Simon Waters
2010-Oct-26 07:08 UTC
[Logcheck-devel] Bug#488212: denial-of-service (DOS) attack by anyone with syslog access (e.g. logger(1))
Package: logcheck
Version: 1.3.13
Severity: normal

Hit related issue, with USB device errors causing extremely large syslog and kern.log files. Results in logcheck consuming excessive CPU.

Whilst there are many easy work arounds and perhaps this should be fixed with the kernel logging or in syslogd, but occurred to me logcheck should have a maximum file size limit at which it refuses to process the log.

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages logcheck depends on:
ii  adduser                       3.112       add and remove users and groups
ii  cron                          3.0pl1-115  process scheduling daemon
ii  lockfile-progs                0.1.15      Programs for locking and unlocking
ii  logtail                       1.3.13      Print log file lines that have not
ii  mime-construct                1.11        construct/send MIME messages from
ii  postfix [mail-transport-agent 2.7.1-1     High-performance mail transport ag
ii  rsyslog [system-log-daemon]   4.6.4-1     enhanced multi-threaded syslogd

Versions of packages logcheck recommends:
ii  logcheck-database             1.3.13      database of system log rules for t

Versions of packages logcheck suggests:
pn  syslog-summary                <none>      (no description available)

-- Configuration Files:
/etc/cron.d/logcheck changed:
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
@reboot         logcheck    if [ -x /usr/sbin/logcheck ]; then nice -n10 /usr/sbin/logcheck -R; fi
2 0,12 * * *    logcheck    if [ -x /usr/sbin/logcheck ]; then nice -n10 /usr/sbin/logcheck; fi

/etc/logcheck/logcheck.conf [Errno 13] Permission denied: u'/etc/logcheck/logcheck.conf'
/etc/logcheck/logcheck.logfiles [Errno 13] Permission denied: u'/etc/logcheck/logcheck.logfiles'

-- no debconf information

martin f krafft
2010-Oct-26 07:43 UTC
[Logcheck-devel] Bug#488212: denial-of-service (DOS) attack by anyone with syslog access (e.g. logger(1))
also sprach Simon Waters <simon at technocool.net> [2010.10.26.0908 +0200]:
> Hit related issue, with USB device errors causing extremely large
> syslog and kern.log files. Results in logcheck consuming excessive
> CPU.
>
> Whilst there are many easy work arounds and perhaps this should be
> fixed with the kernel logging or in syslogd, but occurred to me
> logcheck should have a maximum file size limit at which it refuses
> to process the log.

Patches welcome.

Note that if someone chooses to spam your syslog with logger, you have a completely different set of problems than logcheck though.

-- 
 .''`.   martin f. krafft <madduck at d.o>      Related projects:
: :'  :  proud Debian developer               http://debiansystem.info
`. `'`   http://people.debian.org/~madduck    http://vcs-pkg.org
  `-  Debian - when you have better things to do than fixing systems
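
The maximum file size limit proposed in the report, as an added example that is not part of this thread and not logcheck's own code: a shell guard that drops oversized files from a logcheck.logfiles-style list before they are scanned and reports every skipped file on stderr. MAX_LOG_BYTES, check_log_size and filter_logfiles are hypothetical names, and the sample logs are constructed.

```shell
#!/bin/sh
# Added example (not logcheck code): skip oversized logs before scanning.
# MAX_LOG_BYTES and the function names below are hypothetical.

MAX_LOG_BYTES=${MAX_LOG_BYTES:-104857600}   # 100 MiB, constructed default

# Classify one file: 0 = within limit, 1 = oversized, 2 = missing/unreadable.
check_log_size() {
    [ -f "$1" ] && [ -r "$1" ] || return 2
    # GNU wc takes the size of a regular file from stat, so the log is not read.
    size=$(wc -c < "$1" | tr -d ' ')
    [ "$size" -le "$MAX_LOG_BYTES" ] || return 1
    return 0
}

# Read log paths (one per line, '#' comments allowed) on stdin.
# Accepted paths go to stdout; every skipped path is reported on stderr so
# an unscanned log shows up in the cron mail instead of silently vanishing.
filter_logfiles() {
    while IFS= read -r logfile; do
        case $logfile in ''|'#'*) continue ;; esac
        rc=0
        check_log_size "$logfile" || rc=$?
        case $rc in
            0) printf '%s\n' "$logfile" ;;
            1) printf 'SKIPPED (over %s bytes): %s\n' "$MAX_LOG_BYTES" "$logfile" >&2 ;;
            *) printf 'SKIPPED (unreadable): %s\n' "$logfile" >&2 ;;
        esac
    done
}

# Constructed demo: one small log and one log above a 1000-byte limit.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'Oct 26 07:08:01 host kernel: usb 1-1: reset\n' > "$dir/syslog"
    dd if=/dev/zero bs=4096 count=1 2>/dev/null | tr '\0' 'x' > "$dir/kern.log"
    printf '# constructed list\n%s\n%s\n' "$dir/syslog" "$dir/kern.log" |
        ( MAX_LOG_BYTES=1000; filter_logfiles )
    rm -rf "$dir"
}
demo
```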