Red Hat Bugzilla – Bug 67606
expandrepeats can cause resource exhaustion
Last modified: 2008-05-01 11:38:02 EDT
Description of problem:
One of the scripts in logwatch tries to expand lines like
previous message repeated 110229 times
into 110230 repetitions of the line in a temporary file. If there are many such
messages, or if the counts are very large, then the machine can run out of disk
space or even VM.
This occurred on one of our machines when it was apparently attacked by somebody
looking for CDE or portmapper vulnerabilities -- it received many thousands of
probe packets, which were detected and logged by portsentry via syslogd. So far
so good. However, when the cron job ran, the machine worked itself into a state
of near exhaustion trying to expand the log file entries. So what should have
been a minor security warning turned into a major problem for machine
availability. At the point where I interrupted it, the temporary file was 60GB
(sparse) and growing.
You can imagine a malicious local user provoking the bug by just writing a
single syslog message that looks like an enormous repeat count.
It seems to me that this is a design flaw in logwatch. I think we will just
turn it off for the time being.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Do something to get a "previous message repeated n times" message in
/var/log/messages, for large n
2. Start the cron job
Actual Results: Machine grinds to a halt, with an enormous tmp file
Expected Results: Should have got the regular warning message, but without
using so much disk space.
Possibly this has been fixed in a later version of logwatch? I don't know
because their web site seems to be unreachable at the moment.
Fixed in 2.6-6 (removed expandrepeats)
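
Added example, not part of the original report and not logwatch's own code: one way to report repeated messages without expanding them is to add each repeat count to a counter for the preceding message from the same host, so resource use never depends on the count written in the log. The sample log lines, host names, the `summarize` function and its threshold are constructed for illustration; the "last message repeated" spelling is accepted alongside the form quoted in the report.

```python
import re
from collections import Counter

# Constructed sample input; hosts, addresses and line layout are assumptions.
SAMPLE = """\
Jun 27 04:02:11 host1 portsentry[512]: attackalert: Connect from host: 192.0.2.7 to TCP port: 111
Jun 27 04:02:15 host1 previous message repeated 110229 times
Jun 27 04:02:16 host1 portsentry[512]: attackalert: Connect from host: 192.0.2.7 to TCP port: 6112
Jun 27 04:02:20 host1 last message repeated 99999999999999 times
Jun 27 04:02:21 host2 previous message repeated 5 times
""".splitlines()

# Traditional syslog layout: "Mon DD HH:MM:SS host rest-of-line"
LINE = re.compile(r"^(\w{3}\s+\d+\s+[\d:]{8})\s+(\S+)\s+(.*)$")
# The digit run is bounded so an attacker-written line cannot force a huge
# integer parse; longer runs simply count as an ordinary message.
REPEAT = re.compile(r"^(?:previous|last) message repeated (\d{1,18}) times$")


def summarize(lines, suspicious_over=1_000_000):
    """Count messages per (host, text) without materialising any repeats.

    Memory grows with the number of distinct messages, never with the
    (untrusted) repeat count, and nothing is written to a temporary file.
    """
    counts = Counter()
    last_by_host = {}          # most recent real message seen per host
    notes = []                 # anomalies worth showing in the report
    for raw in lines:
        m = LINE.match(raw)
        if not m:
            continue           # not in the assumed layout; skip
        _, host, text = m.groups()
        r = REPEAT.match(text)
        if r is None:
            last_by_host[host] = text
            counts[(host, text)] += 1
            continue
        n = int(r.group(1))
        prev = last_by_host.get(host)
        if prev is None:
            # Marker with nothing before it (rotated log, or forged line).
            notes.append(f"{host}: repeat marker with no preceding message")
            continue
        counts[(host, prev)] += n   # O(1) work regardless of n
        if n > suspicious_over:
            notes.append(f"{host}: implausible repeat count {n}")
    return counts, notes
```
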