[Forensics-changes] [rkhunter] 03/05: Drop patches applied upstream and fix another
Francois Marier
francois at moszumanska.debian.org
Sun Jul 2 04:35:20 UTC 2017
This is an automated email from the git hooks/post-receive script.
francois pushed a commit to branch master
in repository rkhunter.
commit c993d2f386ae098c5ac4eb44bd6814e73e6069cf
Author: Francois Marier <francois at debian.org>
Date: Sat Jul 1 20:43:22 2017 -0700
Drop patches applied upstream and fix another
---
debian/changelog | 7 +-
debian/patches/05_custom_conffile.diff | 81 +++++-----------------
debian/patches/20_fix-ipcs-language.diff | 18 -----
.../patches/40_false-positive-deleted-files.diff | 57 ---------------
debian/patches/series | 2 -
5 files changed, 22 insertions(+), 143 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 524402d..6339a14 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,11 @@
rkhunter (1.4.4-1) unstable; urgency=high
- * New upstream release (closes: #815693, #866677)
+ * New upstream release (closes: #815693)
+ - fix for CVE-2017-7480 (closes: #866677)
+ - drop 20_fix-ipcs-language and 40_false-positive-deleted-files
+ (applied upstream)
+ - update 05_custom_conffile
+ * Bump Standards-Version to 4.0.0
-- Francois Marier <francois at debian.org> Sat, 01 Jul 2017 20:37:36 -0700
diff --git a/debian/patches/05_custom_conffile.diff b/debian/patches/05_custom_conffile.diff
index 9d28e1e..d5fca98 100644
--- a/debian/patches/05_custom_conffile.diff
+++ b/debian/patches/05_custom_conffile.diff
@@ -1,11 +1,11 @@
Description: Custom configuration options for Debian package
Author: Francois Marier <francois at debian.org>
Forwarded: not-needed
-Last-Update: 2015-04-26
+Last-Update: 2017-07-01
--- a/files/rkhunter.conf
+++ b/files/rkhunter.conf
-@@ -130,7 +130,7 @@
+@@ -133,7 +133,7 @@
#
# Also see the MAIL_CMD option.
#
@@ -14,7 +14,7 @@ Last-Update: 2015-04-26
#
# This option specifies the mail command to use if MAIL-ON-WARNING is set.
-@@ -154,7 +154,7 @@
+@@ -157,7 +157,7 @@
# subsequently commented out or removed, then the program will assume a
# default directory beneath the installation directory.
#
@@ -23,7 +23,7 @@ Last-Update: 2015-04-26
#
# This option specifies the database directory to use.
-@@ -163,7 +163,7 @@
+@@ -166,7 +166,7 @@
# subsequently commented out or removed, then the program will assume a
# default directory beneath the installation directory.
#
@@ -32,7 +32,7 @@ Last-Update: 2015-04-26
#
# This option specifies the script directory to use.
-@@ -171,7 +171,7 @@
+@@ -174,7 +174,7 @@
# The installer program will set the default directory. If this default is
# subsequently commented out or removed, then the program will not run.
#
@@ -41,13 +41,7 @@ Last-Update: 2015-04-26
#
# This option can be used to modify the command directory list used by rkhunter
-@@ -259,12 +259,12 @@ LOGFILE=/var/log/rkhunter.log
- #
- # USE_SYSLOG=authpriv.warning
- #
--# Setting the value to 'NONE', or just leaving the option commented out,
-+# Setting the value to 'none', or just leaving the option commented out,
- # disables the use of syslog.
+@@ -267,7 +267,7 @@ LOGFILE=/var/log/rkhunter.log
#
# The default value is not to use syslog.
#
@@ -56,45 +50,7 @@ Last-Update: 2015-04-26
#
# Set the following option to '1' if the second colour set is to be used. This
-@@ -330,8 +330,8 @@ AUTO_X_DETECT=1
-
- #
- # These two options determine which tests are to be performed. The ENABLE_TESTS
--# option can use the word 'ALL' to refer to all of the available tests. The
--# DISABLE_TESTS option can use the word 'NONE' to mean that no tests are
-+# option can use the word 'all' to refer to all of the available tests. The
-+# DISABLE_TESTS option can use the word 'none' to mean that no tests are
- # disabled. The list of disabled tests is applied to the list of enabled tests.
- #
- # Both options are space-separated lists of test names, and both options may
-@@ -349,8 +349,15 @@ AUTO_X_DETECT=1
- # either of the options below are specified, then they will override the
- # program defaults.
- #
--ENABLE_TESTS=ALL
--DISABLE_TESTS=suspscan hidden_ports hidden_procs deleted_files packet_cap_apps
-+# hidden_procs test requires the unhide and/or unhide.rb commands which are
-+# part of the unhide respectively unhide.rb packages in Debian.
-+#
-+# apps test is disabled by default as it triggers warnings about outdated
-+# applications (and warns about possible security risk: we better trust
-+# the Debian Security Team).
-+#
-+ENABLE_TESTS=all
-+DISABLE_TESTS=suspscan hidden_procs deleted_files packet_cap_apps apps
-
- #
- # The HASH_CMD option can be used to specify the command to use for the file
-@@ -381,7 +388,7 @@ DISABLE_TESTS=suspscan hidden_ports hidden_procs deleted_files packet_cap_apps
- #
- # Also see the HASH_FLD_IDX option.
- #
--#HASH_CMD=sha1sum
-+HASH_CMD=sha256sum
-
- #
- # The HASH_FLD_IDX option specifies which field from the HASH_CMD command
-@@ -421,6 +428,9 @@ DISABLE_TESTS=suspscan hidden_ports hidden_procs deleted_files packet_cap_apps
+@@ -433,6 +433,9 @@ DISABLE_TESTS=suspscan hidden_ports hidden_procs deleted_files packet_cap_apps a
#
# Also see the PKGMGR_NO_VRFY and USE_SUNSUM options.
#
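Review bot: The refreshed patch no longer carries the Debian overrides `ENABLE_TESTS=all`, `DISABLE_TESTS=suspscan hidden_procs deleted_files packet_cap_apps apps` and `HASH_CMD=sha256sum` (removed in this hunk), nor `DISABLE_UNHIDE=1` (removed in the last hunk of this file), so the package now ships whatever the 1.4.4 rkhunter.conf sets for them. The new hunk-header context `DISABLE_TESTS=suspscan hidden_ports hidden_procs ...` suggests the upstream line still lists `hidden_ports`, which the old override left enabled, so this change may switch that test off. The 1.4.4 values of HASH_CMD and DISABLE_UNHIDE are not visible here and should be checked the same way. The changelog entry says only `- update 05_custom_conffile`; I would record the dropped overrides there, e.g. `- update 05_custom_conffile (drop ENABLE_TESTS, DISABLE_TESTS, HASH_CMD and DISABLE_UNHIDE overrides)`, so administrators can tell why scan coverage or the file-hash baseline changed after the upgrade.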
@@ -104,7 +60,7 @@ Last-Update: 2015-04-26
#PKGMGR=NONE
#
-@@ -574,7 +584,14 @@ DISABLE_TESTS=suspscan hidden_ports hidden_procs deleted_files packet_cap_apps
+@@ -586,7 +589,14 @@ DISABLE_TESTS=suspscan hidden_ports hidden_procs deleted_files packet_cap_apps a
#
# The default value is the null string.
#
@@ -120,7 +76,7 @@ Last-Update: 2015-04-26
#
# Allow the specified file to have the immutable attribute set.
-@@ -602,9 +619,8 @@ DISABLE_TESTS=suspscan hidden_ports hidden_procs deleted_files packet_cap_apps
+@@ -614,9 +624,8 @@ DISABLE_TESTS=suspscan hidden_ports hidden_procs deleted_files packet_cap_apps a
# The default value is the null string.
#
#ALLOWHIDDENDIR=/etc/.java
@@ -132,7 +88,7 @@ Last-Update: 2015-04-26
#
# Allow the specified hidden file to be whitelisted.
-@@ -620,6 +636,11 @@ DISABLE_TESTS=suspscan hidden_ports hidden_procs deleted_files packet_cap_apps
+@@ -632,6 +641,11 @@ DISABLE_TESTS=suspscan hidden_ports hidden_procs deleted_files packet_cap_apps a
#ALLOWHIDDENFILE=/usr/lib/hmaccalc/sha1hmac.hmac
#ALLOWHIDDENFILE=/usr/lib/hmaccalc/sha256hmac.hmac
#ALLOWHIDDENFILE=/usr/sbin/.sshd.hmac
@@ -144,7 +100,7 @@ Last-Update: 2015-04-26
#
# Allow the specified process to use deleted files. The process name may be
-@@ -634,7 +655,10 @@ DISABLE_TESTS=suspscan hidden_ports hidden_procs deleted_files packet_cap_apps
+@@ -654,7 +668,10 @@ DISABLE_TESTS=suspscan hidden_ports hidden_procs deleted_files packet_cap_apps a
# The default value is the null string.
#
#ALLOWPROCDELFILE=/sbin/cardmgr
@@ -155,7 +111,7 @@ Last-Update: 2015-04-26
#
# Allow the specified process to listen on any network interface.
-@@ -761,7 +785,7 @@ DISABLE_TESTS=suspscan hidden_ports hidden_procs deleted_files packet_cap_apps
+@@ -791,7 +808,7 @@ DISABLE_TESTS=suspscan hidden_ports hidden_procs deleted_files packet_cap_apps a
#
# This option has no default value.
#
@@ -164,7 +120,7 @@ Last-Update: 2015-04-26
#
# This option tells rkhunter the pathname to the file containing the user
-@@ -786,7 +810,7 @@ DISABLE_TESTS=suspscan hidden_ports hidden_procs deleted_files packet_cap_apps
+@@ -816,7 +833,7 @@ DISABLE_TESTS=suspscan hidden_ports hidden_procs deleted_files packet_cap_apps a
#
# The default value is the null string.
#
@@ -173,7 +129,7 @@ Last-Update: 2015-04-26
#
# This option allows the specified accounts to have no password. NIS/YP entries
-@@ -941,7 +965,7 @@ DISABLE_TESTS=suspscan hidden_ports hidden_procs deleted_files packet_cap_apps
+@@ -972,7 +989,7 @@ DISABLE_TESTS=suspscan hidden_ports hidden_procs deleted_files packet_cap_apps a
#
# Also see the WARN_ON_OS_CHANGE and UPDT_ON_OS_CHANGE options.
#
@@ -182,14 +138,9 @@ Last-Update: 2015-04-26
#
# Set the following option to '0' if you do not want to receive a warning if any
-@@ -1178,7 +1202,9 @@ DISABLE_TESTS=suspscan hidden_ports hidden_procs deleted_files packet_cap_apps
- #
+@@ -1274,3 +1291,5 @@ DISABLE_TESTS=suspscan hidden_ports hidden_procs deleted_files packet_cap_apps a
# The default value is '0'.
#
--#DISABLE_UNHIDE=0
-+DISABLE_UNHIDE=1
+ #GLOBSTAR=0
+
+INSTALLDIR=/usr
-
- #
- # This option can be set to either '0' or '1'. If set to '1' then the summary,
diff --git a/debian/patches/20_fix-ipcs-language.diff b/debian/patches/20_fix-ipcs-language.diff
deleted file mode 100644
index 2bc9dd5..0000000
--- a/debian/patches/20_fix-ipcs-language.diff
+++ /dev/null
@@ -1,18 +0,0 @@
-Description: Force english locale for ipcs call
-Author: Francois Marier <francois at debian.org>
-Forwarded: https://sourceforge.net/p/rkhunter/patches/42/
-Last-Update: 2014-11-07
-Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=767731
-Bug: https://sourceforge.net/p/rkhunter/bugs/130/
-
---- a/files/rkhunter
-+++ b/files/rkhunter
-@@ -13964,7 +13964,7 @@ ${FOUND_PROCS}"
- touch "${IPCS_TMPFILE}"
- FOUND=0; echo $FOUND > "${IPCS_TMPFILE}"
-
-- if [ `${IPCS_CMD} -u 2>/dev/null | awk -F' ' '/segments allocated/ {print $3}'` -ne 0 ]; then
-+ if [ `LANG=C ${IPCS_CMD} -u 2>/dev/null | awk -F' ' '/segments allocated/ {print $3}'` -ne 0 ]; then
- ${IPCS_CMD} -m | grep "^0x" | while read RKH_SHM_KEY RKH_SHM_SHMID RKH_SHM_OWNER RKH_SHM_PERMS RKH_SHM_BYTES RKH_SHM_NATTACH RKH_SHM_STATUS; do
- if [ $RKH_SHM_PERMS -eq 666 -a $RKH_SHM_BYTES -ge 1000000 ]; then
- FOUND=1; echo $FOUND > "${IPCS_TMPFILE}"
diff --git a/debian/patches/40_false-positive-deleted-files.diff b/debian/patches/40_false-positive-deleted-files.diff
deleted file mode 100644
index fe64b9f..0000000
--- a/debian/patches/40_false-positive-deleted-files.diff
+++ /dev/null
@@ -1,57 +0,0 @@
-Author: Klaus Ethgen <Klaus at Ethgen.de>
-Forwarded: not needed
-Last-Update: 2016-04-26
-Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=816170
-
---- a/files/rkhunter
-+++ b/files/rkhunter
-@@ -13378,6 +13378,17 @@ malware_checks() {
- PROCWHITELISTED=0
- PROCDELFILES_GIVEN=0
-
-+ #
-+ # For this test we do not want to use globbing because it may match with
-+ # files that actually exist. This could then lead to a false-positive for
-+ # what should have been a whitelisted pathname. Instead we disable globbing,
-+ # and then change the glob characters to regular expression ones. We also
-+ # escape typical grep regex characters (e.g. '.'). The resulting regular
-+ # expression is then matched against the deleted file pathname.
-+ #
-+
-+ set -f
-+
- for RKHTMPVAR in ${ALLOWPROCDELFILES}; do
- RKHTMPVAR2=`echo "${RKHTMPVAR}" | awk -F ':/' '{ print $1 }'`
-
-@@ -13387,15 +13398,16 @@ malware_checks() {
- if [ $PROCDELFILES_GIVEN -eq 1 ]; then
- RKHTMPVAR3=`echo "${RKHTMPVAR}" | awk -F ':/' '{ for (i = 2; i <= NF; i++) { a[i] = $i } } END { for (i in a) { print "/" a[i] } }'`
-
-- # Now expand the deleted file pathnames.
-- RKHTMPVAR3=`expand_paths RKHTMPVAR3`
-+ FNAMEGREP=""
-
-- # We must reset the IFS because 'expand_paths' sets it to the default.
-- IFS=$IFSNL
-+ for FN in ${RKHTMPVAR3}; do
-+ FNGREP=`echo "${FN}" | sed -e 's/\([.$]\)/\\\\\1/g; s/\([^\\]\)\*/\1.*/g; s/\([^\\]\)?/\1./g;'`
-+ FNAMEGREP="${FNAMEGREP}|${FNGREP}"
-+ done
-
-- FNAMEGREP=`echo "${RKHTMPVAR3}" | sed -e 's/\([.$*?\\]\)/\\\\\1/g; s/\[/\\\\[/g; s/\]/\\\\]/g'`
-+ FNAMEGREP=`echo "${FNAMEGREP}" | sed -e 's/^|//;'`
-
-- if [ -n "`echo \"${FNAME}\" | grep \"^${FNAMEGREP}$\"`" ]; then
-+ if [ -n "`echo \"${FNAME}\" | egrep \"^(${FNAMEGREP})$\"`" ]; then
- PROCWHITELISTED=1
- fi
- else
-@@ -13406,6 +13418,8 @@ malware_checks() {
- fi
- done
-
-+ set +f
-+
-
- test $HAVE_READLINK -eq 0 && PROC="\"${PROC}\""
-
diff --git a/debian/patches/series b/debian/patches/series
index 2119f78..e01846f 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,6 +1,4 @@
05_custom_conffile.diff
10_fix-man.diff
15_remove-empty-dir.diff
-20_fix-ipcs-language.diff
30_fix-lang-update-grep.diff
-40_false-positive-deleted-files.diff
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/forensics/rkhunter.git