
Bug 471288

Summary: =app-forensics/rkhunter-1.4.0 with >=app-forensics/unhide-20120905 - rkhunter scrapes unhide output incorrectly
Product: Gentoo Linux
Reporter: Coacher <itumaykin+gentoo>
Component: Current packages
Assignee: Forensics Herd [disbanded] <forensics+obsolete>
Status: RESOLVED OBSOLETE
Severity: normal
CC: redwolfe, zerochaos
Priority: Normal
Keywords: PATCH
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---
Attachments: rkhunter-unhide.patch, rkhunter-1.4.0.unhide.patch

Description Coacher 2013-05-26 02:13:27 UTC
rkhunter can use unhide for the hidden_procs test suite. However, there is a problem with recent unhide versions (>=20120905). It is that unhide prints some program/copyright/license info on each invocation. This message cannot be suppressed by any unhide option. However, rkhunter knows about this and filters unhide output. rkhunter is aware of the message text in old versions, but in newer versions of unhide this message changed and therefore rkhunter detects false positives when running the hidden_procs test.

Suggested rkhunter patch attached below.

Reproducible: Always
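The failure mode described in the report, as an added example that is not rkhunter's code and not the attached patch: a filter that strips unhide's banner by matching known phrases works until the banner changes, at which point every unrecognised banner line survives the filter and is counted as a "hidden process". The banner lines and the grep patterns below are constructed for illustration and are not verbatim unhide output or rkhunter's actual patterns.

```shell
#!/bin/sh
# Added example: banner-filter false positives when unhide changes its banner.
# All sample output below is CONSTRUCTED to resemble unhide, not copied from it.

# Constructed output of an older unhide: short banner, no findings.
OLD_OUTPUT='Unhide 20110113
http://www.security-projects.com/?Unhide
[*]Searching for Hidden processes through /proc stat scanning'

# Constructed output of a newer unhide: banner text changed, still no findings.
NEW_OUTPUT='Unhide 20120905
Copyright 2012 Yago Jesus & Patrick Gouin
License GPLv3+ : GNU GPL version 3 or later
http://www.unhide-forensics.info
[*]Searching for Hidden processes through /proc stat scanning'

# Constructed output of the newer unhide with one genuine finding appended.
HIT_OUTPUT="${NEW_OUTPUT}
Found HIDDEN PID: 4242"

# Old-style filter (hypothetical): drops only banner phrases known from the
# old version. Anything that survives is treated as a hidden-process report.
filter_old() {
    printf '%s\n' "$1" | grep -v -e '^Unhide ' -e 'security-projects.com' -e '^\[\*\]'
}

# Updated filter (hypothetical): additionally recognises the newer banner lines,
# which is the kind of change the patch in this bug makes.
filter_new() {
    printf '%s\n' "$1" | grep -v -e '^Unhide ' -e 'security-projects.com' -e '^\[\*\]' \
        -e '^Copyright ' -e '^License ' -e 'unhide-forensics.info'
}

# Number of lines left after filtering; each one would be reported as a hit.
# $1 = filter function name, $2 = unhide output. "|| true" keeps the 0 case
# from failing under set -e (grep -c exits 1 when it counts nothing).
count_hits() {
    "$1" "$2" | grep -c . || true
}

# Demo: the old filter on the new banner reports 3 spurious "hidden processes",
# while the updated filter reports 0 and still catches the real finding.
printf 'old filter, new unhide, no findings: %s lines reported\n' "$(count_hits filter_old "$NEW_OUTPUT")"
printf 'new filter, new unhide, no findings: %s lines reported\n' "$(count_hits filter_new "$NEW_OUTPUT")"
printf 'new filter, new unhide, one finding: %s lines reported\n' "$(count_hits filter_new "$HIT_OUTPUT")"
```

The point for anyone maintaining such a wrapper: a deny-list of banner phrases silently turns every upstream wording change into a false positive, so the filter either has to track each unhide release (as the backported change does) or be inverted to allow-list only the lines that unhide prints for actual findings.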
Comment 1 Coacher 2013-05-26 02:17:25 UTC
Created attachment 349188 [details, diff]
rkhunter-unhide.patch

This patch expands rkhunter filtering of unhide output allowing it to work properly with newer versions. Also I've dropped "yjesus@"-strings filtering as this output is never printed by any version of unhide in portage. The only occurrence of a "yjesus@"-string is in the man page of unhide-20110113 and therefore this filter can be painlessly omitted.
Comment 2 Coacher 2013-05-31 15:53:59 UTC
Suggested patch also properly handles unhide-20130526.
Comment 3 G.Wolfe Woodbury 2014-03-08 21:52:02 UTC
I can confirm this error.

The proposed patch will work (very similar to my own fix)

If you apply the patch locally, you will need to run the command:

   # rkhunter --propupd rkhunter

to prevent rkhunter from reporting itself as suspicious.
Additionally, some recent Gentoo updates have altered some of the commands that rkhunter checks.  Repeat the (appropriately altered) command above to reset rkhunter's database.
Comment 4 G.Wolfe Woodbury 2014-03-08 21:54:09 UTC
There is a new upstream release (1.4.2) that adds some significant features.

rkhunter should be updated to 1.4.2
Comment 5 Coacher 2014-03-08 22:24:26 UTC
(In reply to G.Wolfe Woodbury from comment #4)
> There is a new upstream release (1.4.2) that adds some significant features.
> 
> rkhunter should be updated to 1.4.2

You really should open a separate bug for this.
Comment 6 Rick Farina (Zero_Chaos) gentoo-dev 2014-06-29 02:46:55 UTC
This really looks like the kind of patch that should be going upstream.  Would the author of said patch have any interest in that?
Comment 7 Coacher 2014-06-29 14:12:54 UTC
(In reply to Rick Farina (Zero_Chaos) from comment #6)
> This really looks like the kind of patch that should be going upstream. 
> Would the author of said patch have any interest in that?

Upstream most probably will have no interest in that. They released rkhunter-1.4.2 since the initial report on this issue and 1.4.2 works OK with recent unhide (they even mentioned it specifically in the Changelog for 1.4.2). But Gentoo keeps the 1.4.0 ebuild as well, so it is mostly a Gentoo problem now.
Comment 8 Coacher 2014-06-29 15:53:18 UTC
Created attachment 379928 [details]
rkhunter-1.4.0.unhide.patch

Add another revision of the patch. Now it backports the corresponding change from rkhunter-1.4.2 rather than being my own fix. Also name it properly.
Comment 9 Rick Farina (Zero_Chaos) gentoo-dev 2014-06-29 17:38:48 UTC
Yeah I'm thinking about a better way of handling it, I removed the outdated version, please use the new one :-)