From: Warner Losh
Date: Wed, 7 Jul 2021 13:49:36 -0600
Subject: Re: security/rkhunter without hashes after recent STABLE-13 update
To: Michael Grimm
Cc: FreeBSD-STABLE Mailing List, FreeBSD ports, lukasz@wasikowski.net, Stefan Esser
List-Archive: https://lists.freebsd.org/archives/freebsd-stable

On Wed, Jul 7, 2021 at 12:47 PM Michael Grimm wrote:

> Warner Losh wrote:
> > On Wed, Jul 7, 2021 at 9:26 AM Michael Grimm wrote:
> >> Warner Losh wrote:
>
> >>> What's the hash that you have at n246157? I think it should be fd5b08977630.
> >>
> >> No, it's stable/13-n246157-fd5b0897763
> >>
> >> I will give a n246188+ user land a try, and ...
> >
> > Great. Please do let me know... I started this for compatibility so I
> > didn't have to keep hacking simple scripts for FreeBSD and if something
> > is screwed up that means it's falling short of the goal...
> >
> >>> So the change is expected, but if the change to all the *sum programs is
> >>> incompatible still, I know I'd like to know (as I'm sure se@ would as
> >>> well). All the *sum programs are very new and designed to be 100%
> >>> compatible with the linux versions and if they aren't that needs to be
> >>> fixed.
> >>
> >> … I will report back.
> >
> > Excellent!
>
> I am running stable/13-n246205-9e06b34bb5d, now.
>
> But I do have to report that rkhunter is still lacking to calculate hashes
> when using sha256sum instead of sha256.
>
> In a previous mail you wrote: "I recently added the 'sum' variations".
> Does that mean that sha256sum (et al.) didn't exist before? That could
> explain why rkhunter didn't fail before.
>

Yes. It was merged in commit c0d5665be0 on June 28th.

> Example output:
>
> KBN> sha256 crontab.mike
> SHA256 (test.dat) = 829f9293639f1a590757bf3eaa369c102b071ef450d3f196e29d5c810f23a2c9
>
> KBN> sha256sum test.dat
> 829f9293639f1a590757bf3eaa369c102b071ef450d3f196e29d5c810f23a2c9  test.dat
>
> If I am not mistaken does rkhunter cut that output string into relevant
> junks. In both cases the hash is at different positions, though ...
>

That output looks right to my eye. I see identical output between my
ubuntu VMs and my freebsd box.

> > Sorry for any hassle this work is causing.
>
> No big deal for rkhunter, a workaround exists ;-)
>

I think the reason is that it automatically switched to using sha256sum
because it was present, but it didn't automatically change #HASH_FLD_IDX=4
to be 1. The shell script is tricky enough that I've not looked through it all.
I'd argue this is a bug in the get_sha_hash_function which doesn't adjust
the HASH_FLD_IDX based on which version it finds. Instead, it sets it
unconditionally to 4 on *BSD or DragonFly.

Warner

P.S. I think it needs something like the following updated patch-files_rkhunter
and/or changes upstream. I don't know what this port does, apart from what
I've just read. Can you see if this fixes this?
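
The field-position mismatch described in the message above, shown as an added example; it is not part of the original message, not the patch referred to in the P.S., and not rkhunter's code. The function names `field_of`, `is_sha256` and `pick_hash_field` are hypothetical, and the two sample lines are constructed from the example output quoted in the thread. The sketch validates the extracted field as a digest, so a wrong index is detected rather than producing an empty hash.

```sh
#!/bin/sh
# Added illustration: not rkhunter code and not the patch mentioned in the P.S.
# Sample lines are constructed from the example output quoted in the thread.
BSD_LINE='SHA256 (test.dat) = 829f9293639f1a590757bf3eaa369c102b071ef450d3f196e29d5c810f23a2c9'
SUM_LINE='829f9293639f1a590757bf3eaa369c102b071ef450d3f196e29d5c810f23a2c9  test.dat'

# field_of LINE IDX: print whitespace-separated field IDX of LINE (empty if absent).
field_of() {
    printf '%s\n' "$1" | awk -v i="$2" '{ print $i }'
}

# is_sha256 STR: succeed only if STR is exactly 64 hexadecimal digits.
is_sha256() {
    [ "${#1}" -eq 64 ] || return 1
    case "$1" in
        *[!0-9a-fA-F]*) return 1 ;;
    esac
    return 0
}

# pick_hash_field LINE: print the field index (1 or 4, the two values named in
# the message) whose content is a valid digest; fail if neither is.
pick_hash_field() {
    for idx in 1 4; do
        if is_sha256 "$(field_of "$1" "$idx")"; then
            echo "$idx"
            return 0
        fi
    done
    return 1
}

# Show the mismatch: a fixed index of 4 yields nothing for *sum-style output.
for line in "$BSD_LINE" "$SUM_LINE"; do
    printf 'fixed idx 4 -> "%s"; detected idx -> %s\n' \
        "$(field_of "$line" 4)" "$(pick_hash_field "$line")"
done
```

Because the index is derived from the output line itself, the same check holds whichever of the two tools is found first on the path.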