Bug 1517387 - rkhunter --propupd delivering 100% missing hashes
Summary: rkhunter --propupd delivering 100% missing hashes
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: rkhunter
Version: 27
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Kevin Fenzi
QA Contact: Fedora Extras Quality Assurance
Reported: 2017-11-24 19:37 UTC by GMS
Modified: 2017-12-10 05:06 UTC

Fixed In Version: rkhunter-1.4.4-5.fc27
Last Closed: 2017-12-10 05:06:35 UTC


Attachments:
problem analysis and a solution hack (deleted), 2017-11-24 19:37 UTC, GMS

Description GMS 2017-11-24 19:37:44 UTC
Created attachment 1358747
problem analysis and a solution hack

Description of problem:

Running "rkhunter --propupd" reports "... found 137, missing hashes 137".
It implies that subsequent rkhunter tests will be compromised.

Version-Release number of selected component (if applicable):

rkhunter-1.4.4-4.fc27.noarch

How reproducible:

See above

Steps to Reproduce:

As root run
rkhunter --propupd

Actual results:

[ Rootkit Hunter version 1.4.4 ]
File updated: searched for 174 files, found 137, missing hashes 137

Expected results:

[ Rootkit Hunter version 1.4.4 ]
File updated: searched for 174 files, found 137

Additional info:

See attachment (problem new since upgrade to Fedora 27; implies
an incompatibility in the new rpm's or fc27 packaging)
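
The summary line quoted under "Actual results" can be checked automatically, so that a property database written without hashes is caught before later scans rely on it. The following is an added example, not part of the original report or of rkhunter; the function name `check_propupd` and its exit codes are assumptions chosen for the illustration, and the sample lines are the ones quoted above.

```shell
#!/bin/sh
# Added example: gate on the summary line printed by "rkhunter --propupd".
# Exit codes (chosen for this example):
#   0 = every found file has a stored hash
#   1 = one or more found files have no stored hash
#   2 = no summary line was seen at all

check_propupd() {
    # Reads the output of "rkhunter --propupd" on stdin.
    summary=$(grep -E 'File updated: searched for [0-9]+ files, found [0-9]+' | tail -n 1)
    if [ -z "$summary" ]; then
        echo "propupd: no summary line found" >&2
        return 2
    fi

    # Pull the two counters out of the summary line.
    found=$(printf '%s\n' "$summary" | sed -n 's/.*found \([0-9][0-9]*\).*/\1/p')
    missing=$(printf '%s\n' "$summary" | sed -n 's/.*missing hashes \([0-9][0-9]*\).*/\1/p')
    # A healthy run prints no "missing hashes" field; treat that as zero.
    missing=${missing:-0}

    if [ "$missing" -gt 0 ]; then
        echo "propupd: $missing of $found files have no stored hash" >&2
        return 1
    fi
    echo "propupd: $found files, all with hashes"
    return 0
}

# Demo on the output quoted in this report (rkhunter-1.4.4-4.fc27).
printf '%s\n' \
    '[ Rootkit Hunter version 1.4.4 ]' \
    'File updated: searched for 174 files, found 137, missing hashes 137' \
    | check_propupd || echo "exit status $?"

# Real use: rkhunter --propupd | check_propupd
```

A partially hashed baseline (missing count below the found count) is also reported with exit status 1, since any file without a stored hash is not covered by the later property comparison.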

Comment 1 Kevin Fenzi 2017-11-24 21:39:28 UTC
Would you be willing to file this upstream on the rkhunter list? 

rkhunter-users@lists.sourceforge.net

Otherwise I can try and take a look and do so.

Comment 2 GMS 2017-11-25 13:35:37 UTC
(In reply to Kevin Fenzi from comment #1)
> Would you be willing to file this upstream on the rkhunter list? 
> 
> rkhunter-users@lists.sourceforge.net
> 
> Otherwise I can try and take a look and do so.

My issue is that I don't really see it as an rkhunter issue.
It happens because the rpm packaging CHANGED between fc26 and
fc27. As I don't know HOW the "header tag ARCH" wandered off
files and became a package tag (or if rpm just "condenses" it
from files into 1 property, or ...?) I would really like it
if somebody could figure that point out first. Is it something
you can change during the packaging? Is it an error in the
current rpm version? Is it Fedora-specific? It doesn't seem
to make sense to change rkhunter if there is a bad rpm version
out there. Of course if this is a part of rpm flexibility -
a feature - then by all means rkhunter should be changed.
And yes, my changes are a hack. I should use ${BLA} and instead
of "::" there should be a better placeholder and one should first
check how many values come for ARCH and the other items and...

Comment 3 Kevin Fenzi 2017-11-26 19:21:28 UTC
Yeah, so this was an intended change in rpm. The fix is just to add = in front of the ARCH querystring to get it to report for each other element of the array. 

I'll talk to upstream about the fix here and see about pushing out an update. 

Thanks for the bug report...

Comment 4 GMS 2017-11-27 13:01:27 UTC
(In reply to Kevin Fenzi from comment #3)
> Yeah, so this was an intended change in rpm. The fix is just to add = in
> front of the ARCH querystring to get it to report for each other element of
> the array. 
> 
> I'll talk to upstream about the fix here and see about pushing out an
> update. 
> 
> Thanks for the bug report...

Ah. That's interesting. Looking at it I can see the following behaviour:

--queryformat '[%{FILEMODES:octal}:...:%{ARCH}:...:%{FILENAMES}\n]'

under fc26 delivers value "(none)" for ARCH, but runs
under fc27 dies

--queryformat '[%{FILEMODES:octal}:...:%{=ARCH}:...:%{FILENAMES}\n]'

delivers the proper ARCH under both fc26 and fc27

CAVEAT: --queryformat '[%{=ARCH}\n]' gives a NULL response (no result)
  while --queryformat '[%{ARCH}\n]' gives a proper ARCH response
for both fc26 and fc27

Cheers,  George

Comment 5 Fedora Update System 2017-11-28 03:03:24 UTC
rkhunter-1.4.4-5.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-3963fa646c

Comment 6 Fedora Update System 2017-11-29 01:46:17 UTC
rkhunter-1.4.4-5.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-3963fa646c

Comment 7 Fedora Update System 2017-12-10 05:06:35 UTC
rkhunter-1.4.4-5.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

