226067 2008-06-12 13:38 0000 chkrootkit-0.47: shell history anomalies warning for linked files uses wrong file list 2008-10-06 19:46:21 0000 1 1 1 Unclassified Gentoo Linux Applications unspecified All Linux RESOLVED FIXED P2 normal --- 1 prote@fmi.uni-stuttgart.de forensics@gentoo.org prote@fmi.uni-stuttgart.de 2008-06-12 13:38:18 0000 In its "shell history anomalies" part chkrootkit collects two lists of anomalous history files: - $files: file size is zero - $files1: is linked to another file But when the according warning is written both times $files is used. For details see the attached diff. Reproducible: Always Steps to Reproduce: None of the files target, .link-history and .empty-history should exist. 1. echo Hallo > target 2. ln target .link-history 3. touch .empty-history 4. chkrootkit Actual Results: ... Searching for anomalies in shell history files... Warning: `//root/.empty-history' file size is zero Warning: `//root/.empty-history' is linked to another file ... Expected Results: ... Searching for anomalies in shell history files... Warning: `//root/.empty-history' file size is zero Warning: `//root/.link-history' is linked to another file ... prote@fmi.uni-stuttgart.de 2008-06-12 13:40:09 0000 Created an attachment (id=156497) diff between the original and corrected chkrootkit script pva@gentoo.org 2008-10-06 19:46:21 0000 Fixed in chkrootkit-0.48. Thank you for report and fix. 156497 2008-06-12 13:40 0000 diff between the original and corrected chkrootkit script chkrootkit.diff text/plain KioqIC91c3Ivc2Jpbi9jaGtyb290a2l0Lm9yaWcJVGh1IEp1biAxMiAxNToyMDowMSAyMDA4Ci0t LSAvdXNyL3NiaW4vY2hrcm9vdGtpdAlUaHUgSnVuIDEyIDE1OjI4OjA5IDIwMDgKKioqKioqKioq KioqKioqCioqKiAxMDk4LDExMDQgKioqKgogICAgICAgICAgZWNobyAiV2FybmluZzogXGAke2Zp bGVzfScgZmlsZSBzaXplIGlzIHplcm8iCiAgICAgICAgZmlsZXMxPWAke2ZpbmR9ICR7Uk9PVERJ Un0ke0hPTUV9ICR7ZmluZGFyZ3N9IC1uYW1lICcuKmhpc3RvcnknIFwoIC1saW5rcyAyIC1vIC10 eXBlIGwgXClgCiAgICAgICAgWyAhIC16ICIke2ZpbGVzMX0iIF0gJiYgXAohICAgICAgICAgZWNo byAiV2FybmluZzogXGAke2ZpbGVzfScgaXMgbGlua2VkIHRvIGFub3RoZXIgZmlsZSIKICAgICBm aQogICAgIGlmIFsgLXogIiR7ZmlsZXN9IiAtYSAteiAiJHtmaWxlczF9IiBdOyB0aGVuCiAgICAg ICAgaWYgWyAiJHtRVUlFVH0iICE9ICJ0IiBdOyB0aGVuIGVjaG8gIm5vdGhpbmcgZm91bmQiOyBm aQotLS0gMTA5OCwxMTA0IC0tLS0KICAgICAgICAgIGVjaG8gIldhcm5pbmc6IFxgJHtmaWxlc30n IGZpbGUgc2l6ZSBpcyB6ZXJvIgogICAgICAgIGZpbGVzMT1gJHtmaW5kfSAke1JPT1RESVJ9JHtI T01FfSAke2ZpbmRhcmdzfSAtbmFtZSAnLipoaXN0b3J5JyBcKCAtbGlua3MgMiAtbyAtdHlwZSBs IFwpYAogICAgICAgIFsgISAteiAiJHtmaWxlczF9IiBdICYmIFwKISAgICAgICAgIGVjaG8gIldh cm5pbmc6IFxgJHtmaWxlczF9JyBpcyBsaW5rZWQgdG8gYW5vdGhlciBmaWxlIgogICAgIGZpCiAg ICAgaWYgWyAteiAiJHtmaWxlc30iIC1hIC16ICIke2ZpbGVzMX0iIF07IHRoZW4KICAgICAgICBp ZiBbICIke1FVSUVUfSIgIT0gInQiIF07IHRoZW4gZWNobyAibm90aGluZyBmb3VuZCI7IGZpCg==