On Sat, 15 Feb 2020 13:16:10 +0100 Christian Kastner wrote:

> On 15.02.20 11:39, Francesco Poli wrote:
[...]
> > Is it wrong (or too late) to change that symbol into
> > keyctl_move@KEYUTILS_1.10 ?
> > Would that bump the SONAME again and generate libkeyutils.so.1.10 ?
>
> The SONAME didn't change, actually -- that's the benefit of symbol
> versioning, instead of versioning the whole library.
>
> It's too late to change the symbol itself, IMO. What could be done is to
> just change the library filename, but I feel it's a poor solution. We
> can't start renaming things just because malware chooses to abuse that name.

I can agree with you on this.
Thanks for the kind explanation!

> > I had to downgrade libkeyutils1 and pin it to version 1.6-6, in order
> > to getting an annoying daily alert (via local mail) from rkhunter.
> > I would love to see this issue solved soon.
>
> Researching this, I saw that Arch discovered this issue already last
> August [1]. The third comment contains a whitelisting workaround for
> rkhunter.
>
> Could I ask you to try this workaround, and report back if it worked?
>
> [1] https://bugs.archlinux.org/task/63369

That's interesting: I hadn't found the correct whitelist option to use.

I added the following two lines to my rkhunter configuration file:

  $ grep keyutils /etc/rkhunter.conf
  RTKT_FILE_WHITELIST=/lib/x86_64-linux-gnu/libkeyutils.so.1.9
  USER_FILEPROP_FILES_DIRS=/lib/x86_64-linux-gnu/libkeyutils.so.1.9

and this seems to work around the issue.

Thanks a lot for your research effort, it is much appreciated!

This bug report may probably be closed.
In the meanwhile, I reported the corresponding [bug #951366] against
rkhunter: let's see what the Debian Security Tools maintainers think...

[bug #951366]: <https://bugs.debian.org/951366>

-- 
 http://www.inventati.org/frx/
 There's not a second to spare! To the laboratory!
..................................................... Francesco Poli .
 GnuPG key fpr == CA01 1147 9CD2 EFDF FB82  3925 3E1C 27E1 1F69 BFFE
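Added example, not part of the original message or of rkhunter: because the whitelist entry silences the rootkit check for that path, this sketch re-checks every RTKT_FILE_WHITELIST file against a dpkg-style md5sums list. The function names, the ROOT argument and the demo file are assumptions made for illustration; on amd64 Debian the list for this library is assumed to be /var/lib/dpkg/info/libkeyutils1:amd64.md5sums.

```shell
#!/bin/sh
# check_whitelist CONF MD5SUMS [ROOT]
#   CONF    rkhunter configuration file
#   MD5SUMS dpkg-style list: "<md5>  <path without leading slash>"
#   ROOT    prefix of the files on disk (assumption: empty on a live system)
# Returns 0 only if every whitelisted file matches its packaged checksum.
check_whitelist() {
    conf=$1 sums=$2 root=${3:-}
    status=0
    # The option takes a space-separated list; commented-out lines are skipped.
    for path in $(sed -n 's/^[[:space:]]*RTKT_FILE_WHITELIST=//p' "$conf"); do
        path=${path%%:*}          # drop an optional ":string" suffix
        rel=${path#/}
        want=$(awk -v p="$rel" '$2 == p { print $1 }' "$sums")
        if [ -z "$want" ]; then
            echo "UNKNOWN  $path (not in the package checksum list)"
            status=1
        elif [ ! -f "$root/$rel" ]; then
            echo "MISSING  $path"
            status=1
        else
            have=$(md5sum "$root/$rel" | cut -d' ' -f1)
            if [ "$have" = "$want" ]; then
                echo "OK       $path"
            else
                echo "MISMATCH $path"
                status=1
            fi
        fi
    done
    return $status
}

# Constructed demo: a stand-in file under a temporary root, not a real library.
demo() {
    t=$(mktemp -d)
    f=lib/x86_64-linux-gnu/libkeyutils.so.1.9
    mkdir -p "$t/root/${f%/*}"
    printf 'constructed bytes\n' > "$t/root/$f"
    printf '%s  %s\n' "$(md5sum "$t/root/$f" | cut -d' ' -f1)" "$f" > "$t/sums"
    printf 'RTKT_FILE_WHITELIST=/%s\n' "$f" > "$t/conf"
    check_whitelist "$t/conf" "$t/sums" "$t/root"; rc=$?
    rm -rf "$t"
    return $rc
}
demo
```

The md5sums list lives on the same host as the library, so a match only shows the file agrees with the local package database; comparing against a freshly downloaded package gives a stronger check.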