Bug 67606

Summary: expandrepeats can cause resource exhaustion
Product: [Retired] Red Hat Linux
Reporter: Martin Pool <mbp>
Component: logwatch
Assignee: Elliot Lee <sopwith>
Status: CLOSED RAWHIDE
Severity: high
Priority: medium
Version: 7.2
Hardware: i686
OS: Linux
Doc Type: Bug Fix
Last Closed: 2002-06-28 03:45:21 UTC

Description Martin Pool 2002-06-28 03:45:17 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.0) Gecko/20020615 Debian/1.0.0-3

Description of problem:
One of the scripts in logwatch tries to expand lines like

  previous message repeated 110229 times

into 110230 repetitions of the line in a temporary file.  If there are many such
messages, or if the counts are very large, then the machine can run out of disk
space or even VM.  

This occurred on one of our machines when it was apparently attacked by somebody
looking for CDE or portmapper vulnerabilities -- it received many thousands of
probe packets, which were detected and logged by portsentry via syslogd.  So far
so good.  However, when the cron job ran, the machine worked itself into a state
of near exhaustion trying to expand the log file entries.  So what should have
been a minor security warning turned into a major problem for machine
availability.  At the point where I interrupted it, the temporary file was 60GB
(sparse) and growing.

You can imagine a malicious local user provoking the bug by just writing a
single syslog message that looks like an enormous repeat count.

It seems to me that this is a design flaw in logwatch.  I think we will just
turn it off for the time being.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Do something to get a "previous message repeated n times" message in
/var/log/messages, for large n
2. Start the cron job

Actual Results:  Machine grinds to a halt, with an enormous tmp file

Expected Results:  Should have got the regular warning message, but without
using so much disk space.

Additional info:

Possibly this has been fixed in a later version of logwatch?  I don't know
because their web site seems to be unreachable at the moment.

Comment 1 Elliot Lee 2002-07-11 19:06:33 UTC
Fixed in 2.6-6 (removed expandrepeats)
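
An added example, not part of the bug report and not logwatch's code: one way to account for repeat markers by adding the claimed count to a per-message tally instead of writing the line out N times, with a cap because log content is untrusted. The function name, the cap value, the line regex and the sample log lines are assumptions made for illustration.

```python
import re
from collections import Counter

# Classic syslogd writes "last message repeated N times"; the report quotes the
# marker as "previous message repeated N times", so both spellings are accepted.
LINE = re.compile(r"^\w{3}\s+\d+\s[\d:]{8}\s(\S+)\s(.*)$")
REPEAT = re.compile(r"^(?:last|previous) message repeated (\d+) times$")

def summarize(lines, max_repeat=1_000_000):
    """Count messages per (host, text) without materializing repeats.

    Returns (counts, warnings). Memory grows with the number of distinct
    messages, never with the repeat count claimed inside the log.
    """
    counts, warnings = Counter(), []
    last_key = {}  # host -> key of the most recent real message
    for lineno, raw in enumerate(lines, 1):
        m = LINE.match(raw.rstrip("\n"))
        if not m:
            continue  # not a syslog-formatted line
        host, text = m.groups()
        rep = REPEAT.match(text)
        if rep is None:
            last_key[host] = (host, text)
            counts[last_key[host]] += 1
            continue
        n = int(rep.group(1))
        if host not in last_key:
            warnings.append(f"line {lineno}: repeat marker with no preceding message")
            continue
        if n > max_repeat:
            # The count is attacker-controllable text: cap it and report it.
            warnings.append(f"line {lineno}: repeat count {n} capped at {max_repeat}")
            n = max_repeat
        counts[last_key[host]] += n
    return counts, warnings

# Constructed sample input (host name, addresses and messages are made up).
SAMPLE = [
    "Jun 28 03:10:01 gw portsentry[412]: attackalert: Connect from host: 192.0.2.7 to TCP port: 111",
    "Jun 28 03:10:09 gw last message repeated 110229 times",
    "Jun 28 03:11:00 gw sshd[900]: Accepted password for alice",
    "Jun 28 03:11:02 gw previous message repeated 99999999999999 times",
]

if __name__ == "__main__":
    totals, notes = summarize(SAMPLE)
    for (host, text), n in totals.most_common():
        print(f"{n:>8}  {host}  {text}")
    print("\n".join(notes))
```
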