Control: severity -1 normal

Hi,

Francesco Poli (wintermute) wrote:
> After upgrading
> 
>   [UPGRADE] libkeyutils1:amd64 1.6-6 -> 1.6.1-2
> 
> I get the following warning with
> 
>   # rkhunter --sk -c 
> 
> in /var/log/rkhunter.log:
> 
>   Info: Starting test name 'running_procs'
>     Checking running processes for suspicious files [ Warning ]
>   Warning: The following processes are using suspicious files:
>            Command: sshd
>              UID: 0    PID: 7331
>              Pathname: /lib/x86_64-linux-gnu/libkeyutils.so.1.9
>              Possible Rootkit: Spam tool component
[...]
> Does libkeyutils1/1.6.1-2 ship a rootkit?

Likely not. I looked through the whole diff between 1.6 and 1.6.1. At
least nothing suspicious like obfuscated code.

> Or is it a false positive from rkhunter?

Likely, because what triggers this is not the content of the file, but
the filename itself:

From "git blame files/rkhunter" in
https://salsa.debian.org/pkg-security-team/rkhunter:

c459dfa4 (Francois Marier 2014-10-14 23:24:53 +1300  9958) \[pdflush\]:IRC bot
eca1837f (Francois Marier 2017-07-01 20:33:17 -0700  9959) libkeyutils.so.1.9:Spam tool component
eca1837f (Francois Marier 2017-07-01 20:33:17 -0700  9960) .IptabLex:malware component

So it's solely the filename, and it's been in there since at least 2017.

And the change which triggered this warning is this commit:

commit 0f70f77491bb6976a2bf761224fec1a9cc6cfb87
Author: David Howells <dhowe...@redhat.com>
Date:   Wed May 29 23:37:15 2019 +0100

    Add support for KEYCTL_MOVE

    Signed-off-by: David Howells <dhowe...@redhat.com>

diff --git a/version.lds b/version.lds
index 9317222..9e78ea2 100644
--- a/version.lds
+++ b/version.lds
@@ -91,3 +91,9 @@ KEYUTILS_1.8 {
        keyctl_pkey_verify;

 } KEYUTILS_1.7;
 +
 +KEYUTILS_1.9 {
 +       /* Management functions */
 +       keyctl_move;
 +
 +} KEYUTILS_1.8;
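Review bot: the commit message ("Add support for KEYCTL_MOVE") does not mention that this hunk introduces a new symbol version node, KEYUTILS_1.9, chained onto KEYUTILS_1.8 in the same way the context line `} KEYUTILS_1.7;` shows KEYUTILS_1.8 chained onto 1.7. A new version node is an ABI-visible change that consumers and packagers key on, so the message should say so explicitly (e.g. "export keyctl_move under a new KEYUTILS_1.9 version node") rather than leaving it to be discovered from version.lds.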

Doesn't look like a rootkit addition to me, just bumping the SONAME.
(And neither does the addition of KEYCTL_MOVE.) Lowering the severity to
default ("normal")...

IMHO this is a bug in rkhunter, but it could also be solved in
keyutils by bumping the SONAME again, i.e. skipping this SONAME
version explicitly. But feel free to reassign.

                Regards, Axel
-- 
 ,''`.  |  Axel Beckert <a...@debian.org>, https://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-    |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE

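To make the point in the reply above concrete, that the warning is driven by the basename alone and not by the file's content, here is an added example: a small Python reimplementation of a basename-only "suspicious file" check run over constructed /proc/PID/maps lines. It is not rkhunter's own code and is not from this bug thread. The three signature entries are copied from the git blame lines quoted above; treating the left-hand side of each entry as a regex anchored at both ends, walking /proc/PID/maps for the file list, and the sample maps content for an sshd process are all assumptions made for the example.

```python
"""
Basename-only 'suspicious file' check in the style of rkhunter's
running_procs test. Added, simplified reimplementation for illustration;
not rkhunter's code. How rkhunter really applies its files list
(regex vs. substring, which process files it inspects) is an assumption.
"""
import os
import re
from dataclasses import dataclass

# The three entries quoted from "git blame files/rkhunter" above,
# in the "pattern:description" form those lines use.
SIGNATURE_LIST = """\
\\[pdflush\\]:IRC bot
libkeyutils.so.1.9:Spam tool component
.IptabLex:malware component
"""


@dataclass(frozen=True)
class Signature:
    pattern: re.Pattern   # assumption: left-hand side is a regex
    description: str


@dataclass(frozen=True)
class Finding:
    command: str
    uid: int
    pid: int
    pathname: str
    description: str


def parse_signatures(text: str) -> list[Signature]:
    """Parse 'pattern:description' lines; blank lines and '#' comments are skipped."""
    sigs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        pattern, _, description = line.partition(":")
        sigs.append(Signature(re.compile(pattern), description))
    return sigs


MAPS_PATH_FIELD = 5  # address perms offset dev inode pathname


def mapped_files(maps_text: str) -> list[str]:
    """Unique file pathnames from /proc/<pid>/maps, in first-seen order.
    Pseudo-mappings such as [heap], [stack], [vdso] are ignored."""
    seen: list[str] = []
    for line in maps_text.splitlines():
        fields = line.split(None, MAPS_PATH_FIELD)
        if len(fields) <= MAPS_PATH_FIELD:
            continue
        path = fields[MAPS_PATH_FIELD]
        if path.startswith("/") and path not in seen:
            seen.append(path)
    return seen


def scan_process(command: str, uid: int, pid: int, maps_text: str,
                 signatures: list[Signature]) -> list[Finding]:
    """Flag every mapped file whose *basename* fully matches a signature.
    The file's content is never read, which is exactly why a legitimate
    library that happens to carry a listed name trips the check."""
    findings = []
    for path in mapped_files(maps_text):
        name = os.path.basename(path.removesuffix(" (deleted)"))
        for sig in signatures:
            if sig.pattern.fullmatch(name):
                findings.append(Finding(command, uid, pid, path, sig.description))
    return findings


def format_warning(findings: list[Finding]) -> str:
    """Render findings in the layout of the rkhunter.log excerpt quoted above."""
    lines = ["Warning: The following processes are using suspicious files:"]
    for f in findings:
        lines += [f"         Command: {f.command}",
                  f"           UID: {f.uid}    PID: {f.pid}",
                  f"           Pathname: {f.pathname}",
                  f"           Possible Rootkit: {f.description}"]
    return "\n".join(lines)


# Constructed /proc/7331/maps excerpt for an sshd process; not a real capture.
SAMPLE_MAPS_1_9 = """\
55d0a0c00000-55d0a0c20000 r--p 00000000 fd:01 393305 /usr/sbin/sshd
7f3c1a2b0000-7f3c1a2b2000 r--p 00000000 fd:01 131461 /lib/x86_64-linux-gnu/libkeyutils.so.1.9
7f3c1a2b2000-7f3c1a2b5000 r-xp 00002000 fd:01 131461 /lib/x86_64-linux-gnu/libkeyutils.so.1.9
7f3c1a400000-7f3c1a5c0000 r--p 00000000 fd:01 131072 /lib/x86_64-linux-gnu/libc.so.6
7ffd3c000000-7ffd3c021000 rw-p 00000000 00:00 0      [stack]
"""
# Constructed: identical mappings, only the library's filename differs.
SAMPLE_MAPS_OTHER = SAMPLE_MAPS_1_9.replace("libkeyutils.so.1.9", "libkeyutils.so.1.8")
# Constructed: an unlinked file whose name is on the list still matches.
SAMPLE_MAPS_DELETED = """\
55d0a0c00000-55d0a0c20000 r-xp 00000000 fd:01 393306 /tmp/.IptabLex (deleted)
"""

if __name__ == "__main__":
    sigs = parse_signatures(SIGNATURE_LIST)
    print(format_warning(scan_process("sshd", 0, 7331, SAMPLE_MAPS_1_9, sigs)))
    print("hits after renaming the file:",
          len(scan_process("sshd", 0, 7331, SAMPLE_MAPS_OTHER, sigs)))
```

Running it reproduces the quoted warning for the .so.1.9 mapping and reports zero hits for the byte-identical library under another name, which is the whole false-positive mechanism: nothing about the file is inspected beyond its name. The " (deleted)" case is included because a genuine dropper that unlinks itself after mapping is the situation such a name list is meant to catch.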