Bug 308557

app-forensics/chkrootkit-0.48-r1 has issues with 64-bit systems when using find internally. The simple reason is that find is being passed the paths to /lib and /usr/lib and ignores them because they are sym-links. The solution is to either pass the paths with a trailing /, or add -L to the find command itself so that it will transverse sym-links everywhere (possibly dangerous).

Reproducible: Always

Steps to Reproduce:
1. Run chkrootkit
2. Examine the output of "Searching for suspicious files and dirs, it may take a while..."
3. On 32-bit systems you will get a list of empty files, on 64-bit systems you will get none.

Actual Results:  
On 64-bit systems (in my case no-multilib profile) nothing is returned in in the suspicious files test. This is just testing for files in the path that begin with periods.

Expected Results:  
A list of files with leading periods.

The command that is being executed by chkrootkit is:

/usr/bin/find /usr/lib /lib -name '.[A-Za-z]*' -o -name '...*' -o -name '.. *'

It should be either of the following instead:

/usr/bin/find /usr/lib/ /lib/ -name '.[A-Za-z]*' -o -name '...*' -o -name '.. *'
-- OR --
/usr/bin/find -L /usr/lib /lib -name '.[A-Za-z]*' -o -name '...*' -o -name '.. *'

The latter will transverse more files inside of the specified files (potentially finding hundreds more files with leading periods). It also could get caught in loops if one existed.

There may be other instances of this happening in chkrootkit that I'm not aware of. This is just one example that I have found.