Bug 113588

Summary: chkrootkit reports ps, netstat infected if CFLAGS includes -g
Product: Gentoo Linux
Reporter: Mark Purtill <gentoo>
Component: Current packages
Assignee: Gentoo Linux bug wranglers <bug-wranglers>
Status: RESOLVED UPSTREAM    
Severity: minor    
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---
Attachments: Here's the complete output of chkrootkit -q showing ps and netstat INFECTED

Description Mark Purtill 2005-11-25 14:05:06 UTC
chkrootkit reports ps and netstat are INFECTED if their respective packages
(sys-process/procps-3.2.5-r1 and sys-apps/net-tools-1.60-r11) are emerged with
CFLAGS="-O2 -g".  It doesn't report anything else interesting.  If I change
CFLAGS to "" or "-O2" and re-emerge those packages, then they are reported as
not infected (so I assume the INFECTED indication is a false positive).

Here is the output of emerge info:

Portage 2.0.51.22-r3 (default-linux/x86/2005.0, gcc-3.3.6, glibc-2.3.5-r2,
2.6.13-gentoo-r3 i686)
=================================================================
System uname: 2.6.13-gentoo-r3 i686 AMD Athlon(tm) XP 1900+
Gentoo Base System version 1.6.13
dev-lang/python:     2.3.5-r2, 2.4.2
sys-apps/sandbox:    1.2.12
sys-devel/autoconf:  2.13, 2.59-r6
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils:  2.15.92.0.2-r10
sys-devel/libtool:   1.5.20
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-g -O2"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3.1/share/config
/usr/kde/3.2/share/config /usr/kde/3.3/env /usr/kde/3.3/share/config
/usr/kde/3.3/shutdown /usr/kde/3.5/env /usr/kde/3.5/share/config
/usr/kde/3.5/shutdown /usr/kde/3/share/config /usr/lib/X11/xkb
/usr/lib/mozilla/defaults/pref /usr/share/config
/usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/
/usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/
/usr/share/texmf/xdvi/ /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-g -O2"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig distlocks fixpackages nostrip sandbox sfperms strict userpriv"
GENTOO_MIRRORS="http://gentoo.osuosl.org/ ftp://gentoo.ccccom.com
ftp://ftp.gtlib.cc.gatech.edu/pub/gentoo http://mirror.datapipe.net/gentoo
http://gentoo.mirrors.easynews.com/linux/gentoo/ http://gentoo.ccccom.com"
LANG="en_US.UTF-8"
LC_ALL="en_US.UTF-8"
LINGUAS="en ja"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.namerica.gentoo.org/gentoo-portage"
USE="x86 3dnow X Xaw3d aalib acl alsa apm arts audiofile avi berkdb bindist
bitmap-fonts bzip2 canna cdr cjk crypt cups curl debug doc dvd eds emboss encode
esd exif expat fam flac foomaticdb fortran freetype freewnn gd gdbm gif glut gmp
gnome gpm gstreamer gtk gtk2 guile idn imagemagick imlib ipv6 java joystick jpeg
junit kde kdexdeltas lcms libg++ libwww mad maildir mbox mikmod mng mozilla
mozsvg mp3 mpeg mule ncurses nls noantlr nobcel nobeanutils nobsh
nocommonslogging nocommonsnet nodrm nojdepend nojsch nojython nolog4j nooro
noregexp norhino noxalan noxerces ogg oggvorbis openal opengl oss pam pcre
pdflib perl pic png python qt quicktime readline ruby scanner sdl slang speex
spell sse ssl svga tcltk tcpd tetex tiff truetype truetype-fonts type1-fonts
udev unicode usb vorbis wmf xine xinerama xml xml2 xmms xv xvid zlib
video_cards_matrox linguas_en linguas_ja userland_GNU kernel_linux elibc_glibc"
Unset:  ASFLAGS, CTARGET, LDFLAGS, MAKEOPTS

Comment 1 Mark Purtill 2005-11-25 14:09:43 UTC
Created attachment 73613
Here's the complete output of chkrootkit -q showing ps and netstat INFECTED

I get essentially the same output (different process numbers), except with ps
and netstat not showing as infected, when I re-emerge the affected packages
with CFLAGS not containing -g.

Comment 2 Jakub Moc (RETIRED) gentoo-dev 2005-11-25 14:12:51 UTC
Hmmm... This needs to be fixed upstream. See http://www.chkrootkit.org/ -
Contacting the Authors at the bottom of the page.