Package: chkrootkit
Version: 0.47-1.1
Severity: critical
Justification: breaks unrelated software

In testing for the Enye LKM, chkrootkit sends signal 58 to PID 12345. This has a chance of hitting any one process of 1/32767. On the system I am typing this on in its current state, I have 350 processes running, and it is not currently busy, so that's a 1/100 chance of hitting a process by random. If the system is up for a while, and I run chkrootkit in a daily cronjob, I can expect a random process to be sent signal 58 once every 100 days or so.

The other day, it killed gnuplot_x11, which I only noticed once I read my mail saying chkrootkit had "Enye LKM found". It certainly explained why a script of mine got confused, and I could tell it had killed gnuplot_x11 because it was still in a zombie state, having not yet been reaped by gnuplot, and it was running as pid 12345. There are reports on the net of it killing other processes.

That signal number is not documented in 'man 7 signal', so I guess it's not likely anything would install a signal handler that could deal with 58. Presumably chkrootkit is hoping that signal would be rejected by the kernel as invalid, but that assumption is invalid today:

$ sleep 1000 &
[1] 19277
$ kill -58 19277
[1]+ Real-time signal 24 sleep 1000
$

Incidentally, the documentation of the tests in chkproc.c needs a lot of work: 'man 2 kill' doesn't describe kill as ever being able to return a positive error value, but of course it must, because I got the "Enye LKM found" message. It took me a while to work out that that code was trying to do anything other than detect for the presence of pid 12345. Perhaps the signals it is sending could be better documented, as to the test for the error return value, and indeed the previous test for the Adobe LKM, using an errno magic number instead of symbolic name. And why it sends signal 100 to init first without testing the result.

-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.23 (SMP w/2 CPU cores)
Locale: LANG=en_AU, LC_CTYPE=en_AU (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash

Versions of packages chkrootkit depends on:
ii binutils 2.18.1~cvs20071027-2 The GNU assembler, linker and bina
ii debconf [debconf-2. 1.5.17 Debian configuration management sy
ii libc6 2.7-5 GNU C Library: Shared libraries
ii net-tools 1.60-19 The NET-3 networking toolkit
ii procps 1:3.2.7-5 /proc file system utilities

chkrootkit recommends no packages.

-- debconf information:
chkrootkit/run_daily: false
chkrootkit/run_daily_opts: -q
chkrootkit/diff_mode: false
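
The behaviour reported above can be reproduced without touching an unrelated process. The following is an added example, not code from chkrootkit or from the original report: the hypothetical helper `fate_after_signal` forks its own sleeping child and sends it a signal, contrasting signal 58 with signal 0, which kill(2) defines as an existence and permission check that delivers nothing. It assumes Linux with glibc, where 58 falls inside the real-time signal range.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Fork a bystander that only sleeps, send it `sig`, and report what happened:
 * the number of the signal that terminated it, 0 if it was still alive one
 * second later, or -1 if fork() or kill() failed. */
int fate_after_signal(int sig)
{
    struct timespec tick = { 0, 10 * 1000 * 1000 };   /* 10 ms */
    int status = 0;

    if (sig > 0) {                  /* make sure the child gets the default action */
        sigset_t one;
        sigemptyset(&one);
        sigaddset(&one, sig);
        sigprocmask(SIG_UNBLOCK, &one, NULL);
        signal(sig, SIG_DFL);
    }
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        for (;;)
            pause();                /* child: stand-in for an unrelated process */

    if (kill(pid, sig) != 0) {      /* e.g. EINVAL where `sig` is not a valid signal */
        kill(pid, SIGKILL);
        waitpid(pid, NULL, 0);
        return -1;
    }
    for (int i = 0; i < 100; i++) { /* poll for up to ~1 s */
        if (waitpid(pid, &status, WNOHANG) == pid)
            return WIFSIGNALED(status) ? WTERMSIG(status) : -1;
        nanosleep(&tick, NULL);
    }
    kill(pid, SIGKILL);             /* survived the probe: clean up */
    waitpid(pid, NULL, 0);
    return 0;
}

int main(void)
{
    printf("signal 0  -> %d\n", fate_after_signal(0));
    printf("signal 58 -> %d\n", fate_after_signal(58));
    return 0;
}
```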