Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 308557

Summary: app-forensics/chkrootkit-0.48-r1 does not transverse /lib or /usr/lib correctly due to symlinks
Product: Gentoo Linux Reporter: Adam Randall <randalla>
Component: Current packagesAssignee: No maintainer - Look at https://wiki.gentoo.org/wiki/Project:Proxy_Maintainers if you want to take care of it <maintainer-needed>
Status: RESOLVED TEST-REQUEST    
Severity: normal    
Priority: High    
Version: unspecified   
Hardware: AMD64   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---

Description Adam Randall 2010-03-09 00:33:09 UTC
app-forensics/chkrootkit-0.48-r1 has issues with 64-bit systems when using find internally. The simple reason is that find is being passed the paths to /lib and /usr/lib and ignores them because they are sym-links. The solution is to either pass the paths with a trailing /, or add -L to the find command itself so that it will transverse sym-links everywhere (possibly dangerous).

Reproducible: Always

Steps to Reproduce:
1. Run chkrootkit
2. Examine the output of "Searching for suspicious files and dirs, it may take a while..."
3. On 32-bit systems you will get a list of empty files, on 64-bit systems you will get none.

Actual Results:  
On 64-bit systems (in my case no-multilib profile) nothing is returned in in the suspicious files test. This is just testing for files in the path that begin with periods.

Expected Results:  
A list of files with leading periods.

The command that is being executed by chkrootkit is:

/usr/bin/find /usr/lib /lib -name '.[A-Za-z]*' -o -name '...*' -o -name '.. *'

It should be either of the following instead:

/usr/bin/find /usr/lib/ /lib/ -name '.[A-Za-z]*' -o -name '...*' -o -name '.. *'
-- OR --
/usr/bin/find -L /usr/lib /lib -name '.[A-Za-z]*' -o -name '...*' -o -name '.. *'

The latter will transverse more files inside of the specified files (potentially finding hundreds more files with leading periods). It also could get caught in loops if one existed.

There may be other instances of this happening in chkrootkit that I'm not aware of. This is just one example that I have found.
Comment 1 Pacho Ramos gentoo-dev 2017-08-30 18:25:50 UTC
Please retry with 0.51 version