Bug 1234420 - chkrootkit warnings - l2cap
Summary: chkrootkit warnings - l2cap
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: chkrootkit
Version: 22
Hardware: Unspecified
OS: Unspecified
unspecified
low
Target Milestone: ---
Assignee: Gwyn Ciesla
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-06-22 14:02 UTC by DaveG
Modified: 2016-06-30 21:29 UTC (History)
5 users (show)

Fixed In Version: chkrootkit-0.50-8.fc22 chkrootkit-0.50-8.fc23 chkrootkit-0.50-8.fc24
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-06-30 14:52:37 UTC


Attachments (Terms of Use)

Description DaveG 2015-06-22 14:02:40 UTC
Description of problem:
Running chkrootkit generates a number of warnings:

warning, got bogus l2cap line.

Version-Release number of selected component (if applicable):
chkrootkit-0.50-4.fc22.x86_64
net-tools-2.0-0.31.20141124git.fc22.x86_64

How reproducible:
Install and run chkrootkit on a host with bluetooth support.

Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
chkrootkit is a set of bash scripts and uses netstat to look for network connections.

The warning comes from each invocation of netstat and can be produced by:

netstat -an --protocol=bluetooth
which produces:
Active Bluetooth connections (servers and established)
Proto  Destination       Source            State         PSM DCID   SCID      IMTU    OMTU Security
warning, got bogus l2cap line.
Proto  Destination       Source            State     Channel
netstat: no support for `AF BLUETOOTH' on this system.


Suggested fix:
Change netstat invocations to limit listing to the address family of interest.
Or, since net-tools is "end of life", switch to using ss from iproute.

Comment 1 Robert Story 2015-07-30 16:16:18 UTC
I think the component for this bug should be netstat, no chkrootkit, since that's where the issue lies. I'm seeing the same warning for netstat on F21 (net-tools-2.0-0.31.20141124git.fc21.x86_64).

# netstat -l
...
Active Bluetooth connections (only servers)
Proto  Destination       Source            State         PSM DCID   SCID      IMTU    OMTU Security
warning, got bogus l2cap line.
warning, got bogus l2cap line.
warning, got bogus l2cap line.
warning, got bogus l2cap line.
warning, got bogus l2cap line.

Comment 2 DaveG 2015-08-02 11:05:55 UTC
I filed the bug against chkrootkit after seeing that net-tools package (netstat) was marked "end of life" and is not likely to be updated in Fedora or upstream. I can live with errors from netstat since it is generally used interactively but error output from a root-kit scanner may cause unnecessary alarm.

I have "fixed" my own version by restricting the netstat protocol options but I'm no root-kit expert so I don't know if the affected Trojans only use IPv4/IPv6.

Quick fix:
- OPT=-an
+ OPT=-an46
in 4 places in chkrootkit script. One instance is quoted.

That fixes things for netstat for now but switching to ss would take considerably more effort.

Comment 3 Sergio Monteiro Basto 2015-08-17 01:10:09 UTC
Hi,

(In reply to DaveG from comment #2)
> I filed the bug against chkrootkit after seeing that net-tools package
> (netstat) was marked "end of life" and is not likely to be updated in Fedora
> or upstream.

what will be the netstat replacement ? 

Thanks,

Comment 4 manuel wolfshant 2015-08-17 06:55:32 UTC
(In reply to Sergio Monteiro Basto from comment #3)
> Hi,
> 
> (In reply to DaveG from comment #2)
> > I filed the bug against chkrootkit after seeing that net-tools package
> > (netstat) was marked "end of life" and is not likely to be updated in Fedora
> > or upstream.
> 
> what will be the netstat replacement ? 
> 
ss

Comment 5 DaveG 2015-08-17 08:24:10 UTC
Yes, 'ss' from the iproute package. Similar output but different format.

Comment 6 Sergio Monteiro Basto 2015-08-19 22:44:51 UTC
Thanks  :)

Comment 7 Gwyn Ciesla 2016-06-20 14:35:51 UTC
Does this still occur with ss?

Comment 8 Fedora Update System 2016-06-20 20:09:39 UTC
chkrootkit-0.50-8.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-b93b991ea4

Comment 9 Fedora Update System 2016-06-20 20:09:50 UTC
chkrootkit-0.50-8.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-6c1a60982e

Comment 10 Fedora Update System 2016-06-20 20:09:57 UTC
chkrootkit-0.50-8.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-533e10ae24

Comment 11 Fedora Update System 2016-06-22 02:26:50 UTC
chkrootkit-0.50-8.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-533e10ae24

Comment 12 Fedora Update System 2016-06-22 02:27:18 UTC
chkrootkit-0.50-8.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-b93b991ea4

Comment 13 Fedora Update System 2016-06-22 02:55:19 UTC
chkrootkit-0.50-8.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-6c1a60982e

Comment 14 Fedora Update System 2016-06-30 14:52:30 UTC
chkrootkit-0.50-8.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2016-06-30 19:53:17 UTC
chkrootkit-0.50-8.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 16 Fedora Update System 2016-06-30 21:29:10 UTC
chkrootkit-0.50-8.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.