[Bug 1808882] Re: false positive on tcpd

Launchpad Bug Tracker 1808882 at bugs.launchpad.net
Thu Mar 7 10:34:27 UTC 2019


This bug was fixed in the package chkrootkit - 0.52-1ubuntu0.1

---------------
chkrootkit (0.52-1ubuntu0.1) bionic; urgency=medium

  * d/patches/24_fix_chktcpd.patch: Apply patch to fix tcpd false-positive
    detections. (LP: #1808882)
    Thanks to Francois Marier for the patch.

 -- Thomas Ward <teward at ubuntu.com>  Tue, 29 Jan 2019 16:35:21 -0500

** Changed in: chkrootkit (Ubuntu Bionic)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1808882

Title:
  false positive on tcpd

Status in chkrootkit package in Ubuntu:
  Fix Released
Status in chkrootkit source package in Bionic:
  Fix Released
Status in chkrootkit source package in Cosmic:
  Fix Released
Status in chkrootkit source package in Disco:
  Fix Released
Status in chkrootkit package in Debian:
  Fix Released

Bug description:
  [Impact]

  chkrootkit will return false positives for tcpd detections as
  "infected" when tcpd is not present on a system.

  [Test Case]

   * Install chkrootkit, run chkrootkit checks.
   
   * Without the patch, chkrootkit should return "INFECTED" in its detections for tcpd.

   * With the debdiff, it should say "not present" or "not infected".

  [Regression Potential]

   * Regression risk is limited.  The only change with this patch and
     debdiff is that we reinitialize the CMD variable in the test to
     "empty" before utilizing CMD, which clears the bug of "/bin/tar" from
     the previous test still being used in the script for testing tcpd.  No
     other chkrootkit bits are, based on my testing, affected by this
     change.

  [Other Info]
   
   * Patch was provided by Francois Marier from Debian

  [Original Description]

  This has apparently been a thing since at least 16.04

  Install a clean version of Ubuntu, install chkrootkit, run a check.

  tcpd will report as infected.

  ProblemType: Bug
  DistroRelease: Ubuntu 18.04
  Package: chkrootkit 0.52-1
  ProcVersionSignature: Ubuntu 4.15.0-42.45-lowlatency 4.15.18
  Uname: Linux 4.15.0-42-lowlatency x86_64
  NonfreeKernelModules: nvidia_modeset nvidia
  ApportVersion: 2.20.9-0ubuntu7.5
  Architecture: amd64
  CurrentDesktop: MATE
  Date: Mon Dec 17 18:30:29 2018
  InstallationDate: Installed on 2018-12-05 (12 days ago)
  InstallationMedia: Ubuntu-MATE 18.04.1 LTS "Bionic Beaver" - Release amd64 (20180725)
  SourcePackage: chkrootkit
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/chkrootkit/+bug/1808882/+subscriptions
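
The stale-CMD failure described under [Regression Potential], as an added example that is not chkrootkit's code and not part of the original bug report. It is a simplified model: the function names, the signature string, the sandbox files, and the assumption that the tcpd test only looks the binary up when CMD is empty are all constructed for illustration.

```shell
#!/bin/sh
# Simplified model of a scanner whose checks share one global, CMD.
# Not chkrootkit's source: names, signature and sandbox are constructed.

SANDBOX=$(mktemp -d)                  # constructed stand-in for /bin
trap 'rm -rf "$SANDBOX"' EXIT
# A clean "tar" that happens to contain a word the tcpd signature matches.
printf 'constructed tar stand-in: contains the word hack\n' > "$SANDBOX/tar"
TCPD_SIGNATURE='hack'                 # constructed signature for tcpd only

# Print the path of a binary in the sandbox, or nothing if it is absent.
locate_bin() {
    if [ -f "$SANDBOX/$1" ]; then printf '%s\n' "$SANDBOX/$1"; fi
}

check_tar() {
    CMD=$(locate_bin tar)             # CMD stays set after this returns
    if [ -z "$CMD" ]; then echo "not present"; return; fi
    echo "not infected"
}

# $1 = "buggy": reuse whatever CMD the previous check left behind.
# $1 = "fixed": reinitialize CMD to empty first, as the bug report describes.
check_tcpd() {
    if [ "$1" = "fixed" ]; then CMD=""; fi
    # Assumed flow: only look tcpd up when nothing filled CMD earlier.
    if [ -z "$CMD" ]; then CMD=$(locate_bin tcpd); fi
    if [ -z "$CMD" ]; then echo "not present"; return; fi
    # With a stale CMD this scans tar using the tcpd signature.
    if grep -q "$TCPD_SIGNATURE" "$CMD"; then
        echo "INFECTED"
    else
        echo "not infected"
    fi
}

# Run the checks in scanner order and print only the tcpd verdict.
tcpd_verdict() {
    CMD=""
    check_tar >/dev/null
    check_tcpd "$1"
}

echo "without reset: $(tcpd_verdict buggy)"
echo "with reset:    $(tcpd_verdict fixed)"
```

The sandbox contains no tcpd at all, so the "INFECTED" verdict in the first run comes entirely from scanning the wrong file.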
