /var/lib/dpkg/status

I expect chkrootkit to "know" about legitimate files.

What happened is this:

 WARNING: The following suspicious files and directories were found:
+/usr/lib/debug/.build-id
+/usr/lib/debug/.dwz
+/usr/lib/ruby/vendor_ruby/rubygems/ssl_certs/.document
+/usr/lib/ruby/vendor_ruby/rubygems/tsort/.document
+/usr/lib/ruby/vendor_ruby/rubygems/optparse/.document
+/usr/lib/modules/6.8.0-36-generic/vdso/.build-id
+/usr/lib/modules/6.8.0-35-generic/vdso/.build-id
+/usr/lib/modules/6.5.0-41-generic/vdso/.build-id
+/usr/lib/python3/dist-packages/matplotlib/tests/tinypages/.gitignore
+/usr/lib/python3/dist-packages/matplotlib/tests/tinypages/_static/.gitignore
+/usr/lib/python3/dist-packages/matplotlib/tests/baseline_images/.keep
+/usr/lib/python3/dist-packages/matplotlib/backends/web_backend/.prettierignore
+/usr/lib/python3/dist-packages/matplotlib/backends/web_backend/.eslintrc.js
+/usr/lib/python3/dist-packages/matplotlib/backends/web_backend/.prettierrc
+/usr/lib/python3/dist-packages/numpy/f2py/tests/src/f2cmap/.f2py_f2cmap
+/usr/lib/python3/dist-packages/numpy/f2py/tests/src/assumed_shape/.f2py_f2cmap
+/usr/lib/jvm/.java-1.11.0-openjdk-amd64.jinfo
+/usr/lib/jvm/.java-1.21.0-openjdk-amd64.jinfo
+/usr/lib/jvm/.java-1.17.0-openjdk-amd64.jinfo
+/usr/lib/jvm/.java-1.8.0-openjdk-amd64.jinfo
+/usr/lib/libreoffice/share/.registry

Most of these are known to dpkg:

libc6-dbg:amd64: /usr/lib/debug/.build-id
syslinux-utils: /usr/lib/debug/.dwz
ruby-rubygems: /usr/lib/ruby/vendor_ruby/rubygems/ssl_certs/.document
ruby-rubygems: /usr/lib/ruby/vendor_ruby/rubygems/tsort/.document
ruby-rubygems: /usr/lib/ruby/vendor_ruby/rubygems/optparse/.document
dpkg-query: no path found matching pattern /usr/lib/modules/6.8.0-36-generic/vdso/.build-id
dpkg-query: no path found matching pattern /usr/lib/modules/6.8.0-35-generic/vdso/.build-id
dpkg-query: no path found matching pattern /usr/lib/modules/6.5.0-41-generic/vdso/.build-id
python3-matplotlib: /usr/lib/python3/dist-packages/matplotlib/tests/tinypages/.gitignore
python3-matplotlib: /usr/lib/python3/dist-packages/matplotlib/tests/tinypages/_static/.gitignore
python3-matplotlib: /usr/lib/python3/dist-packages/matplotlib/tests/baseline_images/.keep
python3-matplotlib: /usr/lib/python3/dist-packages/matplotlib/backends/web_backend/.prettierignore
python3-matplotlib: /usr/lib/python3/dist-packages/matplotlib/backends/web_backend/.eslintrc.js
python3-matplotlib: /usr/lib/python3/dist-packages/matplotlib/backends/web_backend/.prettierrc
python3-numpy: /usr/lib/python3/dist-packages/numpy/f2py/tests/src/f2cmap/.f2py_f2cmap
python3-numpy: /usr/lib/python3/dist-packages/numpy/f2py/tests/src/assumed_shape/.f2py_f2cmap
openjdk-11-jre-headless:amd64: /usr/lib/jvm/.java-1.11.0-openjdk-amd64.jinfo
openjdk-21-jre-headless:amd64: /usr/lib/jvm/.java-1.21.0-openjdk-amd64.jinfo
openjdk-17-jre-headless:amd64: /usr/lib/jvm/.java-1.17.0-openjdk-amd64.jinfo
openjdk-8-jre-headless:amd64: /usr/lib/jvm/.java-1.8.0-openjdk-amd64.jinfo
libreoffice-common, libreoffice-l10n-de, libreoffice-base, libreoffice-draw, libreoffice-impress, libreoffice-math, libreoffice-sdbc-firebird, libreoffice-calc, libreoffice-writer: /usr/lib/libreoffice/share/.registry

The .build-id are still legitimate.

It should not be necessary to put all these paths in
/etc/chkrootkit/chkrootkit.ignore

ProblemType: Bug
DistroRelease: Ubuntu 24.04
Package: chkrootkit 0.58b-1
ProcVersionSignature: Ubuntu 6.8.0-35.35-generic 6.8.4
Uname: Linux 6.8.0-35-generic x86_64
ApportVersion: 2.28.1-0ubuntu3
Architecture: amd64
CasperMD5CheckResult: unknown
CurrentDesktop: KDE
Date: Fri Jun 28 14:32:55 2024
InstallationDate: Installed on 2014-12-22 (3476 days ago)
InstallationMedia: Kubuntu 14.10 "Utopic Unicorn" - Release amd64 (20141022.1)
RebootRequiredPkgs: Error: path contained symlinks.
SourcePackage: chkrootkit
UpgradeStatus: Upgraded to noble on 2024-06-21 (7 days ago)
mtime.conffile..etc.chkrootkit.chkrootkit.ignore: 2024-06-23T18:13:25.772907

** Affects: chkrootkit (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: amd64 apport-bug noble

https://bugs.launchpad.net/bugs/2071465

Title:
  chkrootkit should not treat legitimate files as suspicious
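
The cross-check described in the report (chkrootkit's flagged paths against dpkg ownership), as an added example that is not part of the original report or of chkrootkit. The sample inputs are constructed in the formats shown above, and the function names are hypothetical.

```python
import subprocess

# Constructed sample inputs, in the formats shown in the report.
SAMPLE_WARNING = """\
+/usr/lib/debug/.build-id
+/usr/lib/modules/6.8.0-36-generic/vdso/.build-id
+/usr/lib/jvm/.java-1.17.0-openjdk-amd64.jinfo
+/usr/lib/libreoffice/share/.registry
"""
SAMPLE_DPKG = """\
libc6-dbg:amd64: /usr/lib/debug/.build-id
dpkg-query: no path found matching pattern /usr/lib/modules/6.8.0-36-generic/vdso/.build-id
openjdk-17-jre-headless:amd64: /usr/lib/jvm/.java-1.17.0-openjdk-amd64.jinfo
libreoffice-common, libreoffice-calc: /usr/lib/libreoffice/share/.registry
"""

def flagged_paths(report):
    """Extract paths from chkrootkit's '+/path' warning lines."""
    return [l[1:].strip() for l in report.splitlines() if l.startswith("+/")]

def parse_owners(dpkg_output):
    """Map path -> owning packages from `dpkg-query -S` output."""
    owners = {}
    for line in dpkg_output.splitlines():
        if line.startswith("dpkg-query:"):  # "no path found" diagnostics
            continue
        pkgs, sep, path = line.partition(": /")
        if sep:
            owners["/" + path.strip()] = [p.strip() for p in pkgs.split(",")]
    return owners

def triage(report, dpkg_output):
    """Split flagged paths into package-owned and unowned (review these first)."""
    owners = parse_owners(dpkg_output)
    paths = flagged_paths(report)
    owned = {p: owners[p] for p in paths if p in owners}
    unowned = [p for p in paths if p not in owners]
    return owned, unowned

def query_dpkg(paths):
    """Live lookup on a Debian/Ubuntu host; misses are reported on stderr only."""
    r = subprocess.run(["dpkg-query", "-S", *paths],
                       capture_output=True, text=True)
    return r.stdout

if __name__ == "__main__":
    owned, unowned = triage(SAMPLE_WARNING, SAMPLE_DPKG)
    print("package-owned:", owned)
    print("not owned by any package:", unowned)
```

Ownership only shows that a package ships the path; `dpkg --verify <package>` compares the installed files against the package's recorded checksums.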
