defective log entries from pads in /var/log/messages

Bug #282590 reported by Peer Janssen
Affects: pads (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned

Bug Description

Binary package hint: pads

In messages, I found discontiguous log entries like this:

Oct 12 22:43:27 xxxx Found: Port - 80 / Host - 209.67.233.146 / Service - www / Application - Apache 2.0.46 (CentOS) [*] Asset Found: Port - 80
 / Host - 38.98.19.125 / Service - www / Application - Apache 2.2.6 (Unix) [*] Asset Found: Port - 80 / Host - 209.67.233.140 / Service - www / A
pplication - Apache [*] Asset Found: Port - 80 / Host - 84.19.183.157 / Service - www / Application - Apache 1.3.33 (Debian GNU/Linux) [*] Asset
Found: Port - 80 / Host - 64.34.180.144 / Service - www / Application - lighttpd/1.5.0 [*] Asset Found: Port - 80 / Host - 80.157.151.28 / Service - www / Application - Apache [*] Asset Found: Port - 80 / Host - 208.245.211.8 / Service - www / Application - Apache 2.2.3 (Debian) [*] Asset Found: Port - 80 / Host - 80.157.151.17 / Service - www / Application - Apache [*] Asset Found: Port - 80 / Host - 80.157.151.42 / Service - www / Application - Apache [*] Asset Found: Port - 80 / Host - 80.157.151.9 / Service - www / Application - Apache 1.3.37 (Unix) [*] Asset Found: Port - 80 / Host - 8

These are produced while browsing websites. They are repeated at some irregular interval, seemingly depending on the frequency of browsing (e.g. discovering new assets, speaking in pads terminology).

If you ever saw the assets.csv produced by package pads, it's obvious that these entries come from that package.

The worrying thing is the discontiguous, incomplete and unexpected nature of the entries. They don't start/end in a sensible manner (e.g. aligned to field boundaries of the "real" pads log entries into assets.csv), and entries following one another do not constitute a complete "log" because parts are missing. This kind of log should not exist anyway; I don't see any reason why this package should produce any such kind of /var/log/messages log entry, as the logged assets are correctly, simultaneously and appropriately (=expectedly) logged in said assets.csv as they should.

Conclusion: Something rather more disturbing than just some defective log entry might be going on, maybe memory corruption, some wrong function call or such.
Since this package is used in conjunction with network auditing and runs on network capture files or promiscuous mode interfaces, it might be security relevant.

This is on a completely up to date hardy.
pads version = 1.2-7
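
A triage sketch for lines like the excerpt in the report above, added here as an example (it is not part of the original report or of pads): it splits one /var/log/messages line at the "[*] Asset Found:" marker and separates complete asset records from fragments. The field layout is taken from the excerpt; the function names and the sample line (RFC 5737 documentation addresses) are constructed for illustration.

```python
import ipaddress
import re

MARKER = "[*] Asset Found:"
# Classic syslog prefix, then the field layout seen in the report's excerpt.
PREFIX = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} \S+ ")
RECORD = re.compile(
    r"^Port - (?P<port>\d{1,5}) / Host - (?P<host>\S+) / "
    r"Service - (?P<service>.+?) / Application - (?P<app>.+)$"
)

def plausible(match):
    """Port in range and host a literal IP address."""
    try:
        ipaddress.ip_address(match["host"])
    except ValueError:
        return False
    return 1 <= int(match["port"]) <= 65535

def split_assets(line):
    """Return (records, fragments) recovered from one syslog line."""
    chunks = PREFIX.sub("", line.rstrip("\n")).split(MARKER)
    records, fragments = [], []
    for i, chunk in enumerate(chunks):
        text = chunk.strip()
        if not text:
            continue
        m = RECORD.match(text)
        if m and plausible(m):
            rec = m.groupdict()
            rec["port"] = int(rec["port"])
            # A final chunk that parses may still be cut inside Application.
            rec["maybe_truncated"] = i == len(chunks) - 1
            records.append(rec)
        else:
            fragments.append(text)  # partial marker or missing fields
    return records, fragments

# Constructed sample (RFC 5737 addresses), shaped like the reported line.
SAMPLE = (
    "Oct 12 22:43:27 host1 Found: Port - 80 / Host - 192.0.2.10 / Service - www"
    " / Application - Apache 2.0.46 (CentOS) [*] Asset Found: Port - 80 / Host"
    " - 192.0.2.11 / Service - www / Application - Apache [*] Asset Found: Port"
    " - 80 / Host - 198.51.100.7 / Service - www / Application - lighttpd/1.5.0"
    " [*] Asset Found: Port - 80 / Host - 8"
)

if __name__ == "__main__":
    recs, frags = split_assets(SAMPLE)
    print(len(recs), "complete records;", len(frags), "fragments:", frags)
```

Comparing the recovered records against assets.csv shows whether the syslog copies only lose record boundaries or also carry content that never reached the CSV.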

Peer Janssen (peer) wrote :

Other people had memory problems with this program:

[ 1731419 ] Multiple bugs in PADS 1.2 in daemon mode under RHEL 4 (submitted 2007-06-05 14:21)
http://sourceforge.net/tracker/index.php?func=detail&aid=1731419&group_id=116419&atid=674742

[ 1974463 ] seg fault while running pads in 64 bit linux (other people had 2008-05-27 08:41)
http://sourceforge.net/tracker/index.php?func=detail&aid=1731419&group_id=116419&atid=674742

Jamie Strandboge (jdstrand) wrote :

Unflagging as a security vulnerability. It seems more like a missing newline and the referenced bugs don't seem related. Please re-mark as security if there is evidence of attacker controlled memory corruption.

Edward Fjellskål (ebf0) wrote :

pads is no longer actively maintained at sourceforge.
I have forked pads, added a lot of patches and bumped the version to 1.3
Source is hosted on github: http://github.com/gamelinux/

There are also .debs here on launchpad

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pads - 1.2-11

---------------
pads (1.2-11) unstable; urgency=low

  * Update maintainer's email address
  * src/util.c:
     - Flush stdout/stderr before child process closes them, preventing a
       segfault
     - Fix the pid file code so that it does not segfault if no name is
       explicitly set
     - Make the PID file always have the children (not parent's) pid
    These changes are based on the patch provided by David J. Bianco in the
    sourceforge bug id #1731419
    (LP: #282590)
  * src/pads.c: Fix the process_cmdline function so that the -p option is
    properly recognised (Sourceforge bug 1267011)
  * debian/README: Indicate that the Sourceforge version is not being
    maintained
  * Lintian fixes:
     - doc/pads.8: Fix error from man by indenting apostrophe
     - debian/copyright: Point to version 2 and indicate that the license is
     "GPL version 2 or later"
 -- Ubuntu Archive Auto-Sync <email address hidden> Mon, 13 Jun 2011 09:09:15 +0000

Changed in pads (Ubuntu):
status: New → Fix Released