chkrootkit.x86_64 0.57-8.fc42 when invoked with redirection (2>&1 >otherfilename) creates a spurious empty file called "1" Problem occurs no matter if /usr/bin/chrootkit, /usr/sbin/chrootkit or /usr/lib64/chkrootkit-0.57/chkrootkit are invoked. Shell being used is /bin/bash (5.2.37(1)-release / bash.x86_64 5.2.37-1.fc42) My invocation is usually via cron, but occurs outside of cron too. Reproducible: Always Steps to Reproduce: 1. /usr/lib64/chkrootkit-0.57/chkrootkit 2>&1 >chkrootkit.$DATE 2. ls -l 1 -rw-rw----. 1 root root 0 Apr 28 13:13 1 3. This would seem to be some kind of redirection interpretation occurring within the shell script that does not act as expected. Actual Results: Empty file called "1" created that should not happen. Expected Results: No spurious file creation. Additional Information: I cannot reproduce this behaviour with any other shell scripts I use. Placing the redirection after the destination file also does not affect the behaviour, eg. /usr/lib64/chkrootkit-0.57/chkrootkit >chkrootkit.$DATE 2>&1 Notably chkrootkit-0.57-8.fc42 was installed on the 24th April, & the run of it just prior to that event (0.57-8) created the spurious file in /usr/lib64/chkrootkit-0.57 ls -l /usr/lib64/chkrootkit-0.57/1 -rw-rw----. 1 root root 0 Apr 24 03:12 1 now it's created in the directory where the command is invoked. So it's possible that the problem was actually in the invocation through consolehelper, although I thought I'd proved that was not the case by invoking /usr/lib64/chkrootkit-0.57/chkrootkit directly. Also I started getting this PAM error when chkrootkit-0.57-8.fc42 was installed... Apr 25 03:16:03 XXXXXX userhelper[181829]: pam_timestamp(chkrootkit:session): updated timestamp file `/var/run/pam_timestamp/root/unknown' Apr 25 03:16:03 XXXXXX userhelper[181830]: running '/usr/lib64/chkrootkit-0.57/chkrootkit' with root privileges on behalf of 'root' in /var/log/secure when it's run via "userhelper" but not when invoked directly (as root from a cron job) I assume this is when chkrootkit started using the "userhelper"/"consolehelper"(symlink) I also now realise that the previous version was chkrootkit-0:0.57-7.fc41 ie. I was previously running FC41.
I had not noticed the file /usr/lib64/chkrootkit-0.57/1 being created in that place (why would I?) but now it's somewhere I don't expect it...
Looks like this is fixed in 0.58 b, I'll get that out.
FEDORA-2025-9d30a80218 (chkrootkit-0.58-0b.fc42) has been submitted as an update to Fedora 42. https://bodhi.fedoraproject.org/updates/FEDORA-2025-9d30a80218
FEDORA-2025-63ecf7fc82 (chkrootkit-0.58-0b.fc41) has been submitted as an update to Fedora 41. https://bodhi.fedoraproject.org/updates/FEDORA-2025-63ecf7fc82
FEDORA-2025-9d30a80218 has been pushed to the Fedora 42 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-9d30a80218` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-9d30a80218 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2025-63ecf7fc82 has been pushed to the Fedora 41 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-63ecf7fc82` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-63ecf7fc82 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Thanks. I assume you just mean the "1" file creation problem? The pam errors are expected? or related to an additional pam problem?
That's correct; I can't reproduce the pam errors.
The pam error, (chkrootkit:session): updated timestamp file `/var/run/pam_timestamp/root/unknown' occurs if the symlinks (/usr/bin/chkrootkit or /usr/sbin/chkrootkit) are used from a cron script & are generated by "userhelper". So I guess if I continue to use the symlinks (which I'll now avoid) I'll have to report it as a bug against userhelper.
FEDORA-2025-9d30a80218 (chkrootkit-0.58-0b.fc42) has been pushed to the Fedora 42 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2025-63ecf7fc82 (chkrootkit-0.58-0b.fc41) has been pushed to the Fedora 41 stable repository. If problem still persists, please make note of it in this bug report.
Sorry to reopen, but... The file /usr/lib64/chkrootkit-0.57/1 persists & is not removed along with the dir. /usr/lib64/chkrootkit-0.57 by the install of chkrootkit-0.58-0b Of course it's easy to remove, if you know about it.