Bug 32175

Summary: rkhunter reports /usr/include/file.h as rootkit
Product: Mageia Reporter: Ken Arromdee <arromdee2>
Component: RPM Packages Assignee: All Packagers <pkg-bugs>
Status: NEW --- QA Contact:
Severity: normal    
Priority: Normal    
Version: 8   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA9TOO ?
Source RPM: rkhunter-1.4.6-3.mga8.src.rpm CVE:
Status comment:

Description Ken Arromdee 2023-08-16 00:37:53 CEST
Description of problem:
rkhunter reports /usr/include/file.h as rootkit

Version-Release number of selected component (if applicable):
Mageia 8.0

How reproducible:
Always

Steps to Reproduce:
1. Install lib64magic-devel
2. Run rkhunter and look at log file
3. It reports /usr/include/file.h under SHV4 and SHV5 rootkits even though this file is provided by a Mageia package

Comment 1 Lewis Smith 2023-08-18 20:52:49 CEST
Thank you for the report.
To be clear about one thing, the file in question seems to only be provided by the lib-devel mentioned:
 $ urpmf /usr/include/file.h
 lib64magic-devel:/usr/include/file.h
 $
and that lib-devel is required by:
 $ urpmq --whatrequires lib64magic-devel
lib64createrepo_c-devel
lib64magic-devel
lib64magic-static-devel
lib64modulemd-devel
lib64radare2-devel
lib64rizin-devel
lib64rpm-devel
lib64sox-devel
ocaml-magic

 ocaml-magic
Summary     : OCaml bindings for the File type determination library

 rkhunter
Summary     : Rootkit scans for rootkits, backdoors and local exploits
Description :
Rootkit scanner is scanning tool to ensure you you're clean of known nasty
tools. This tool scans for rootkits, backdoors and local exploits

Perhaps this aspect is the catch:
 - Look for default files used by rootkits

This package has no fixed maintainer, so assigning this bug globally.

Assignee: bugsquad => pkg-bugs
Whiteboard: (none) => MGA9TOO ?
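
An added example (not part of the bug report and not rkhunter's own code) of how a flagged path such as /usr/include/file.h can be triaged on an RPM-based system: confirm that an installed package owns it, then confirm that the on-disk copy still matches what the package recorded. The function name `triage_flagged_file` is hypothetical, and the result is only as trustworthy as the local RPM database.

```shell
#!/bin/sh
# Added example: triage a path that a rootkit scanner flagged by name only.
# Prints one of:
#   unowned            no installed package claims the path
#   modified:<flags>   owned, but rpm -V reports a difference (or "missing")
#   intact:<package>   owned and matching the package's recorded attributes
# Limitation: paths containing whitespace are not handled by the awk match.

triage_flagged_file() {
    path=$1

    # rpm -qf exits non-zero when no installed package owns the path.
    if ! pkg=$(rpm -qf --queryformat '%{NAME}\n' "$path" 2>/dev/null); then
        echo "unowned"
        return 2
    fi
    pkg=$(printf '%s\n' "$pkg" | head -n 1)

    # rpm -Vf verifies every file of the owning package and prints one line
    # per file that differs; keep only the line for the flagged path.
    # The first field is the attribute string (for example S.5....T.) or the
    # word "missing"; the last field is the file name.
    flags=$(rpm -Vf "$path" 2>/dev/null |
        awk -v p="$path" '$NF == p { print $1 }')

    if [ -n "$flags" ]; then
        echo "modified:$flags"
        return 1
    fi

    echo "intact:$pkg"
    return 0
}

# Stand-alone use: pass the flagged paths as arguments.
if [ "$#" -gt 0 ]; then
    for f in "$@"; do
        printf '%s\t%s\n' "$f" "$(triage_flagged_file "$f")"
    done
fi
```

An `intact` result supports treating the scanner hit as a name collision with a packaged file; `unowned` or `modified` means the file needs a closer look before the warning is dismissed.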