From Bugzilla Helper: User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.0) Gecko/20020615 Debian/1.0.0-3 Description of problem: One of the scripts in logwatch tries to expand lines like previous message repeated 110229 times into 110230 repetitions of the line in a temporary file. If there are many such messages, or if the counts are very large, then the machine can run out of disk space or even VM. This occurred on one of our machines when it was apparently attacked by somebody looking for CDE or portmapper vulnerabilities -- it received many thousands of probe packets, which were detected and logged by portsentry via syslogd. So far so good. However, when the cron job ran, the machine worked itself into a state of near exhaustion trying to expand the log file entries. So what should have been a minor security warning turned into a major problem for machine availability. At the point where I interrupted it, the temporary file was 60GB (sparse) and growing. You can imagine a malicious local user provoking the bug by just writing a single syslog message that looks like an enormous repeat count. It seems to me that this is a design flaw in logwatch. I think we will just turn it off for the time being. Version-Release number of selected component (if applicable): How reproducible: Always Steps to Reproduce: 1. Do something to get a "previous message repeated n times" message in /var/log/messages, for large n 2. Start the cron job 3. Actual Results: Machine grinds to a halt, with an enormous tmp file Expected Results: Should have got the regular warning message, but without using so much disk space. Additional info: Possibly this has been fixed in a later version of logwatch? I don't know because their web site seems to be unreachable at the moment.
Fixed in 2.6-6 (removed expandrepeats)