Bug 68862 - logwatch hangs when processing kernel messages
Summary: logwatch hangs when processing kernel messages
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: logwatch
Version: 7.2
Hardware: i686
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Elliot Lee
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2002-07-15 13:28 UTC by Carmelo A. Zizza
Modified: 2008-05-01 15:38 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2002-08-08 15:51:04 UTC
Embargoed:


Attachments (Terms of Use)

Description Carmelo A. Zizza 2002-07-15 13:28:09 UTC
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; T312461)

Description of problem:
Logwatch will hang when processing kernel messages when it encounters and 
unresolvable IP name. Hackers will use spoofed IP addresses to gain access and 
therefor cause logwatch never to finish if it trys to lookup the hosts IP name. 
In a firewall configuration I recommend that the default Logwatch configuration 
should be to return IP addresses and not the hosts name.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Spoofed IP address
2. Generate some denied and logged traffic to your firewall.
3. Run logwatch and watch it choke on LookupIP
	

Actual Results:  Logwatch will remain running in the background until it is 
either killed or finishes it parsing of the kernel messages. Which could take 
longer then a day.

Expected Results:  Change to echo out IP address instead of name.

Additional info:

Change LookupIP function to be:

sub LookupIP {
   my ($name, $a1, $a2,$a3,$a4,$PackedAddr,$Addr);
   $Addr = $_[0];
   ($a1,$a2,$a3,$a4) = split /\./,$Addr;
   $PackedAddr = pack('C4',$a1,$a2,$a3,$a4);
#  if ($name = gethostbyaddr ($PackedAddr,2)) {
#     return ($name . " (" . $Addr . ")");
#  } else {
      return ($Addr);
#  }
}

Comment 1 Elliot Lee 2002-10-16 17:57:55 UTC
Fixed in logwatch-4.0


Note You need to log in before you can comment on or make changes to this bug.