Re: ckrootkit - issues with patch number 27 (was Re: Offering to help - chkrootkit and rkhunter)
Hello Richard,
the patch you mention was modified by the same author that send
patches [28...51] to me.
I also believed that a better review was needed so i forwarded all of
them to original author.
Upstream was agree to do a deeper review of all patches in the package
and include them (or not) in the next release.
Greetings,
Marcos
El dom, 03-10-2021 a las 01:18 +0100, RL escribió:
> Marcos Fouces <marcos@debian.org> writes:
>
> > Hello Richard,
> >
> > i merged your requests for chkrootkit.
> >
> > IMHO, the best way to start contributing is exactly what you did!
> > (Merge requests)
>
> Thanks, this is good news :).
>
> I started looking at the code and bugs, but got side-tracked: It
> seems
> to me that patch 27 (from july 2020) in debian/patches is
> problematic. I
> was not able to understand most of what patch 27 is trying to do, but
> it
> seems to me that:
>
> 1. Patch 27 is re-introducing an "interesting feature" where chkproc
> (a C programme run by chkrootkit) sends kill signals to pid 1
> and 12345 see if they might be rootkits (!). These are in the
> upsteam code, but in 2008 debian's patch #5 commented out that code
> to
> fix https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=457828
>
> Patch 27 has apparently reversed this fix and the debian version of
> chkproc.c (after all debian's patching) includes the kill signals
> again. (i think they occur less often than before, so maybe the new
> bug is less 'critical')
>
> 2. Patch 27 is also the sole cause of the "OooPS" messages reported
> in
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982998
>
> These come from MAX_PROCESSES in chkproc.c being too low. upstream
> has
> set MAX_PROCESSES to > 4 million since 2014, but patch 27
> apparently
> reset it back to 99999.
>
> I think someone more knowledgable in C than me should look at this
> patch
> and see whether it is valid or not.
>
Reply to: