rkhunter 1.3.8 false positive for gaskit rootkit due to existence of /dev/dev/

ls -al /dev/dev/
total 0
drwxr-xr-x  2 root root   60 Mar  9 15:21 ./
drwxr-xr-x 20 root root 4080 Mar  9 19:23 ../
lrwxrwxrwx  1 root root   10 Mar  9 15:21 resume -> ../../sda1

rkhunter --update
rkhunter --propupd
rkhunter -c
CC: (none) => remco
Component: Security => RPM Packages
Assignee: bugsquad => remco
QA Contact: security => (none)
Summary: rkhunter false positve for gaskit => rkhunter false positive for gaskit
Hi Galen, thank you for your report. I believe this problem has been fixed in rkhunter-1.3.8-3.1.mga2.

@qa: To test this, issue the following three commands:

rkhunter --update
rkhunter --propupd
rkhunter -c

With the version of rkhunter in release, the third command will show that the gaskit rootkit was possibly found. With the updated version in updates_testing, this should no longer be the case.

Advisory text:
==============
Updated rkhunter package eliminates false positive on gaskit rootkit

Using rkhunter on a Mageia 2 system, the gaskit rootkit was erroneously detected as it triggered on the presence of the directory /dev/dev which is commonly available on Mageia systems. This updated package eliminates this false positive.

References:
https://bugs.mageia.org/show_bug.cgi?id=9313

SRPMS:
======
rkhunter-1.3.8-3.1.mga2.src.rpm

RPMS:
=====
rkhunter-1.3.8-3.1.mga2
Assignee: remco => qa-bugs
Blocks: (none) => 9398
Whiteboard: (none) => MGA3TOO
You have this down for testing in MGA3. There is no /dev/dev in either my 32 or 64 mga3?
CC: (none) => martynvidler
Hi martyn, I'm not sure exactly which package creates this directory. But if you have ever put your machine to hibernate / sleep, I expect this directory to be created. If you don't have it on your machine, perhaps you are not the best test subject for this bug report ;-) I do have this directory on both my Mageia 2 and Cauldron system.
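The report above shows a /dev/dev directory whose only content is the hibernation "resume" symlink. The following shell helper, added here as an example and not part of rkhunter or of this bug report, triages such a directory by listing anything beyond that expected link, so an administrator can tell the benign suspend/hibernate artifact from a directory that actually needs a closer look. Sample trees are constructed under mktemp so it runs offline.

```shell
#!/bin/sh
# Added example: triage a /dev/dev directory like the one in the bug report.
# Returns 0 when the directory is absent or holds only the "resume" symlink
# created for suspend/hibernate, 1 when other entries are present.
triage_dev_dev() {
    dir="$1"
    if [ ! -d "$dir" ]; then
        echo "absent: $dir does not exist, nothing to triage"
        return 0
    fi
    unexpected=0
    # Walk visible and dotfile entries; an unmatched glob stays literal and is skipped.
    for entry in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        name=$(basename "$entry")
        if [ "$name" = "resume" ] && [ -L "$entry" ]; then
            continue   # the hibernation resume link shown in the report (-> ../../sda1)
        fi
        echo "unexpected entry: $entry"
        unexpected=$((unexpected + 1))
    done
    if [ "$unexpected" -eq 0 ]; then
        echo "benign: $dir holds only the resume symlink"
        return 0
    fi
    echo "review: $dir has $unexpected entries beyond the resume link"
    return 1
}

# Constructed sample: a fake root with /dev/dev/resume -> ../../sda1, as in the report.
make_benign_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/dev/dev"
    ln -s ../../sda1 "$root/dev/dev/resume"
    printf '%s\n' "$root/dev/dev"
}

# Constructed sample: same layout plus an extra file, which should be flagged for review.
make_review_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/dev/dev"
    ln -s ../../sda1 "$root/dev/dev/resume"
    : > "$root/dev/dev/extra_file"
    printf '%s\n' "$root/dev/dev"
}

if [ "${1:-}" = "--demo" ]; then
    triage_dev_dev "$(make_benign_sample)"
    triage_dev_dev "$(make_review_sample)" || true
fi
```

Run with `--demo` to see both verdicts, or call `triage_dev_dev /dev/dev` on a live Mageia system after a hibernate cycle.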
As this is the bug with the advisory, I'll make the others depend on this one, and assign the others back to you. Only one bug should be assigned to QA for this update.
Blocks: (none) => 8172
Version: 2 => 3
Whiteboard: MGA3TOO => MGA2TOO
As this bug had MGA3TOO, I'm assuming this is being included in the Mageia 3 update as well. rkhunter-1.4.0-3.1.mga3 should be included in the package list.
Thanks luigi! Updated advisory text to cover all 3 problem reports:

Advisory text:
==============
Updated rkhunter package addresses various issues

Using rkhunter on a Mageia 2 or 3 system, the gaskit rootkit was erroneously detected as it triggered on the presence of the directory /dev/dev which is commonly available on Mageia systems. Furthermore, the whitelisting of a file which no longer is present on Mageia 3 systems would prevent rkhunter from starting properly. Other files which should have been whitelisted were missing, resulting in warnings appearing. This update addresses these issues. rkhunter users are advised to install the updated package.

References:
https://bugs.mageia.org/show_bug.cgi?id=9313
https://bugs.mageia.org/show_bug.cgi?id=9398
https://bugs.mageia.org/show_bug.cgi?id=8172

SRPMS:
======
rkhunter-1.3.8-3.1.mga2.src.rpm
rkhunter-1.4.0-3.1.mga3.src.rpm

RPMS:
=====
rkhunter-1.3.8-3.1.mga2
rkhunter-1.4.0-3.1.mga3
Confirmed that the update fixes all three bugs on x86_64, Mageia 3. I executed rkhunter -c and /etc/cron.daily/rkhunter each time; rkhunter ran and did not report any warnings.
Testing complete on Mageia 3 i586.

Bug 9313: Did not see any false positive, but with the package in core/release, "rkhunter -c" would just show the error of bug 9398. With the update candidate, the check is performed.

Bug 9398: Could reproduce, and the update fixes it.

Bug 8172: Could not reproduce with rkhunter-1.4.0-3.mga3 from core/release, so I suppose it was fixed between mga3 alpha3 and the release. If yes, it should be removed from the advisory.

--
@James Kerr: Thanks for testing on x86_64, I added MGA3-64-OK to the whiteboard for you.
CC: (none) => remi
Whiteboard: MGA2TOO => MGA2TOO MGA3-32-OK MGA3-64-OK
Re bug 8172. /etc/cron.daily/rkhunter was reporting that warning before the update. See my comment on that bug.
Testing complete on Mageia 2 x86_64 for bug #9313
Whiteboard: MGA2TOO MGA3-32-OK MGA3-64-OK => MGA2TOO MGA3-32-OK MGA3-64-OK MGA2-64-OK
Advisory added to svn
Whiteboard: MGA2TOO MGA3-32-OK MGA3-64-OK MGA2-64-OK => MGA2TOO has_procedure MGA3-32-OK MGA3-64-OK MGA2-64-OK
Created attachment 4167
rkhunter.log file

Testing complete for rkhunter-1.4.0-3.1.mga3 on Mageia release 3 (Official) for x86_64; for me it's OK, no false positive on check.

rkhunter --update
rkhunter --propupd
rkhunter -c
CC: (none) => geiger.david68210
Testing complete on Mageia 2 i586. Validating update. Please commit the advisory (comment 7) and push the update.
Keywords: (none) => validated_update
CC: remi => sysadmin-bugs
Whiteboard: MGA2TOO has_procedure MGA3-32-OK MGA3-64-OK MGA2-64-OK => MGA2TOO has_procedure MGA3-32-OK MGA3-64-OK MGA2-32-OK MGA2-64-OK
http://advisories.mageia.org/MGAA-2013-0036.html
Status: NEW => RESOLVED
CC: (none) => boklm
Resolution: (none) => FIXED
CC: boklm => (none)