Bug 246545 - Cups fills up logfiles if queue is turned on
Summary: Cups fills up logfiles if queue is turned on
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: cups   
(Show other bugs)
Version: 3.9
Hardware: All Linux
low
high
Target Milestone: ---
Assignee: Tim Waugh
QA Contact:
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2007-07-02 23:19 UTC by Stephen John Smoogen
Modified: 2018-10-19 19:48 UTC (History)
3 users (show)

Fixed In Version: RHSA-2008-0153
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-02-25 14:09:03 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2008:0153 normal SHIPPED_LIVE Important: cups security update 2008-02-25 14:08:58 UTC

Description Stephen John Smoogen 2007-07-02 23:19:50 UTC
Description of problem:

|  Case Information  |
---------------------------------------
Case Title       : cups client log fills up rapidly
Case Number      : 1589030
Case Open Date   : 25-JUN-2007


Version-Release number of selected component (if applicable):

cups-1.1.17-13.3.43

How reproducible:

100% if BrowsePoll is turned on.

Steps to Reproduce:
1. Set up a cups server
2. Set up client to use BrowsePoll
3. Watch logs fill up
  
The problem is with cups-polling.patch

+    fprintf(stderr, "DEBUG: %s found %d %s.\n", prefix, max_count,
+            op == CUPS_GET_PRINTERS ? "printers" : "classes");
+

+                type, state, uri, location, info, make_model);
+
+        fprintf(stderr, "DEBUG2: %s Sending %s", prefix, packet);

These do not look like they have been properly 'wrapped' so that log levels are
being used. This causes the logs to fill up as long as logs are active.

Comment 1 Tim Waugh 2007-07-03 10:01:52 UTC
+    fprintf(stderr, "DEBUG: %s found %d %s.\n", prefix, max_count,
+            op == CUPS_GET_PRINTERS ? "printers" : "classes");

This includes a newline at the end of the text.

+        fprintf(stderr, "DEBUG2: %s Sending %s", prefix, packet);

Here, 'packet' ends in a newline (see the snprintf statement directly above that
line):

        snprintf(packet, sizeof(packet), "%x %x %s \"%s\" \"%s\" \"%s\"\n",

What does this say?:

grep ^LogLevel /etc/cups/cupsd.conf


Comment 2 Stephen John Smoogen 2007-07-03 18:34:11 UTC
grep ^LogLevel /etc/cups/cupsd.conf
LogLevel info

E [03/Jul/2007:12:33:09 -0600] DEBUG2: [cups-polld 64.106.76.106:631] Sending 3
3 ipp://print2.unm.edu:631/classes/ljea3 "ESC 108" "ESC 108" "Local Printer Class"
E [03/Jul/2007:12:33:09 -0600] DEBUG2: [cups-polld 129.24.9.40:631] Sending 3 3
ipp://print.unm.edu:631/classes/ljea3 "ESC 108" "ESC 108" "Local Printer Class"

We get tons of these every minute.

The only way we could get it off was to set LogLevel 0

Comment 3 Tim Waugh 2007-07-05 11:49:00 UTC
Oh dear, sorry. :-(

Indeed, UpdatePolling() in dirsvc.c from cupsd does this to messages from
cups-polld:

    LogMessage(L_ERROR, "%s", buffer);

The fix would be to remove the cups-polld debug messages altogether.

Stephen, did you say you had filed a support request for this issue?

Comment 4 Stephen John Smoogen 2007-07-06 03:09:44 UTC
Yes... it is listed as 1589030. Its funny that I think my other bugzilla helped
cause this problem :).

Comment 7 Stephen John Smoogen 2008-01-30 02:24:10 UTC
Ok I am going to ask that this be moved to a security problem. Server had cups
turned on and filled up logs. We were then unable to get the logs of the people
who later broke into the server. 

Comment 8 Josh Bressers 2008-01-30 21:14:52 UTC
I'm most interested in how a remote attacker used CUPS to break into a server. 
We are not aware of any outstanding flaws in CUPS that could lead to this outcome.

Did you preserve an image of this machine by chance?

I'm not willing to call this a security bug given there are countless ways to
fill up server log files.  A diligent admin should keep an eye on things like
disk space.

If you think I'm missing something here, please do let me know.

Comment 9 Stephen John Smoogen 2008-01-30 21:45:26 UTC
Sorry.. the break in was unrelated to cups... but cups made it impossible to
figure out what was going on the system.

The breakin probably occurred due to bad password. However all the logging
programs were not able to say what/who did it. The issue is that currently if
you have cups turned on with browsepoll, it can fill up a gig in a day or two
due to this BUG in it. Box was built on Friday, box was broken into over
weekend, and all I have is a couple hundred megs of cups logs. 

Comment 17 errata-xmlrpc 2008-02-25 14:09:03 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2008-0153.html



Note You need to log in before you can comment on or make changes to this bug.