On Fri, 14 Feb 2020 20:21:32 +0100 Axel Beckert wrote:

[...]
> Hi,

Hello Axel,
thanks a lot for looking into my bug report!

>
> Francesco Poli (wintermute) wrote:
[...]
> > Does libkeyutils1/1.6.1-2 ship a rootkit?
>
> Likely not. I looked through the whole diff between 1.6 and 1.6.1. At
> least nothing suspicious like obfuscated code.

And the .deb package builds in a [reproducible] manner, with the
checksum of libkeyutils1_1.6.1-2_amd64.deb shown by
tests.reproducible-builds.org identical to that of the same .deb
package in my /var/cache/apt/archives/

Hence, even looking at the *source* differences should be enough to be
reasonably sure...

[reproducible]: <https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/keyutils.html>

>
> > Or is it a false positive from rkhunter?
>
> Likely, because what triggers this is not the content of the file, but
> the filename itself
[...]
> Doesn't look like a rootkit addition to me, just bumping the SONAME.
> (And the adding of KEYCTL_MOVE neither.) Lowering the severity to
> default ("normal")...
[...]

I agree.
Thanks again for the very prompt analysis!

--
 http://www.inventati.org/frx/
 There's not a second to spare! To the laboratory!
..................................................... Francesco Poli .
 GnuPG key fpr == CA01 1147 9CD2 EFDF FB82 3925 3E1C 27E1 1F69 BFFE