Bug 471288 - =app-forensics/rkhunter-1.4.0 with >=app-forensics/unhide-20120905 - rkhunter scrapes unhide output incorrectly
Status: RESOLVED OBSOLETE
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Forensics Herd [disbanded]
URL:
Whiteboard:
Keywords: PATCH
Depends on:
Blocks:
 
Reported: 2013-05-26 02:13 UTC by Coacher
Modified: 2014-06-29 17:38 UTC
CC List: 2 users

See Also:
Package list:
Runtime testing required: ---


Attachments
rkhunter-unhide.patch (rkhunter-unhide.patch,525 bytes, patch)
2013-05-26 02:17 UTC, Coacher
rkhunter-1.4.0.unhide.patch (rkhunter-1.4.0.unhide.patch,532 bytes, text/plain)
2014-06-29 15:53 UTC, Coacher

Description Coacher 2013-05-26 02:13:27 UTC
rkhunter can use unhide for the hidden_procs test suite. However, there is a problem with recent unhide versions (>=20120905): unhide prints some program/copyright/license info on each invocation. This message cannot be suppressed by any unhide option. However, rkhunter knows about this and filters unhide output. rkhunter is aware of the message text in old versions, but in newer versions of unhide this message changed and therefore rkhunter detects false positives when running the hidden_procs test.

Suggested rkhunter patch attached below.

Reproducible: Always
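The failure mode described above, as an added example that is not code from rkhunter, unhide, or the attached patch: a filter built from literal substrings of one unhide release's header silently stops matching when the wording changes, and every surviving header line is then reported as a hidden process. The two banner texts, the "Found HIDDEN PID:" finding format and both pattern lists below are constructed assumptions for illustration, not verbatim output or source from either project.

```python
import re

# Constructed sample of the informational header an older unhide release prints
# before any findings (approximation for illustration, not verbatim unhide output).
OLD_UNHIDE_OUTPUT = """\
Unhide 20110113
http://www.security-projects.com/?Unhide
Copyright (C) 2010 <unhide authors>
License GPLv3+ : GNU GPL version 3 or later
"""

# Constructed sample of the header a newer release prints: same purpose, but the
# wording, URL and layout changed, so a filter built from the old text no longer
# matches all of it.
NEW_UNHIDE_OUTPUT = """\
Unhide 20120905
Copyright (c) 2010-2012 <unhide authors>
License GPLv3+ : GNU GPL version 3 or later
http://www.unhide-forensics.info

NOTE : This version of unhide is for systems using Linux >= 2.6
"""

# Assumed finding format for a hidden process (not taken from unhide's source).
FINDING = "Found HIDDEN PID: 4242"

# Filter in the style of the version-specific one the bug describes: literal
# substrings copied from one particular release's header.
LEGACY_BANNER_STRINGS = (
    "Unhide 20110113",
    "security-projects.com",
    "Copyright (C) 2010 ",
    "License GPLv3+",
    "yjesus@",  # never printed by any unhide release, as comment 1 notes
)


def legacy_is_banner(line: str) -> bool:
    """True if the line contains one of the release-specific literals."""
    return any(s in line for s in LEGACY_BANNER_STRINGS)


# Filter that matches the *kind* of line rather than one release's exact text:
# version stamp, copyright, license, URL and NOTE lines are informational
# regardless of year, holder or site.
BANNER_LINE_RE = re.compile(
    r"^(?:"
    r"Unhide\s+\d{8}\b"   # "Unhide YYYYMMDD" version line
    r"|Copyright\b"        # copyright notice, any year or holder
    r"|License\b"          # license line
    r"|https?://"          # project URL
    r"|NOTE\s*:"           # informational notes
    r")",
    re.IGNORECASE,
)


def robust_is_banner(line: str) -> bool:
    """True if the line is an informational header line of any known shape."""
    return BANNER_LINE_RE.match(line) is not None


def suspicious_lines(output: str, is_banner) -> list[str]:
    """Mimic the hidden_procs check: anything left after dropping blank and
    banner lines is treated as a hidden-process finding and raises a warning."""
    return [ln for ln in output.splitlines() if ln.strip() and not is_banner(ln)]


if __name__ == "__main__":
    for label, out in (("old unhide", OLD_UNHIDE_OUTPUT), ("new unhide", NEW_UNHIDE_OUTPUT)):
        for name, flt in (("legacy", legacy_is_banner), ("robust", robust_is_banner)):
            print(f"{label:10s} {name:6s} -> {suspicious_lines(out, flt)}")
    # A real finding survives both filters; only the header handling differs.
    print("with finding ->", suspicious_lines(NEW_UNHIDE_OUTPUT + FINDING + "\n", robust_is_banner))
```

With the constructed new header, the legacy filter leaves four header lines standing and the check reports them as hidden processes; the shape-based filter leaves nothing, while a genuine finding line passes through both. A tighter design would allow-list only lines in unhide's finding format instead of deny-listing header lines, but that presupposes a stable finding format, which is the same kind of cross-release assumption that broke here. Note also that editing the rkhunter script locally changes its own file properties, so its baseline has to be refreshed afterwards, as comment 3 describes.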
Comment 1 Coacher 2013-05-26 02:17:25 UTC
Created attachment 349188
rkhunter-unhide.patch

This patch expands rkhunter's filtering of unhide output, allowing it to work properly with newer versions. Also I've dropped "yjesus@"-string filtering as this output is never printed by any version of unhide in portage. The only occurrence of the "yjesus@" string is in the man page of unhide-20110113 and therefore this filter can be painlessly omitted.
Comment 2 Coacher 2013-05-31 15:53:59 UTC
Suggested patch also properly handles unhide-20130526.
Comment 3 G.Wolfe Woodbury 2014-03-08 21:52:02 UTC
I can confirm this error.

The proposed patch will work (very similar to my own fix).

If you apply the patch locally, you will need to run the command:

   # rkhunter --propupd rkhunter

to prevent rkhunter from reporting itself as suspicious.
Additionally, some recent Gentoo updates have altered some of the commands that rkhunter checks. Repeat the (appropriately altered) command above to reset rkhunter's database.
Comment 4 G.Wolfe Woodbury 2014-03-08 21:54:09 UTC
There is a new upstream release (1.4.2) that adds some significant features.

rkhunter should be updated to 1.4.2
Comment 5 Coacher 2014-03-08 22:24:26 UTC
(In reply to G.Wolfe Woodbury from comment #4)
> There is a new upstream release (1.4.2) that adds some significant features.
> 
> rkhunter should be updated to 1.4.2

You really should open a separate bug for this.
Comment 6 Rick Farina (Zero_Chaos) gentoo-dev 2014-06-29 02:46:55 UTC
This really looks like the kind of patch that should be going upstream. Would the author of said patch have any interest in that?
Comment 7 Coacher 2014-06-29 14:12:54 UTC
(In reply to Rick Farina (Zero_Chaos) from comment #6)
> This really looks like the kind of patch that should be going upstream. 
> Would the author of said patch have any interest in that?

Upstream most probably will have no interest in that. They released rkhunter-1.4.2 since the initial report on this issue and 1.4.2 works OK with recent unhide (they even mentioned it specifically in the Changelog for 1.4.2). But Gentoo keeps the 1.4.0 ebuild as well, so it is mostly a Gentoo problem now.
Comment 8 Coacher 2014-06-29 15:53:18 UTC
Created attachment 379928
rkhunter-1.4.0.unhide.patch

Add another revision of the patch. Now it backports the corresponding change from rkhunter-1.4.2 rather than being my own fix. Also name it properly.
Comment 9 Rick Farina (Zero_Chaos) gentoo-dev 2014-06-29 17:38:48 UTC
Yeah, I'm thinking about a better way of handling it. I removed the outdated version; please use the new one :-)