Package: chkrootkit
Version: 0.49-4
Severity: important
Tags: patch

Hi,

the check for suspect PHP files is broken by design.

1. Any non-text file contents confuse the results of the grep if they match.

2. File contents are printed, not file names. That can't be what the check 
is supposed to achieve.

This patch fixes '/usr/bin/find: head terminated by signal 13' errors and 
prints affected file names instead of their content.

Debian bug #588121 is partly affected by this issue as well.

Please accept the attached patch.

Thanks

Andi

-- System Information:
Debian Release: 6.0.7
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686-bigmem (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages chkrootkit depends on:
ii  binutils               2.20.1-16         The GNU assembler, linker and bina
ii  debconf [debconf-2.0]  1.5.36.1          Debian configuration management sy
ii  libc6                  2.11.3-4          Embedded GNU C Library: Shared lib
ii  net-tools              1.60-23           The NET-3 networking toolkit
ii  procps                 1:3.2.8-9squeeze1 /proc file system utilities

chkrootkit recommends no packages.

chkrootkit suggests no packages.

-- debconf information:
* chkrootkit/run_daily: false
  chkrootkit/run_daily_opts: -q
  chkrootkit/diff_mode: false
Author: Andreas Stempfhuber <a...@afulinux.de>
Description: The check for suspect PHP files is broken by design.
1. Any non-text file contents confuse the results of the grep if they match.
2. File contents are printed, not file names. That can't be what the check
is supposed to achieve.
This patch fixes '/usr/bin/find: head terminated by signal 13' errors and
prints affected file names instead of their content.
--- a/chkrootkit
+++ b/chkrootkit
@@ -1152,9 +1152,9 @@
       printn "Searching for suspect PHP files... "; fi
       files="`${find} ${ROOTDIR}tmp ${ROOTDIR}var/tmp ${findargs} -name 
'*.php' 2> /dev/null`"
 if [ `echo abc | head -n 1` = "abc" ]; then
-      fileshead="`${find} ${ROOTDIR}tmp ${ROOTDIR}var/tmp ${findargs} -type f 
-exec head -n 1 {} \; | $egrep '#!.*php' 2> /dev/null`"
+      fileshead="`${find} ${ROOTDIR}tmp ${ROOTDIR}var/tmp ${findargs} -type f 
-exec sh -c 'head -n 1 "$1" 2> /dev/null | grep -q "^#!.*php" && echo "$1"' {} 
{} \;`"
 else
-      fileshead="`${find} ${ROOTDIR}tmp ${ROOTDIR}var/tmp ${findargs} -type f 
-exec head -1 {} \; | grep '#!.*php' 2> /dev/null`"
+      fileshead="`${find} ${ROOTDIR}tmp ${ROOTDIR}var/tmp ${findargs} -type f 
-exec sh -c 'head -1 "$1" 2> /dev/null | grep -q "^#!.*php" && echo "$1"' {} {} 
\;`"
 fi
    if [ "${files}" = "" -a "${fileshead}" = "" ]; then
       if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
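Review bot: Both replacement `-exec sh -c` lines tighten the pattern from '#!.*php' to "^#!.*php", a behaviour change the description does not mention. Since only the first line of each file is tested the anchor looks reasonable, but it should be stated. In the first branch the new line also calls bare `grep` where the removed line used `$egrep`, so the check no longer goes through the script's own tool variable; consider keeping the variable, or explain why plain `grep` is safe here. Finally, `{} {}` passes the file name as both `$0` and `$1` of the inner shell; the conventional form `sh -c '...' sh {}` avoids using a path from tmp as the shell's name in error messages. The output is still newline-separated, so a file name containing a newline will be split by whatever consumes `${fileshead}`.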
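The two problems described in the report can be reproduced on a scratch directory. The script below is an added example, not part of the original report or of chkrootkit; the file names and contents are constructed, and `grep -E` stands in for the script's `$egrep`.

```shell
#!/bin/sh
# Added demo (not from the bug report): old vs. patched shebang check.
# All file names and contents below are constructed.

make_fixture() {
    dir=$(mktemp -d) || return 1
    # PHP script without a .php suffix: the case the shebang check is for
    printf '#!/usr/bin/php\n<?php echo 1; ?>\n' > "$dir/dropper"
    printf '#!/bin/sh\necho hi\n' > "$dir/harmless.sh"
    # Non-text file whose first line contains "#!...php" after NUL bytes
    printf '\000\001\002 #!x php\n' > "$dir/blob.bin"
    echo "$dir"
}

# Check as it was before the patch (grep -E stands in for $egrep):
# the first lines of all files are concatenated into one stream, so grep can
# only print matching content, and GNU grep may treat the stream as binary.
old_check() {
    find "$1" -type f -exec head -n 1 {} \; | grep -E '#!.*php' 2> /dev/null
}

# Check as patched: one head|grep per file, file name echoed on a match.
new_check() {
    find "$1" -type f -exec sh -c \
        'head -n 1 "$1" 2> /dev/null | grep -q "^#!.*php" && echo "$1"' {} {} \;
}

demo() {
    d=$(make_fixture) || return 1
    echo "old check output:"; old_check "$d" || true
    echo "new check output:"; new_check "$d"
    rm -rf "$d"
}

demo
```

The old check never prints a path from the scratch directory, while the patched check prints only the path of the constructed `dropper` file.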
