[Forensics-changes] [rkhunter] 03/03: Pull in upstream commit to fix false positives (closes: #816170)
Francois Marier
francois at moszumanska.debian.org
Mon Jul 4 00:31:40 UTC 2016
This is an automated email from the git hooks/post-receive script.
francois pushed a commit to branch master
in repository rkhunter.
commit 5c7618d8aaf3026eb22925f5764b2ee6a3ba8d98
Author: Francois Marier <francois at debian.org>
Date: Sun Jul 3 17:23:53 2016 -0700
Pull in upstream commit to fix false positives (closes: #816170)
---
debian/changelog | 3 +-
.../patches/40_false-positive-deleted-files.diff | 57 ++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 60 insertions(+), 1 deletion(-)
diff --git a/debian/changelog b/debian/changelog
index 22b01fe..8403a90 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,10 +1,11 @@
rkhunter (1.4.2-6) unstable; urgency=medium
* Fix logcheck rule ("1 seconds")
+ * Pull in upstream commit to fix false positives (closes: #816170)
* Move VCS URLs to HTTPS
* Bump Standards-Version to 3.9.8
- -- Francois Marier <francois at debian.org> Thu, 21 Jan 2016 09:37:37 -0800
+ -- Francois Marier <francois at debian.org> Sun, 03 Jul 2016 17:29:26 -0700
rkhunter (1.4.2-5) unstable; urgency=medium
diff --git a/debian/patches/40_false-positive-deleted-files.diff b/debian/patches/40_false-positive-deleted-files.diff
new file mode 100644
index 0000000..fe64b9f
--- /dev/null
+++ b/debian/patches/40_false-positive-deleted-files.diff
@@ -0,0 +1,57 @@
+Author: Klaus Ethgen <Klaus at Ethgen.de>
+Forwarded: not needed
+Last-Update: 2016-04-26
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=816170
+
+--- a/files/rkhunter
++++ b/files/rkhunter
+@@ -13378,6 +13378,17 @@ malware_checks() {
+ PROCWHITELISTED=0
+ PROCDELFILES_GIVEN=0
+
++ #
++ # For this test we do not want to use globbing because it may match with
++ # files that actually exist. This could then lead to a false-positive for
++ # what should have been a whitelisted pathname. Instead we disable globbing,
++ # and then change the glob characters to regular expression ones. We also
++ # escape typical grep regex characters (e.g. '.'). The resulting regular
++ # expression is then matched against the deleted file pathname.
++ #
++
++ set -f
++
+ for RKHTMPVAR in ${ALLOWPROCDELFILES}; do
+ RKHTMPVAR2=`echo "${RKHTMPVAR}" | awk -F ':/' '{ print $1 }'`
+
+@@ -13387,15 +13398,16 @@ malware_checks() {
+ if [ $PROCDELFILES_GIVEN -eq 1 ]; then
+ RKHTMPVAR3=`echo "${RKHTMPVAR}" | awk -F ':/' '{ for (i = 2; i <= NF; i++) { a[i] = $i } } END { for (i in a) { print "/" a[i] } }'`
+
+- # Now expand the deleted file pathnames.
+- RKHTMPVAR3=`expand_paths RKHTMPVAR3`
++ FNAMEGREP=""
+
+- # We must reset the IFS because 'expand_paths' sets it to the default.
+- IFS=$IFSNL
++ for FN in ${RKHTMPVAR3}; do
++ FNGREP=`echo "${FN}" | sed -e 's/\([.$]\)/\\\\\1/g; s/\([^\\]\)\*/\1.*/g; s/\([^\\]\)?/\1./g;'`
++ FNAMEGREP="${FNAMEGREP}|${FNGREP}"
++ done
+
+- FNAMEGREP=`echo "${RKHTMPVAR3}" | sed -e 's/\([.$*?\\]\)/\\\\\1/g; s/\[/\\\\[/g; s/\]/\\\\]/g'`
++ FNAMEGREP=`echo "${FNAMEGREP}" | sed -e 's/^|//;'`
+
+- if [ -n "`echo \"${FNAME}\" | grep \"^${FNAMEGREP}$\"`" ]; then
++ if [ -n "`echo \"${FNAME}\" | egrep \"^(${FNAMEGREP})$\"`" ]; then
+ PROCWHITELISTED=1
+ fi
+ else
+@@ -13406,6 +13418,8 @@ malware_checks() {
+ fi
+ done
+
++ set +f
++
+
+ test $HAVE_READLINK -eq 0 && PROC="\"${PROC}\""
+
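Review bot: The `FNGREP` sed at the top of the inner `for FN` loop escapes only `.` and `$`, yet the comparison a few lines below now goes through `egrep`, so a whitelisted pathname containing `[`, `]`, `+`, `(`, `)`, `{`, `}`, `|` or `^` is interpreted as ERE syntax instead of being matched literally as the removed `FNAMEGREP` expression did. An unbalanced bracket or a stray `+` makes egrep fail and the entry is silently not whitelisted (the same false positive this commit is fixing), while `|` splits the alternation and `[...]` becomes a bracket expression, so the whitelist can match pathnames the administrator never listed and suppress a genuine deleted-file indicator. Extending the first substitution to the full ERE metacharacter set, leaving `*` and `?` for the glob-to-regex conversions that follow, closes the gap: `s/\([][.$^+(){}|]\)/\\\\\1/g`. ALLOWPROCDELFILES presumably comes from rkhunter.conf rather than untrusted input, so this is a correctness gap in a security control rather than an injection vector. `malware_checks()` begins and ends outside this hunk, and the unconditional `set +f` at its end re-enables globbing even if the caller had it disabled.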
diff --git a/debian/patches/series b/debian/patches/series
index dfc7957..2119f78 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -3,3 +3,4 @@
15_remove-empty-dir.diff
20_fix-ipcs-language.diff
30_fix-lang-update-grep.diff
+40_false-positive-deleted-files.diff
--