From: Warner Losh
Date: Wed, 7 Jul 2021 14:35:11 -0600
Subject: Re: security/rkhunter without hashes after recent STABLE-13 update
To: Michael Grimm
Cc: FreeBSD-STABLE Mailing List, FreeBSD ports, lukasz@wasikowski.net, Stefan Esser
List-Archive: https://lists.freebsd.org/archives/freebsd-stable

On Wed, Jul 7, 2021 at 2:24 PM Michael Grimm wrote:

> Warner Losh wrote:
> >
> > On Wed, Jul 7, 2021 at 12:47 PM Michael Grimm wrote:
> >> Warner Losh wrote:
> >
> >>> Sorry for any hassle this work is causing.
> >>
> >> No big deal for rkhunter, a workaround exists ;-)
> >
> > I think the reason is that it automatically switched to using sha256sum
> > because it was present, but it didn't automatically change #HASH_FLD_IDX=4
> > to be 1. The shell script is tricky enough that I've not looked through it
> > all. I'd argue this is a bug in the get_sha_hash_function which doesn't
> > adjust the HASH_FLD_IDX based on which version it finds. Instead, it sets
> > it unconditionally to 4 on *BSD or DragonFly.
> >
> > Warner
> >
> > P.S. I think it needs something like the following updated
> > patch-files_rkhunter and/or changes upstream. I don't know what this port
> > does, apart from what I've just read. Can you see if this fixes this?
>
>
> Your rkhunter script seems to be different to mine …
>
> MWN> patch < rkhunter.diff
> Hmm... Looks like a unified diff to me…
> The text leading up to this was:
> --------------------------
> |--- files/rkhunter.orig 2018-02-24 16:08:27.000000000 -0700
> |+++ files/rkhunter 2021-07-07 13:38:56.094378000 -0600
> --------------------------
> Patching file rkhunter using Plan A…
> Hunk #1 succeeded at 4751.
> Hunk #2 failed at 7525.
> Hunk #3 succeeded at 19734 (offset 3 lines).
> Hunk #4 failed at 19810.
> 2 out of 4 hunks failed--saving rejects to rkhunter.rej
> done
>
> But anyway, you nailed it! That fixes rkhunter. It will now produce hashes
> for both /sbin/sha256 and /sbin/sha256sum.
>
> The attached patch (diff to new rkhunter script with both succeeding
> hunks) will work for the rkhunter-1.4.6 script.
>

Great! I see you've cc'd lukasz. I'll assume that he can commit it, but if
there's an issue, please let me know!

Warner

> Thanks and with kind regards,
> Michael
>
>
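
The field-index mismatch discussed in this thread, as an added example (not rkhunter's code and not the patch exchanged above): the digest is field 4 in BSD-style `sha256` output and field 1 in `sha256sum` output, so the index has to follow the command that was found. The function names and the sample lines are constructed for illustration.

```sh
#!/bin/sh
# Added example; hash_field_idx, field_at and extract_sha256 are hypothetical names.

# Constructed sample output. DIGEST is the SHA-256 of empty input.
DIGEST=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
BSD_LINE="SHA256 (/tmp/sample) = $DIGEST"   # format printed by sha256
GNU_LINE="$DIGEST  /tmp/sample"             # format printed by sha256sum

# Pick the digest field from the command name, not from the OS.
hash_field_idx() {
    case "${1##*/}" in
        sha256sum|sha1sum|sha512sum|md5sum) echo 1 ;;
        sha256|sha1|sha512|md5)             echo 4 ;;
        *) return 1 ;;
    esac
}

# Print whitespace-separated field $1 of line $2 (empty if absent).
field_at() {
    printf '%s\n' "$2" | awk -v i="$1" '{ print $i }'
}

# Extract a SHA-256 digest and reject anything that is not exactly
# 64 hex characters, so a wrong index cannot record an empty hash.
extract_sha256() {
    cmd=$1
    line=$2
    idx=$(hash_field_idx "$cmd") || return 1
    digest=$(field_at "$idx" "$line")
    case "$digest" in
        ''|*[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "${#digest}" -eq 64 ] || return 1
    printf '%s\n' "$digest"
}

# The failure mode from the thread: index 4 applied to sha256sum output.
echo "field 4 of sha256sum line: '$(field_at 4 "$GNU_LINE")'"
echo "sha256:    $(extract_sha256 /sbin/sha256 "$BSD_LINE")"
echo "sha256sum: $(extract_sha256 /sbin/sha256sum "$GNU_LINE")"
```

The length and hex check matters for a file-integrity baseline: without it, a wrong index stores empty values instead of failing.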