Bug 68862 - logwatch hangs when processing kernel messages
logwatch hangs when processing kernel messages
Product: Red Hat Linux
Classification: Retired
Component: logwatch (Show other bugs)
i686 Linux
medium Severity medium
: ---
: ---
Assigned To: Elliot Lee
Depends On:
  Show dependency treegraph
Reported: 2002-07-15 09:28 EDT by Carmelo A. Zizza
Modified: 2008-05-01 11:38 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2002-08-08 11:51:04 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Carmelo A. Zizza 2002-07-15 09:28:09 EDT
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; T312461)

Description of problem:
Logwatch will hang when processing kernel messages when it encounters and 
unresolvable IP name. Hackers will use spoofed IP addresses to gain access and 
therefor cause logwatch never to finish if it trys to lookup the hosts IP name. 
In a firewall configuration I recommend that the default Logwatch configuration 
should be to return IP addresses and not the hosts name.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Spoofed IP address
2. Generate some denied and logged traffic to your firewall.
3. Run logwatch and watch it choke on LookupIP

Actual Results:  Logwatch will remain running in the background until it is 
either killed or finishes it parsing of the kernel messages. Which could take 
longer then a day.

Expected Results:  Change to echo out IP address instead of name.

Additional info:

Change LookupIP function to be:

sub LookupIP {
   my ($name, $a1, $a2,$a3,$a4,$PackedAddr,$Addr);
   $Addr = $_[0];
   ($a1,$a2,$a3,$a4) = split /\./,$Addr;
   $PackedAddr = pack('C4',$a1,$a2,$a3,$a4);
#  if ($name = gethostbyaddr ($PackedAddr,2)) {
#     return ($name . " (" . $Addr . ")");
#  } else {
      return ($Addr);
#  }
Comment 1 Elliot Lee 2002-10-16 13:57:55 EDT
Fixed in logwatch-4.0

Note You need to log in before you can comment on or make changes to this bug.