ports/68029: chkrootkit 0.43 (ports/security/chkrootkit) false positive on FreeBSD 4.10-RELEASE

KOJIMA Hajime kjm at rins.ryukoku.ac.jp
Thu Jun 17 03:50:33 UTC 2004


>Number:         68029
>Category:       ports
>Synopsis:       chkrootkit 0.43 (ports/security/chkrootkit) false positive on FreeBSD 4.10-RELEASE
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jun 17 03:50:25 GMT 2004
>Closed-Date:
>Last-Modified:
>Originator:     KOJIMA Hajime
>Release:        FreeBSD 4.10-RELEASE i386
>Organization:
Ryukoku University
>Environment:
System: FreeBSD yukikaze.st.ryukoku.ac.jp 4.10-RELEASE FreeBSD 4.10-RELEASE #0: Wed Jun 9 19:31:58 JST 2004 kjm at yukikaze2.st.ryukoku.ac.jp:/usr/obj/usr/src/sys/YUKIKAZE i386

>Description:

    chkrootkit 0.43 (ports/security/chkrootkit) on FreeBSD 4.10-RELEASE 
    reports as:

Checking `chfn'... INFECTED
Checking `chsh'... INFECTED
Checking `date'... INFECTED

    but the chfn / chsh / date commands are not infected.
    It's a false positive.
	
>How-To-Repeat:

    Run the /usr/local/sbin/chkrootkit script.
	
>Fix:

--- chkrootkit	Thu Jun 17 12:14:25 2004
+++ chkrootkit	Thu Jun 17 12:17:33 2004
@@ -2401,6 +2401,12 @@
    V=44
 else
    V=`echo $VERSION | cut -d- -f 1 | ${sed} 's/\.//g'`
+
+   # fix for FreeBSD 4.10-RELEASE and later
+   V2=`echo $VERSION | cut -d- -f 1 | ${sed} 's/\..*//g'`
+   if [ "${SYSTEM}" = "FreeBSD" -a $V -gt 400 -a $V2 = 4 ]; then
+      V=49
+   fi
 fi
 
 # ps command
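
Review bot: The added test `$V -gt 400 -a $V2 = 4` cannot tell 4.10 from a three-component 4.x version, because stripping the dots turns 4.10 into 410 and 4.1.1 into 411, and both are then pinned to V=49. Extracting the minor number on its own (for example with `cut -d. -f2`) and comparing that against 10 would make the intent explicit and avoid the collision. `$V` and `$V2` are also unquoted inside `[ ... ]`, so an empty VERSION yields a test syntax error instead of a clean false; quote them the same way `"${SYSTEM}"` is quoted. The comment should also say why 49 is the chosen value, since the magic numbers 400 and 49 are not self-explanatory.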
>Release-Note:
>Audit-Trail:
>Unformatted:


