Package: aptitude
Version: 0.4.11.11-1+b1
Justification: user security hole
Severity: grave
Tags: security
Hi.
I'm running several intrusion detection systems, e.g. rkhunter (which
in turn uses unhide). For quite some time now, unhide has given me false
positives (I'm quite sure that my system is not compromised), saying
that hidden processes were found.
After some trying, it seems that these processes come from aptitude
(e.g. when it's doing some operation, like starting up or so), though
I'm not absolutely sure.
As this makes the IDS nearly useless, at least for all the times when
aptitude is running, I marked this bug grave/security, but please
feel free to downgrade it ;)
rkhunter just uses unhide to scan for hidden processes, so I'll
concentrate on that.
Hidden processes are found at least when using it in "unhide sys"
mode; I'm not sure about "unhide proc", and "unhide brute" always
segfaults for me.
The output looks roughly like the following:
Warning: Hidden processes found: 29662 29675 29686 29694 29704 29715 29721
29746 29752 30778 30811 31883 31895 31908 31921 621 629 712 756 779 786
But it's possible that fewer processes are found; so far it was mostly
in that range (1 to about 20 processes).
Is it possible that this comes from aptitude?
I've also CC'ed the unhide maintainer; perhaps he can give some advice.
Thanks,
Chris.
-- Package-specific info:
Terminal: xterm
$DISPLAY is set.
`which aptitude`: /usr/bin/aptitude
aptitude version information:
aptitude 0.4.11.11 compiled at Apr 16 2009 23:38:07
Compiler: g++ 4.3.3
Compiled against:
  apt version 4.6.0
  NCurses version 5.7
  libsigc++ version: 2.0.18
  Ept support enabled.
Current library versions:
  NCurses version: ncurses 5.7.20090523
  cwidget version: 0.5.12
  Apt version: 4.6.0
aptitude linkage:
  linux-vdso.so.1 => (0x00007fff795ff000)
  libapt-pkg-libc6.9-6.so.4.7 => /usr/lib/libapt-pkg-libc6.9-6.so.4.7 (0x00007fbc71091000)
  libncursesw.so.5 => /lib/libncursesw.so.5 (0x00007fbc70e46000)
  libsigc-2.0.so.0 => /usr/lib/libsigc-2.0.so.0 (0x00007fbc70c41000)
  libcwidget.so.3 => /usr/lib/libcwidget.so.3 (0x00007fbc7096e000)
  libept.so.0 => /usr/lib/libept.so.0 (0x00007fbc706f5000)
  libxapian.so.15 => /usr/lib/libxapian.so.15 (0x00007fbc70389000)
  libz.so.1 => /usr/lib/libz.so.1 (0x00007fbc70172000)
  libpthread.so.0 => /lib/libpthread.so.0 (0x00007fbc6ff57000)
  libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0x00007fbc6fc48000)
  libm.so.6 => /lib/libm.so.6 (0x00007fbc6f9c5000)
  libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x00007fbc6f7aa000)
  libc.so.6 => /lib/libc.so.6 (0x00007fbc6f457000)
  libutil.so.1 => /lib/libutil.so.1 (0x00007fbc6f254000)
  libdl.so.2 => /lib/libdl.so.2 (0x00007fbc6f050000)
  /lib64/ld-linux-x86-64.so.2 (0x00007fbc71352000)
-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.29-heisenberg (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=en_DE.UTF-8, LC_CTYPE=en_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages aptitude depends on:
ii  apt [libapt-pkg-libc6.   0.7.21             Advanced front-end for dpkg
ii  libc6                    2.9-13             GNU C Library: Shared libraries
ii  libcwidget3              0.5.12-4           high-level terminal interface libr
ii  libept0                  0.5.26+b1          High-level library for managing De
ii  libgcc1                  1:4.4.0-5          GCC support library
ii  libncursesw5             5.7+20090523-1     shared libraries for terminal hand
ii  libsigc++-2.0-0c2a       2.0.18-2           type-safe Signal Framework for C++
ii  libstdc++6               4.4.0-5            The GNU Standard C++ Library v3
ii  libxapian15              1.0.12-2           Search engine library
ii  zlib1g                   1:1.2.3.3.dfsg-13  compression library - runtime

Versions of packages aptitude recommends:
ii  aptitude-doc-en [aptitude-do  0.4.11.11-1  English manual for aptitude, a ter
ii  libparse-debianchangelog-per  1.1.1-2      parse Debian changelogs and output

Versions of packages aptitude suggests:
ii  debtags                  1.7.9+b1           Enables support for package tags
ii  tasksel                  2.79               Tool for selecting tasks for insta
-- no debconf information
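Added example, not part of the bug report and not unhide's or aptitude's own code: it reproduces the class of false positive the reporter describes. The assumption it rests on is that unhide's "sys" test works by probing every PID with syscalls such as kill(pid, 0) and flagging any PID that answers but is absent from the /proc listing taken earlier. A process that is forked after that /proc snapshot (an aptitude helper, say) sits exactly in the window and is reported as "hidden". The second half shows the re-check a scanner needs before raising an alert: a PID that is alive and still missing from /proc on a later pass. Linux only; all function names are this example's own.

```python
"""Reproduce an unhide-sys style false positive from a short-lived child
process, then show the re-check that filters it out. Assumed model of the
"sys" test: snapshot /proc, probe PIDs via kill(pid, 0), report the difference.
"""
import os
import signal
import time


def proc_pids():
    """Snapshot of PIDs visible in /proc (what ps/top would show)."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}


def pid_alive(pid):
    """True if the kernel knows the PID. EPERM means the process exists but
    belongs to another user, which still counts as alive here."""
    try:
        os.kill(pid, 0)
        return True
    except ProcessLookupError:
        return False
    except PermissionError:
        return True


def sys_scan(snapshot, pid_range):
    """Naive unhide-sys style check: PIDs that answer kill(pid, 0) but were
    not in the /proc snapshot. There is no re-check, so any process born
    between the snapshot and the probe is reported as 'hidden'."""
    return sorted(p for p in pid_range if p not in snapshot and pid_alive(p))


def confirm_hidden(candidates, rounds=2, delay=0.05):
    """Re-check each candidate: only a PID that is alive *and* still missing
    from /proc on every round deserves an alert. A transient child fails the
    first condition on the re-check; a new legitimate process fails the
    second because it does show up in /proc."""
    hidden = []
    for pid in candidates:
        suspicious = True
        for _ in range(rounds):
            if not (pid_alive(pid) and not os.path.exists(f"/proc/{pid}")):
                suspicious = False
                break
            time.sleep(delay)
        if suspicious:
            hidden.append(pid)
    return hidden


def demonstrate_race():
    """Take the /proc snapshot, fork a child standing in for an aptitude
    helper, then probe. Returns (child_pid, flagged, confirmed): the child
    lands in `flagged` (false positive) but not in `confirmed`."""
    snapshot = proc_pids()
    child = os.fork()
    if child == 0:
        signal.pause()          # child: idle until the parent ends it
        os._exit(0)
    # Probe range bounded so the demo runs fast; unhide walks 1..pid_max.
    upper = max(max(snapshot), child) + 1
    flagged = sys_scan(snapshot, range(1, upper))
    os.kill(child, signal.SIGTERM)   # the "helper" finishes its work
    os.waitpid(child, 0)             # reap it so it is not a zombie
    confirmed = confirm_hidden(flagged)
    return child, flagged, confirmed


if __name__ == "__main__":
    child, flagged, confirmed = demonstrate_race()
    print(f"child {child}: flagged={flagged} confirmed={confirmed}")
```

The difference between `flagged` and `confirmed` is the whole false-positive story: one snapshot of /proc compared against a syscall probe taken later can only ever be as good as the gap between the two, and a package manager that forks helpers in quick succession keeps that gap full. A scanner that wants a low false-positive rate re-probes candidates after a delay and additionally checks /proc/<pid> directly. One caveat for anyone running this on a hardened box: a /proc mounted with `hidepid` makes other users' processes answer kill(pid, 0) with EPERM while their /proc entries are invisible, which this kind of check will also report as hidden.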