[cups] Potential Scheduler crash with security scan - web interface port

Dylan Stewart ds015516 at cerner.com
Thu May 12 15:12:59 PDT 2016


Dylan Stewart <ds015516 at ...> writes:

> 
> We are currently investigating a crash of the cupsd process that is giving
> minimal logging. What we have found in the error_log is that there appears
> to be some interaction with the web interface right before the crash occurs.
> So far we have only been able to get the default info level logging and
> will post debug logging if/when we can reproduce with that level of logging.
> 
> We are currently using CUPS 1.4.7 (and we know this is old and are looking
> to upgrade but validation is pending). We did not have any filesystems fill
> up and found nothing to note in /var/log/messages. RHEL 6.4 and RHEL 6.6
> are the OS versions we have seen this on so far.
> 
> Here is an example of the most recent crash where the last entry was a login
> to the web interface:
> 
> I [30/Jan/2016:15:11:48 -0700] Saving job cache file
> "/var/cache/cups/job.cache"...
> I [30/Jan/2016:15:12:04 -0700] Saving job cache file
> "/var/cache/cups/job.cache"...
> I [30/Jan/2016:15:12:04 -0700] Saving job cache file
> "/var/cache/cups/job.cache"...
> I [30/Jan/2016:15:12:33 -0700] Started "/usr/lib/cups/cgi-bin/admin.cgi"
> (pid=87331)
> I [30/Jan/2016:15:12:33 -0700] Started "/usr/lib/cups/cgi-bin/admin.cgi"
> (pid=87332)
> I [30/Jan/2016:15:12:33 -0700] Started "/usr/lib/cups/cgi-bin/admin.cgi"
> (pid=87333)
> 
> ***Crash sometime here***
> 
> I [30/Jan/2016:17:31:25 -0700] Listening to 0.0.0.0:631 (IPv4)
> I [30/Jan/2016:17:31:25 -0700] Listening to [v1.::]:631 (IPv6)
> I [30/Jan/2016:17:31:25 -0700] Listening to /var/run/cups/cups.sock (Domain)
> W [30/Jan/2016:17:31:25 -0700] No limit for CUPS-Get-Document defined in
> policy default - using Send-Document's policy
> I [30/Jan/2016:17:31:25 -0700] Remote access is enabled.
> 
> Here is another instance that shows a login to the interface as well as some
> "Bad URI" calls:
> 
> I [29/Jan/2016:13:06:08 -0500] Saving job cache file
> "/var/cache/cups/job.cache"...
> I [29/Jan/2016:13:06:09 -0500] Saving job cache file
> "/var/cache/cups/job.cache"...
> I [29/Jan/2016:13:06:09 -0500] Saving job cache file
> "/var/cache/cups/job.cache"...
> I [29/Jan/2016:13:06:20 -0500] Saving job cache file
> "/var/cache/cups/job.cache"...
> I [29/Jan/2016:13:06:20 -0500] Saving job cache file
> "/var/cache/cups/job.cache"...
> I [29/Jan/2016:13:06:29 -0500] Started "/usr/lib/cups/cgi-bin/admin.cgi"
> (pid=10554)
> I [29/Jan/2016:13:06:29 -0500] Started "/usr/lib/cups/cgi-bin/admin.cgi"
> (pid=10563)
> E [29/Jan/2016:13:06:29 -0500] Bad URI "%." in request!
> E [29/Jan/2016:13:06:29 -0500] Bad URI "%server.policy" in request!
> E [29/Jan/2016:13:06:29 -0500] Bad URI "%login-config.xml" in request!
> E [29/Jan/2016:13:06:29 -0500] Bad URI "%org/jboss/version.properties" in
> request!
> E [29/Jan/2016:13:06:29 -0500] Bad URI "%org/jboss/version.properties" in
> request!
> I [29/Jan/2016:13:06:29 -0500] Started "/usr/lib/cups/cgi-bin/admin.cgi"
> (pid=10609)
> I [29/Jan/2016:13:06:29 -0500] Started "/usr/lib/cups/cgi-bin/admin.cgi"
> (pid=10613)
> 
> ***Crash sometime here***
> 
> I [29/Jan/2016:14:39:01 -0500] Listening to 0.0.0.0:631 (IPv4)
> I [29/Jan/2016:14:39:01 -0500] Listening to [v1.::]:631 (IPv6)
> I [29/Jan/2016:14:39:01 -0500] Listening to /var/run/cups/cups.sock (Domain) 
> 
> Has anyone else seen something like this or know if this is corrected in a
> later version?
> 



Got some more information on this after getting a core dump, but still not
sure of the exact cause. Found the following stack from the core:

Thread 1 (Thread 0x7ff19ea7e7c0 (LWP 56718)):
#0  0x00007ff19c280625 in raise () from /lib64/libc.so.6
#1  0x00007ff19c281e05 in abort () from /lib64/libc.so.6
#2  0x00007ff19c2be537 in __libc_message () from /lib64/libc.so.6
#3  0x00007ff19c2c3f4e in malloc_printerr () from /lib64/libc.so.6
#4  0x00007ff19c2c6cf0 in _int_free () from /lib64/libc.so.6
#5  0x00007ff19eab04b3 in ?? ()
#6  0x00007ff19eae57d2 in ?? ()
#7  0x00007ff19eabfdea in main ()

Seems fairly generic, but it does seem to be close to matching what Red Hat
reports here: https://access.redhat.com/solutions/1202283

However, when looking at the errata, I am having trouble finding any of the
cups.org bugs included that indicate they would cause a crash.

Do we know which fix Red Hat included to fix this crash and if it is included
in 1.7.3 that we are working to validate?

Thank you,

Dylan Stewart
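
A triage sketch for the pattern in the log excerpts above, added here as an example; it is not part of the original post and is not CUPS code. It finds each scheduler start ("Listening to") that follows a silence with no clean-stop line, and counts the CGI starts and "Bad URI" errors in the last minute before the silence. The clean-stop marker string, the 60-second window and the function names are assumptions; the sample lines come from the second excerpt with the mail line-wrapping undone.

```python
import re
from datetime import datetime, timedelta

LINE = re.compile(r"^([A-Za-z]) \[([^\]]+)\] (.*)$")
CLEAN_STOP = "Scheduler shutting down"   # assumption: logged on a normal stop
WINDOW = timedelta(seconds=60)           # assumption: look-back before the silence

# Taken from the second excerpt in the post, with the mail line-wrapping undone.
SAMPLE = '''\
I [29/Jan/2016:13:06:20 -0500] Saving job cache file "/var/cache/cups/job.cache"...
I [29/Jan/2016:13:06:29 -0500] Started "/usr/lib/cups/cgi-bin/admin.cgi" (pid=10554)
E [29/Jan/2016:13:06:29 -0500] Bad URI "%." in request!
E [29/Jan/2016:13:06:29 -0500] Bad URI "%server.policy" in request!
I [29/Jan/2016:13:06:29 -0500] Started "/usr/lib/cups/cgi-bin/admin.cgi" (pid=10613)
I [29/Jan/2016:14:39:01 -0500] Listening to 0.0.0.0:631 (IPv4)
I [29/Jan/2016:14:39:01 -0500] Listening to /var/run/cups/cups.sock (Domain)
'''

def parse(text):
    """Return (level, timestamp, message) for each well-formed error_log line."""
    out = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            out.append((m.group(1), ts, m.group(3)))
    return out

def unclean_restarts(text):
    """Report scheduler starts that follow a silence with no clean-stop line."""
    entries, reports = parse(text), []
    for i, (_, ts, msg) in enumerate(entries):
        # Only the first "Listening to" line of each startup burst counts.
        first_listen = (msg.startswith("Listening to") and i > 0
                        and not entries[i - 1][2].startswith("Listening to"))
        if not first_listen:
            continue
        last_ts = entries[i - 1][1]
        recent = [m for _, t, m in entries[:i] if last_ts - t <= WINDOW]
        if any(CLEAN_STOP in m for m in recent):
            continue
        reports.append({
            "restart": ts.isoformat(),
            "silent_seconds": int((ts - last_ts).total_seconds()),
            "cgi_starts": sum(m.startswith("Started") and "cgi-bin/" in m for m in recent),
            "bad_uri": sum(m.startswith("Bad URI") for m in recent),
        })
    return reports

if __name__ == "__main__":
    for report in unclean_restarts(SAMPLE):
        print(report)
```

A hit shows only that the scheduler restarted without a clean-stop line shortly after that activity; it does not identify the cause of the crash.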





