Bug#1049411: chkrootkit: Possible Adore Worm in ansible
Santiago Vila
Aug 15, 2023, 8:00:05 AM
Package: chkrootkit
Version: 0.54-1
Dear maintainer:
On a Debian system with ansible and chkrootkit installed,
chkrootkit warns that ansible has possibly the Adore Worm.
This is the output from Debian 12:
Searching for Adore Worm... WARNING
WARNING: Possible Adore Worm installed:
/usr/lib/python3/dist-packages/ansible_collections/cyberark/conjur/dev/start.sh
(But I noticed this happens at least since Debian 11, so I'm using the Version from
bullseye accordingly).
Thanks.
Richard Lewis
Aug 28, 2023, 11:40:05 AM
On Tue, 15 Aug 2023 at 12:51, Santiago Vila <san...@debian.org> wrote:
> On a Debian system with ansible and chkrootkit installed,
> chkrootkit warns that ansible has possibly the Adore Worm.
> WARNING: Possible Adore Worm installed:
> /usr/lib/python3/dist-packages/ansible_collections/cyberark/conjur/dev/start.sh
The test from upstream simply flags any file under /usr/lib that is named start.sh as a possible Adore Worm. This is a classic example of a false positive -- ansible seems to be the only package providing such a file, so it is best to leave users to filter or change the report to ignore or hide the message: see /usr/share/doc/chkrootkit/README.FALSE-POSITIVES.gz for various ways to do this.
We can add this as an example to that file. One thing we could also do is to have chkrootkit check if files are from packages with 'dpkg -S', which would give the user more information about where files came from.
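One way to do the 'dpkg -S' lookup suggested in the reply above, as an added example that is not chkrootkit's code and not part of the thread. It goes one step further than the suggestion by also running 'dpkg --verify' on the owning package; the function names and the --stdin switch are hypothetical.

```shell
#!/bin/sh
# Added example: triage chkrootkit findings against the dpkg database.
# Function names are hypothetical; dpkg -S and dpkg --verify are the real tools.

# chkrootkit output quoted in the bug report above.
SAMPLE_REPORT='Searching for Adore Worm... WARNING
WARNING: Possible Adore Worm installed:
/usr/lib/python3/dist-packages/ansible_collections/cyberark/conjur/dev/start.sh'

# Print the absolute paths listed under a "WARNING: Possible ... installed:" line.
flagged_paths() {
    awk '/^WARNING: Possible .* installed:/ { grab = 1; next }
         grab && /^\//                      { print; next }
                                            { grab = 0 }'
}

# Print the owning package(s) of a path; print nothing if dpkg does not know it.
owner_of() {
    line=$(dpkg -S "$1" 2>/dev/null | grep -v '^diversion ' | head -n 1)
    [ -n "$line" ] && printf '%s\n' "${line%%: /*}"
    return 0
}

# Classify one path as UNOWNED, MODIFIED (fails dpkg --verify) or OK.
classify() {
    owner=$(owner_of "$1")
    if [ -z "$owner" ]; then
        printf 'UNOWNED %s\n' "$1"
        return 0
    fi
    for pkg in $(printf '%s' "$owner" | tr ',' ' '); do
        # dpkg --verify prints only files that differ from the package metadata.
        if dpkg --verify "$pkg" 2>/dev/null |
            awk -v p="$1" '$NF == p { hit = 1 } END { exit !hit }'; then
            printf 'MODIFIED %s (%s)\n' "$1" "$pkg"
            return 0
        fi
    done
    printf 'OK %s (%s)\n' "$1" "$owner"
}

# Read chkrootkit output on stdin and classify every flagged path.
triage() {
    flagged_paths | while IFS= read -r p; do classify "$p"; done
}

# Usage: chkrootkit 2>&1 | sh triage.sh --stdin
if [ "${1:-}" = "--stdin" ]; then triage; fi
```

An OK result is only as trustworthy as the local dpkg database under /var/lib/dpkg, so on a host that is already suspect, compare the file against a freshly downloaded copy of the package instead.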