Bug#952684: marked as done (cups: segfault in printers.cgi when browsing finished jobs in the cups webpage)

To: Brian Potkin <claremont102@gmail.com>
Subject: Bug#952684: marked as done (cups: segfault in printers.cgi when browsing finished jobs in the cups webpage)
From: "Debian Bug Tracking System" <owner@bugs.debian.org>
Date: Mon, 29 May 2023 18:39:08 +0000
Message-id: <[🔎] handler.952684.D952684.16853854122945963.ackdone@bugs.debian.org>
Reply-to: 952684@bugs.debian.org
References: <29052023185243.e5965c7b0604@desktop.copernicus.org.uk> <d1ffd2ae-d332-4698-e70c-11fd6fbe66dd@mailbox.org>

Your message dated Mon, 29 May 2023 18:54:42 +0100
with message-id <29052023185243.e5965c7b0604@desktop.copernicus.org.uk>
and subject line cups: segfault in printers.cgi when browsing finished jobs in the cups webpage
has caused the Debian Bug report #952684,
regarding cups: segfault in printers.cgi when browsing finished jobs in the cups webpage
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
952684: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=952684
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: cups: segfault in printers.cgi when browsing finished jobs in the cups webpage
From: Bernhard Übelacker <bernhardu@mailbox.org>
Date: Thu, 27 Feb 2020 15:17:33 +0100
Message-id: <d1ffd2ae-d332-4698-e70c-11fd6fbe66dd@mailbox.org>

Package: cups
Version: 2.2.10-6+deb10u2
Severity: normal



Dear Maintainer,

I found today some suspicious segfault line in dmesg output and
could reproduce it every time I loaded the finished jobs of a printer
with this URL:

    http://localhost:631/printers/Samsung_CLX-3180_Series?which_jobs=completed

This is the dmesg output:

    kernel: printers.cgi[3587]: segfault at 0 ip 00007f05a859e181 sp 00007fffcf0fb678 error 4 in libc-2.28.so[7f05a8464000+148000]
    kernel: Code: 84 00 00 00 00 00 0f 1f 00 31 c0 c5 f8 77 c3 66 2e 0f 1f 84 00 00 00 00 00 89 f9 48 89 fa c5 f9 ef c0 83 e1 3f 83 f9 20 77 1f <c5> fd 74 0f c5 fd d7 c1 85 c0 0f 85 df 00 00 00 48 83 c7 20 83 e1

Unfortunately no core was collected by systemd-coredump, but
I could generate one manually by running it in gdb described in
attached file.

    (gdb) bt
    #0  __strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:65
    #1  0x00007f02ba505dae in __GI___strdup (s=0x0) at strdup.c:41
    #2  0x0000556d4f025055 in cgiGetArray (name=name@entry=0x7fffd550ce11 "job_name", element=element@entry=0) at var.c:171
    #3  0x0000556d4f023cdc in cgi_copy (out=out@entry=0x7f02ba63a760 <_IO_2_1_stdout_>, in=in@entry=0x556d4f068590, element=element@entry=0, term=term@entry=125 '}', indent=indent@entry=4) at template.c:299
    #4  0x0000556d4f0245fe in cgi_copy (out=out@entry=0x7f02ba63a760 <_IO_2_1_stdout_>, in=in@entry=0x556d4f068590, element=element@entry=0, term=term@entry=125 '}', indent=indent@entry=2) at template.c:348
    #5  0x0000556d4f023ee6 in cgi_copy (out=0x7f02ba63a760 <_IO_2_1_stdout_>, in=in@entry=0x556d4f068590, element=element@entry=0, term=term@entry=0 '\000', indent=indent@entry=0) at template.c:602
    #6  0x0000556d4f024977 in cgiCopyTemplateLang (tmpl=tmpl@entry=0x556d4f027091 "jobs.tmpl") at template.c:148
    #7  0x0000556d4f02206e in cgiShowJobs (http=<optimized out>, dest=0x7fffd5510ee0 "Samsung_CLX-3180_Series") at ipp-var.c:1506
    #8  0x0000556d4f01f9e6 in show_printer (printer=0x7fffd5510ee0 "Samsung_CLX-3180_Series", http=0x556d4f06c370) at printers.c:540
    #9  main () at printers.c:137

    ...
    (gdb) up
    #2  0x0000556d4f025055 in cgiGetArray (name=name@entry=0x7fffd550ce11 "job_name", element=element@entry=0) at var.c:171
    171       return (strdup(var->values[element]));

I found an upstream change that leaves cgiGetArray
if "var->values[element]" would be a NULL value [1].

This change reached bullseye/testing already, therefore
just buster/stable would be affected [2].

But I am not sure if this is the real problem as the
file /var/spool/cups/c00208 really contains a "job-name",
but no "job_name".

My guess is the "job_name" originates from /usr/share/cups/templates/de/jobs.tmpl.
Therefore might this be a internationalisation issue?

A package cups built with the patch in [1] makes the
finished jobs page load completely.

All print jobs show as name unknown ("Unbekannt"),
except some recent test pages.
Most regular prints are done from a kde environment e.g. okular.


So maybe this upstream patch is worth to be considered in stable?

And second, can someone confirm if this unknown name is an issue,
while the file in /var/spool/cups does contain a job-name?
When opening the kde print queue I get the job names - maybe it
is changed to unknown on purpose for security reasons?
In bullseye/testing the web page shows also unknown, even
when credentials were given before and test page is printed
from there. (Should this go into a separate bug?)



Kind regards,
Bernhard


[1] https://github.com/apple/cups/commit/eda46e3aac94d42e4199d95befe99ff83afb098f
    https://github.com/apple/cups/pull/5621

[2] https://sources.debian.org/src/cups/2.2.10-6+deb10u2/cgi-bin/var.c/#L171
    https://sources.debian.org/src/cups/2.3.1-11/cgi-bin/var.c/#L173








-- System Information:
Debian Release: 10.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-debug'), (500, 'proposed-updates-debug'), (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-7-amd64 (SMP w/16 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages cups depends on:
ii  cups-client            2.2.10-6+deb10u2
ii  cups-common            2.2.10-6+deb10u2
ii  cups-core-drivers      2.2.10-6+deb10u2
ii  cups-daemon            2.2.10-6+deb10u2
ii  cups-filters           1.21.6-5
ii  cups-ppdc              2.2.10-6+deb10u2
ii  cups-server-common     2.2.10-6+deb10u2
ii  debconf [debconf-2.0]  1.5.71
ii  ghostscript            9.27~dfsg-2+deb10u3
ii  libavahi-client3       0.7-4+b1
ii  libavahi-common3       0.7-4+b1
ii  libc6                  2.28-10
ii  libcups2               2.2.10-6+deb10u2
ii  libcupsimage2          2.2.10-6+deb10u2
ii  libgcc1                1:8.3.0-6
ii  libstdc++6             8.3.0-6
ii  libusb-1.0-0           2:1.0.22-2
ii  poppler-utils          0.71.0-5
ii  procps                 2:3.3.15-2

Versions of packages cups recommends:
ii  avahi-daemon                     0.7-4+b1
ii  colord                           1.4.3-4
ii  cups-filters [ghostscript-cups]  1.21.6-5
pn  printer-driver-gutenprint        <none>

Versions of packages cups suggests:
ii  cups-bsd                            2.2.10-6+deb10u2
ii  foomatic-db                         20181217-2
ii  hplip                               3.18.12+dfsg0-2
ii  printer-driver-cups-pdf [cups-pdf]  3.0.1-5
ii  printer-driver-hpcups               3.18.12+dfsg0-2
ii  smbclient                           2:4.9.5+dfsg-5+deb10u1
ii  udev                                241-7~deb10u3

-- debconf information:
* cupsys/raw-print: true
* cupsys/backend: lpd, socket, usb, snmp, dnssd


# Buster/stable amd64 real hardware 2020-02-27



http://localhost:631/printers/Samsung_CLX-3180_Series?which_jobs=completed

"Beendete Aufträge" ("Finished Jobs")



dmesg:
Feb 27 11:31:40 rechner kernel: printers.cgi[3587]: segfault at 0 ip 00007f05a859e181 sp 00007fffcf0fb678 error 4 in libc-2.28.so[7f05a8464000+148000]
Feb 27 11:31:40 rechner kernel: Code: 84 00 00 00 00 00 0f 1f 00 31 c0 c5 f8 77 c3 66 2e 0f 1f 84 00 00 00 00 00 89 f9 48 89 fa c5 f9 ef c0 83 e1 3f 83 f9 20 77 1f <c5> fd 74 0f c5 fd d7 c1 85 c0 0f 85 df 00 00 00 48 83 c7 20 83 e1


pidof cupsd
gdb -q

set width 0
set pagination off
maint set target-non-stop off
set follow-fork-mode child
attach 20199
cont
generate-core-file /coredumps/2020-02-27_cups-printer.cgi.4160


# not yet available? "set follow-fork-mode ask"
# without "maint set target-non-stop off": /build/gdb-EbRs5Y/gdb-8.2.1/gdb/nat/x86-linux-dregs.c:146: internal-error: void x86_linux_update_debug_registers(lwp_info*): Assertion `lwp_is_stopped (lwp)' failed.







Thread 2.1 "printers.cgi" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7f02b94fca00 (LWP 4160)]
__strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:65
65      ../sysdeps/x86_64/multiarch/strlen-avx2.S: Datei oder Verzeichnis nicht gefunden.
(gdb) bt
#0  __strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:65
#1  0x00007f02ba505dae in __GI___strdup (s=0x0) at strdup.c:41
#2  0x0000556d4f023cdc in ?? ()
#3  0x0000556d4f0245fe in ?? ()
#4  0x0000556d4f023ee6 in ?? ()
#5  0x0000556d4f024977 in ?? ()
#6  0x0000556d4f02206e in ?? ()
#7  0x0000556d4f01f9e6 in ?? ()
#8  0x00007f02ba4a209b in __libc_start_main (main=0x556d4f01f680, argc=2, argv=0x7fffd5510498, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffd5510488) at ../csu/libc-start.c:308
#9  0x0000556d4f0200fa in ?? ()
(gdb) generate-core-file /coredumps/2020-02-27_cups-printer.cgi.4160
warning: target file /proc/4160/cmdline contained unexpected null characters
Saved corefile /coredumps/2020-02-27_cups-printer.cgi.4160
(gdb) detach
Detaching from program: /usr/lib/cups/cgi-bin/printers.cgi, process 4160
[Inferior 2 (process 4160) detached]





$ ps aux | grep printer
lp        4160  0.0  0.0  19468  6980 ?        t    11:44   0:00 /usr/lib/cups/cgi-bin/printers.cgi which_jobs=completed







Showing unknown (Unbekannt):

# cat /var/spool/cups/c00208 | hexdump -C
00000000  02 00 00 05 00 00 00 04  01 47 00 12 61 74 74 72  |.........G..attr|
00000010  69 62 75 74 65 73 2d 63  68 61 72 73 65 74 00 05  |ibutes-charset..|
00000020  75 74 66 2d 38 48 00 1b  61 74 74 72 69 62 75 74  |utf-8H..attribut|
00000030  65 73 2d 6e 61 74 75 72  61 6c 2d 6c 61 6e 67 75  |es-natural-langu|
00000040  61 67 65 00 05 64 65 2d  64 65 02 45 00 0b 70 72  |age..de-de.E..pr|
00000050  69 6e 74 65 72 2d 75 72  69 00 30 69 70 70 3a 2f  |inter-uri.0ipp:/|
00000060  2f 6c 6f 63 61 6c 68 6f  73 74 2f 70 72 69 6e 74  |/localhost/print|
00000070  65 72 73 2f 53 61 6d 73  75 6e 67 5f 43 4c 58 2d  |ers/Samsung_CLX-|
00000080  33 31 38 30 5f 53 65 72  69 65 73 42 00 19 6a 6f  |3180_SeriesB..jo|
00000090  62 2d 6f 72 69 67 69 6e  61 74 69 6e 67 2d 75 73  |b-originating-us|
000000a0  65 72 2d 6e 61 6d 65 00  08 62 65 72 6e 68 61 72  |er-name..bernhar|
000000b0  64 42 00 08 6a 6f 62 2d  6e 61 6d 65 00 23 4a 61  |dB..job-name.#Ja|  "job-name", but with dash instead underscore ?  0x23 -> 35 characters?
000000c0  68 72 65 73 68 61 75 70  74 76 65 72 73 61 6d 6d  |hreshauptversamm|
000000d0  6c 75 6e 67 5f 34 61 75  66 41 34 78 31 2e 70 64  |lung_4aufA4x1.pd|
000000e0  66 22 00 07 43 6f 6c 6c  61 74 65 00 01 01 21 00  |f"..Collate...!.|
000000f0  06 63 6f 70 69 65 73 00  04 00 00 00 0c 23 00 0a  |.copies......#..|
00000100  66 69 6e 69 73 68 69 6e  67 73 00 04 00 00 00 03  |finishings......|
...


Showing job_name "Test Page" in the web page:

# cat /var/spool/cups/c00205 | hexdump -C 
00000000  02 00 00 05 00 00 00 05  01 47 00 12 61 74 74 72  |.........G..attr|
00000010  69 62 75 74 65 73 2d 63  68 61 72 73 65 74 00 05  |ibutes-charset..|
00000020  75 74 66 2d 38 48 00 1b  61 74 74 72 69 62 75 74  |utf-8H..attribut|
00000030  65 73 2d 6e 61 74 75 72  61 6c 2d 6c 61 6e 67 75  |es-natural-langu|
00000040  61 67 65 00 02 64 65 02  45 00 0b 70 72 69 6e 74  |age..de.E..print|
00000050  65 72 2d 75 72 69 00 38  69 70 70 3a 2f 2f 72 65  |er-uri.8ipp://re|
00000060  63 68 6e 65 72 2e 6c 6f  63 61 6c 3a 36 33 31 2f  |chner.local:631/|
00000070  70 72 69 6e 74 65 72 73  2f 53 61 6d 73 75 6e 67  |printers/Samsung|
00000080  5f 43 4c 58 2d 33 31 38  30 5f 53 65 72 69 65 73  |_CLX-3180_Series|
00000090  42 00 19 6a 6f 62 2d 6f  72 69 67 69 6e 61 74 69  |B..job-originati|
000000a0  6e 67 2d 75 73 65 72 2d  6e 61 6d 65 00 09 61 6e  |ng-user-name..an|
000000b0  6f 6e 79 6d 6f 75 73 42  00 08 6a 6f 62 2d 6e 61  |onymousB..job-na|
000000c0  6d 65 00 09 54 65 73 74  20 50 61 67 65 21 00 06  |me..Test Page!..|  "job-name", followed by "00 09". 0x09 -> number of characters?
000000d0  63 6f 70 69 65 73 00 04  00 00 00 01 22 00 0c 63  |copies......"..c|





#######




# for analyzing the core file

# Buster/stable amd64 qemu VM

apt update
apt dist-upgrade

apt install systemd-coredump xserver-xorg sddm openbox xterm firefox-esr fakeroot gdb cups cups-dbgsym
apt build-dep cups





mkdir /home/benutzer/source/cups/orig -p
cd    /home/benutzer/source/cups/orig
apt source cups
cd





$ gdb -q --core 2020-02-27_cups-printer.cgi.4160
[New LWP 4160]
Core was generated by `/usr/lib/cups/cgi-bin/printers.cgi'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007f02ba5da181 in ?? ()
(gdb) q


$ gdb -q /usr/lib/cups/cgi-bin/printers.cgi --core 2020-02-27_cups-printer.cgi.4160
Reading symbols from /usr/lib/cups/cgi-bin/printers.cgi...(no debugging symbols found)...done.
[New LWP 4160]

warning: .dynamic section for "/usr/lib/x86_64-linux-gnu/libidn2.so.0" is not at the expected address (wrong library or version mismatch?)
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `/usr/lib/cups/cgi-bin/printers.cgi'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  __strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:65
65      ../sysdeps/x86_64/multiarch/strlen-avx2.S: Datei oder Verzeichnis nicht gefunden.
(gdb) set width 0
(gdb) set pagination off
(gdb) bt
#0  __strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:65
#1  0x00007f02ba505dae in __GI___strdup (s=0x0) at strdup.c:41
#2  0x0000556d4f023cdc in ?? ()
#3  0x0000556d4f0245fe in ?? ()
#4  0x0000556d4f023ee6 in ?? ()
#5  0x0000556d4f024977 in ?? ()
#6  0x0000556d4f02206e in ?? ()
#7  0x0000556d4f01f9e6 in ?? ()
#8  0x00007f02ba4a209b in __libc_start_main (main=0x556d4f01f680, argc=2, argv=0x7fffd5510498, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffd5510488) at ../csu/libc-start.c:308
#9  0x0000556d4f0200fa in ?? ()
(gdb) q




$ gdb -q /usr/lib/cups/cgi-bin/printers.cgi --core 2020-02-27_cups-printer.cgi.4160
Reading symbols from /usr/lib/cups/cgi-bin/printers.cgi...Reading symbols from /usr/lib/debug/.build-id/f2/da8c3c2ab95bc3fd62cfdfdb7d22b155e92e05.debug...done.
done.
[New LWP 4160]

warning: .dynamic section for "/usr/lib/x86_64-linux-gnu/libidn2.so.0" is not at the expected address (wrong library or version mismatch?)
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `/usr/lib/cups/cgi-bin/printers.cgi'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  __strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:65
65      ../sysdeps/x86_64/multiarch/strlen-avx2.S: Datei oder Verzeichnis nicht gefunden.
(gdb) set width 0
(gdb) set pagination off
(gdb) directory /home/benutzer/source/cups/orig/cups-2.2.10/cgi-bin
Source directories searched: /home/benutzer/source/cups/orig/cups-2.2.10/cgi-bin:$cdir:$cwd
(gdb) bt
#0  __strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:65
#1  0x00007f02ba505dae in __GI___strdup (s=0x0) at strdup.c:41
#2  0x0000556d4f025055 in cgiGetArray (name=name@entry=0x7fffd550ce11 "job_name", element=element@entry=0) at var.c:171
#3  0x0000556d4f023cdc in cgi_copy (out=out@entry=0x7f02ba63a760 <_IO_2_1_stdout_>, in=in@entry=0x556d4f068590, element=element@entry=0, term=term@entry=125 '}', indent=indent@entry=4) at template.c:299
#4  0x0000556d4f0245fe in cgi_copy (out=out@entry=0x7f02ba63a760 <_IO_2_1_stdout_>, in=in@entry=0x556d4f068590, element=element@entry=0, term=term@entry=125 '}', indent=indent@entry=2) at template.c:348
#5  0x0000556d4f023ee6 in cgi_copy (out=0x7f02ba63a760 <_IO_2_1_stdout_>, in=in@entry=0x556d4f068590, element=element@entry=0, term=term@entry=0 '\000', indent=indent@entry=0) at template.c:602
#6  0x0000556d4f024977 in cgiCopyTemplateLang (tmpl=tmpl@entry=0x556d4f027091 "jobs.tmpl") at template.c:148
#7  0x0000556d4f02206e in cgiShowJobs (http=<optimized out>, dest=0x7fffd5510ee0 "Samsung_CLX-3180_Series") at ipp-var.c:1506
#8  0x0000556d4f01f9e6 in show_printer (printer=0x7fffd5510ee0 "Samsung_CLX-3180_Series", http=0x556d4f06c370) at printers.c:540
#9  main () at printers.c:137


(gdb) bt full
#0  __strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:65
No locals.
#1  0x00007f02ba505dae in __GI___strdup (s=0x0) at strdup.c:41
        len = <optimized out>
        new = <optimized out>
#2  0x0000556d4f025055 in cgiGetArray (name=name@entry=0x7fffd550ce11 "job_name", element=element@entry=0) at var.c:171
        var = <optimized out>
#3  0x0000556d4f023cdc in cgi_copy (out=out@entry=0x7f02ba63a760 <_IO_2_1_stdout_>, in=in@entry=0x556d4f068590, element=element@entry=0, term=term@entry=125 '}', indent=indent@entry=4) at template.c:299
        ch = <optimized out>
        op = <optimized out>
        name = "?job_name\000r_name\000rted\000\000\000\220\205\006OmU\000\000 \317P\325\377\177\000\000\001\t\002OmU\000\000\000\000\000\000\000\000\000\000\027\000\000\000\000\000\000\000h\r\000\000\030\000\000\000P\225\aOmU\000\000`\252\005OmU\000\000\000\220\005OmU\000\000\300\220\005OmU\000\000@\217\005OmU\000\000\300\223\005OmU\000\000\200\216\005OmU\000\000@\231\005OmU\000\000\000\254\005OmU\000\000`\261\005OmU\000\000 \a\aOmU\000\000\340\005\aOmU\000\000\240\260\005OmU\000\000\200\002\aOmU\000\000\320S\bOmU\000\000\340\257\005OmU\000\000"...
        nameptr = 0x0
        innername = "\240\266\005OmU\000\000\340\265\005OmU\000\000\207(\255\373\000\000\000\000\244\tM\272\002\177\000\000\340\026e\272\002\177\000\000\200\246c\272\002\177", '\000' <repeats 18 times>, "\004\200\255\373\000\000\000\000#u\002OmU\000\000\000\000\000\000\000\000\000\000+u\002OmU\000\000P\320P\325\377\177\000\000\244\320P\325\377\177\000\000P\360P\325\377\177", '\000' <repeats 58 times>, "\002\000\000\000\004\000\000\000\260\177\002OmU\000\000\002", '\000' <repeats 15 times>...
        innerptr = <optimized out>
        s = <optimized out>
        value = <optimized out>
        innerval = <optimized out>
        outptr = <optimized out>
        outval = "\000\377\377\377", '\000' <repeats 20 times>, "`Wc\272\002\177\000\000\001", '\000' <repeats 24 times>, "\326P\325\377\177\000\000\360\325P\325\377\177\000\000\005\000\000\000\000\000\000\000\200\327P\325\377\177\000\000\345|\002OmU\000\000\240_c\272\002\177\000\000\022\341L\272\002\177\000\000tes/de/printer-jobs-header.t", '\000' <repeats 20 times>, "\320\321P\325\377\177\000\000\377\377\377\377\377\377\377\377\000\000\000\000\000\000\000\000\001", '\000' <repeats 31 times>...
        compare = "\000obs\000\177\000\000\001\000\000\000\000\000\000\000\377\377\377\377", '\000' <repeats 12 times>, "\377\377\377\377etVa`Wc\272\002\177\000\000\200\246c\272\002\177\000\000`Wc\272\002\177\000\000\200\246c\272\002\177\000\000\000\325b\344\025\257\000\061cgiSetVa\200\246c\272\002\177\000\000\004\000\000\000\000\000\000\000\002\000\000\000\000\000\000\000\220\347P\325\377\177\000\000\220\205\006OmU\000\000\001\000\000\000\000\000\000\000\066eX\272\002\177\000\000\060\000\000\000\060\000\000\000\230\325P\325\377\177\000\000\300\324P\325\377\177\000\000\000\325b\344\025\257\000\061\320\324P\325\377\177\000\000\275\223O\272\002\177\000\000ent_el=0"...
        result = <optimized out>
        uriencode = 0
        re = {buffer = 0x556d4f07ad30, allocated = 3531014616419325184, used = 93927965698976, syntax = 93927965623696, fastmap = 0x0, translate = 0x0, re_nsub = 140736772238774, can_be_null = 0, regs_allocated = 2, fastmap_accurate = 0, no_sub = 0, not_bol = 0, not_eol = 0, newline_anchor = 0}
#4  0x0000556d4f0245fe in cgi_copy (out=out@entry=0x7f02ba63a760 <_IO_2_1_stdout_>, in=in@entry=0x556d4f068590, element=element@entry=0, term=term@entry=125 '}', indent=indent@entry=2) at template.c:348
        i = <optimized out>
        pos = 207
        count = 100
        ch = <optimized out>
        op = <optimized out>
        name = "[job_id\000OBS\000e", '\000' <repeats 107 times>, "\020\334P\325\377\177\000\000\200\340P\325\377\177\000\000\000\000\000\000\000\000\000\000^[I\272\002\177\000\000\020:o\272\002\177\000\000\000\000\000\000\000\000\000\000\222\022u\272\002\177\000\000\000\000\000\000\000\000\000\000/+[\272\002\177\000\000@\341P\325\377\177\000\000\000"...
        nameptr = <optimized out>
        innername = "\002\000\000\000\000\000\000\000\262\336L\272\002\177\000\000\002\000\000\000\000\000\000\000\262\336L\272\002\177\000\000\000\000\000\000\000\000\000\000p\371\006OmU\000\000\001\000\000\000\000\000\000\000\005\353.\276\001\000\000\000\000\000\000\000mU\000\000\000\000\000\000\000\000\000\000\005\353\064\\_\355¯\000\325b\344\025\257\000\061", '\000' <repeats 17 times>, "\273\006OmU\000\000\000\000\000\000\000\000\000\000\003\000\000\000\000\000\000\000`\371\006OmU\000\000\000\000\000\000\000\000\000\000\332fu\272\002\177\000\000\002\000\000\000mU\000\000 \177\002OmU\000\000\002\000\000\000\377\177\000\000\260\177\002OmU\000\000\002\000\000\000\000\000\000\000x"...
        innerptr = <optimized out>
        s = <optimized out>
        value = <optimized out>
        innerval = <optimized out>
        outptr = <optimized out>
        outval = "\000PREV}\000\000\340\265\006OmU\000\000\020\333P\325\377\177\000\000\000\000\000\000\000\000\000\000\001", '\000' <repeats 23 times>, " \341P\325\377\177\000\000\020\341P\325\377\177\000\000\005\000\000\000\000\000\000\000\240\342P\325\377\177\000\000\345|\002OmU\000\000\000\000\000\000\000\000\000\000\022\341L\272\002\177\000\000\360\332P\325\377\177\000\000`\341P\325\377\177\000\000P\341P\325\377\177\000\000\003\000\000\000\000\000\000\000\240\342P\325\377\177\000\000\344w\002OmU\000\000 dc\272\002\177\000\000\022\341L\272\002\177\000\000\000\000\000\000\000\000\000\000\001\000\000\000\000\000\000\000d", '\000' <repeats 27 times>...
        compare = "0\000bs listed in ascending order.\000\344\340P\325\377\177\000\000\000\341P\325\377\177\000\000\002\000\000\000\004\000\000\000\000\325b\344\025\257\000\061\000\000\000\000\000\000\000\000\000\325b\344\025\257\000\061\004\000\000\000\000\000\000\000\200\246c\272\002\177\000\000\002", '\000' <repeats 15 times>, "\260\362P\325\377\177\000\000\220\205\006OmU\000\000\001\000\000\000\000\000\000\000\066eX\272\002\177\000\000\060\000\000\000\060\000\000\000\270\340P\325\377\177\000\000\340\337P\325\377\177\000\000\000\325b\344\025\257\000\061\360\337P\325\377\177\000\000\000\325b\344\025\257\000\061\066u\002OmU\000\000"...
        result = <optimized out>
        uriencode = <optimized out>
        re = {buffer = 0x0, allocated = 0, used = 0, syntax = 0, fastmap = 0x0, translate = 0x0, re_nsub = 0, can_be_null = 0, regs_allocated = 0, fastmap_accurate = 0, no_sub = 0, not_bol = 0, not_eol = 0, newline_anchor = 0}
#5  0x0000556d4f023ee6 in cgi_copy (out=0x7f02ba63a760 <_IO_2_1_stdout_>, in=in@entry=0x556d4f068590, element=element@entry=0, term=term@entry=0 '\000', indent=indent@entry=0) at template.c:602
        ch = <optimized out>
        op = 61 '='
        name = "#job_id\000obs\000\000U\000\000\000\000\000\000\002\177\000\000\260\354P\325\377\177\000\000\000\000\000\000\002\177\000\000\351\377\377\377\025\257\000\061\000\000\000\000\000\000\000\000`Wc\272\002\177\000\000h\r\000\000\000\000\000\000\343|\002OmU\000\000\002\000\000\000\000\000\000\000\342|\002OmU\000\000 \376\006OmU\000\000\346|\002OmU\000\000\000\252O\272\002\177\000\000\000\325b\344\025\257\000\061\000\000\000\000\000\000\000\000\220\205\006OmU\000\000\000\000\000\000\000\000\000\000\240bc\272\002\177\000\000\000\000\000\000\000\000\000\000\002\000\000\000\000\000\000\000 \376\006OmU\000\000\201\330N\272\002\177\000\000\200\260\002OmU\000\000\000"...
        nameptr = <optimized out>
        innername = "p\354P\325\377\177\000\000!\351l\272\002\177\000\000\240_c\272\002\177\000\000\022\341L\272\002\177\000\000\200\260\002OmU\000\000\214\346P\325\377\177\000\000w\002", '\000' <repeats 26 times>, "\025\257\000\061\300\346P\325\377\177\000\000\377\377\377\377\377\377\377\377\000\000\000\000\000\000\000\000\001", '\000' <repeats 15 times>, "\n\000\000\000mU\000\000 \377\377\377\377\377\377\377\250\352P\325\377\177\000\000\003\000\000\000@\000\000\000\003", '\000' <repeats 15 times>, "`Wc\272\002\177\000\000h\r\000\000\000\000\000\000\037\351l\272\002\177\000\000\002\000\000\000\000\000\000\000"...
        innerptr = <optimized out>
        s = <optimized out>
        value = <optimized out>
        innerval = <optimized out>
        outptr = <optimized out>
        outval = "100\000V}\000\000\210\270O\272\002\177\000\000\000\000\000\000\000\000\000\000\020\353P\325\377\177\000\000\017\000\000\000\000\004\000\000\060\354P\325\377\177\000\000 \354P\325\377\177\000\000&\000\000\000\000\000\000\000\260\355P\325\377\177\000\000Y}\002OmU\000\000\240_c\272\002\177\000\000\022\341L\272\002\177\000\000\310\003", '\000' <repeats 14 times>, "\a\000\000\000\000\000\000\000\320\003", '\000' <repeats 18 times>, "mU\000\000\000\350P\325\377\177\000\000\377\377\377\377\377\377\377\377\000\000\000\000\000\000\000\000\003", '\000' <repeats 11 times>, "?\000\000\000\001", '\000' <repeats 15 times>...
        compare = "0\000l\000leted\000c\272\002\177\000\000\220\205\006OmU\000\000\343#P\272\002\177", '\000' <repeats 11 times>, "\020\000\000\000\000\000\000\220\205\006OmU\000\000\220\205\006OmU\000\000\000\020\000\000\000\000\000\000:\327N\272\002\177\000\000\022\b\000\000\000\066\063\061\000\325b\344\025\257\000\061\360\352P\325\377\177\000\000\210\270O\272\002\177\000\000\000\000\000\000\000\000\000\000\036\351l\272\002\177\000\000\000\000\000\000\000\000\000\000\220\360P\325\377\177\000\000\200\360P\325\377\177\000\000\240\360P\325\377\177\000\000\220\360P\325\377\177\000\000\003\000\000\000\000\000\000\000 \362P\325\377\177\000\000\344w\002OmU\000\000\240_c\272\002\177\000\000"...
        result = <optimized out>
        uriencode = <optimized out>
        re = {buffer = 0x556d4f068590, allocated = 140736772237696, used = 140736772237680, syntax = 24, fastmap = 0x7fffd550eb00 " \362P\325\377\177", translate = 0x556d4f027ce5 "}", re_nsub = 139649693736864, can_be_null = 0, regs_allocated = 1, fastmap_accurate = 0, no_sub = 1, not_bol = 0, not_eol = 0, newline_anchor = 0}
#6  0x0000556d4f024977 in cgiCopyTemplateLang (tmpl=tmpl@entry=0x556d4f027091 "jobs.tmpl") at template.c:148
        filename = "/usr/share/cups/templates/de/jobs.tmpl\000\000.tmpl\000\000\000p\360P\325\377\177\000\000\006\000\000\000\000\000\000\000\220\362P\325\377\177\000\000\300\230\aOmU\000\000\006\000\000\000\000\000\000\000\006\000\000\000\000\000\000\000\020\367P\325\377\177\000\000\030", '\000' <repeats 15 times>, "loK\272\002\177\000\000`K\002OmU\000\000\000\000\000\000\000\000\000\000\220\362P\325\377\177\000\000\060\230\aOmU\000\000\270\360P\325\377\177\000\000\f\000\000\000\000\000\000\000\220\362P\325\377\177\000\000\060\230\aOmU\000\000\f\000\000\000\000\000\000\000"...
        locale = "/de\000UTF8\000\000\000\000\000\000\000"
        locptr = <optimized out>
        directory = 0x556d4f02b4a0 <templates> "/usr/share/cups/templates"
        lang = <optimized out>
        in = 0x556d4f068590
#7  0x0000556d4f02206e in cgiShowJobs (http=<optimized out>, dest=0x7fffd5510ee0 "Samsung_CLX-3180_Series") at ipp-var.c:1506
        i = <optimized out>
        which_jobs = <optimized out>
        request = <optimized out>
        response = 0x556d4f07af60
        jobs = 0x556d4f09ab40
        job = <optimized out>
        first = <optimized out>
        count = 175
        var = <optimized out>
        query = <optimized out>
        section = 0x556d4f05ba60 "printers"
        search = <optimized out>
        url = "ipp://localhost:631/printers/Samsung_CLX-3180_Series\000\177\000\000\020AO\271\002\177\000\000\240\363P\325\377\177\000\000\227BO\271\002\177\000\000\240\363P\325\377\177\000\000FWO\271\002\177\000\000\006\000\000\000\000\000\000\000\240\363P\325\377\177\000\000\001\000\000\000\a\000\000\000 \277c\272\002\177\000\000P\364P\325\377\177\000\000\200\311O\271\002\177\000\000\000\000\001\000\001", '\000' <repeats 148 times>...
        val = "100\000nters/Samsung_CLX-3180_Series\000er-jobs-header.tmpl\000\000\000\006\000\000\000\000\000\000\000p\373P\325\377\177\000\000\030", '\000' <repeats 15 times>, "loK\272\002\177\000\000`K\002OmU\000\000\000\000\000\000\000\000\000\000\340\372P\325\377\177\000\000\060\230\aOmU\000\000\340\370P\325\377\177\000\000\061gT\272\002\177\000\000\000\000\000\000\000\000\000\000\060\230\aOmU\000\000\r\000\000\000\000\000\000\000\000\325b\344\025\257\000\061p\373P\325\377\177\000\000\000\370P\325\377\177\000\000P\371P\325\377\177\000\000"...
#8  0x0000556d4f01f9e6 in show_printer (printer=0x7fffd5510ee0 "Samsung_CLX-3180_Series", http=0x556d4f06c370) at printers.c:540
        request = <optimized out>
        refresh = "/printers/Samsung_CLX-3180_Series\000O\272\002\177\000\000H\003Q\325\377\177\000\000\027", '\000' <repeats 15 times>, "\060\063\n\000\000\000\000\000\000\000\000\000\001\000\000\000\360\377P\325\377\177\000\000\000\000Q\325\377\177\000\000\360\324v\272\002\177\000\000\200\037\000\000\377\377\002\000\002\000\000\000\000\000\000\000\230\004Q\325\377\177\000\000\260\004Q\325\377\177\000\000ثe\272\002\177", '\000' <repeats 11 times>, "+u\272\002\177\000\000\001", '\000' <repeats 43 times>...
        response = 0x556d4f070810
        attr = <optimized out>
        uri = "ipp://localhost/printers/Samsung_CLX-3180_Series\000\000\000\000\000\000\000\000 Do\272\002\177\000\000\200\373P\325\377\177\000\000\006\026u\272\002\177\000\000\001\000\000\000\000\000\000\000\020?o\272\002\177\000\000\240\373P\325\377\177\000\000\006\026u\272\002\177\000\000\001\000\000\000\000\000\000\000\020:o\272\002\177\000\000\300\373P\325\377\177\000\000\006\026u\272\002\177\000\000\001\000\000\000\000\000\000\000\020\065o\272\002\177\000\000\340\373P\325\377\177\000\000\006\026u\272\002\177\000\000\001\000\000\000\000\000\000\000\000\060o\272\002\177\000\000\000\374P\325\377\177\000\000"...
        request = <optimized out>
        response = <optimized out>
        attr = <optimized out>
        uri = <optimized out>
        refresh = <optimized out>
#9  main () at printers.c:137
        printer = 0x7fffd5510ee0 "Samsung_CLX-3180_Series"
        user = <optimized out>
        http = 0x556d4f06c370
        request = <optimized out>
        response = <optimized out>
        attr = <optimized out>
        op = <optimized out>
        def_attrs = {0x556d4f0270f2 "printer-name", 0x556d4f02710c "printer-uri-supported"}




(gdb) up
#1  0x00007f02ba505dae in __GI___strdup (s=0x0) at strdup.c:41
41      strdup.c: Datei oder Verzeichnis nicht gefunden.
(gdb) 
#2  0x0000556d4f025055 in cgiGetArray (name=name@entry=0x7fffd550ce11 "job_name", element=element@entry=0) at var.c:171
warning: Source file is more recent than executable.
171       return (strdup(var->values[element]));
(gdb) print element
$1 = 0
(gdb) print var->values
value has been optimized out
(gdb) print name
$2 = 0x7fffd550ce11 "job_name"

(gdb) list var.c:153,172
153
154     /*
155      * 'cgiGetArray()' - Get an element from a form array.
156      */
157
158     const char *                            /* O - Element value or NULL */
159     cgiGetArray(const char *name,           /* I - Name of array variable */
160                 int        element)         /* I - Element number (0 to N) */
161     {
162       _cgi_var_t    *var;                   /* Pointer to variable */
163
164
165       if ((var = cgi_find_variable(name)) == NULL)
166         return (NULL);
167
168       if (element < 0 || element >= var->nvalues)
169         return (NULL);
170
171       return (strdup(var->values[element]));
172     }





https://sources.debian.org/src/cups/2.2.10-6+deb10u2/cgi-bin/var.c/#L171

https://sources.debian.org/src/cups/2.3.1-11/cgi-bin/var.c/#L173

https://github.com/apple/cups/commit/eda46e3aac94d42e4199d95befe99ff83afb098f
https://github.com/apple/cups/pull/5621












cp orig try1 -a
cd try1/cups-2.2.10/
wget "https://github.com/apple/cups/commit/eda46e3aac94d42e4199d95befe99ff83afb098f.patch"; -O debian/patches/eda46e3aac94d42e4199d95befe99ff83afb098f.patch
echo "eda46e3aac94d42e4199d95befe99ff83afb098f.patch" >> debian/patches/series
dpkg-buildpackage -uc


dpkg -i cups_2.2.10-6+deb10u2_amd64.deb cups-bsd_2.2.10-6+deb10u2_amd64.deb cups-client_2.2.10-6+deb10u2_amd64.deb cups-common_2.2.10-6+deb10u2_all.deb cups-core-drivers_2.2.10-6+deb10u2_amd64.deb cups-daemon_2.2.10-6+deb10u2_amd64.deb cups-ipp-utils_2.2.10-6+deb10u2_amd64.deb cups-ppdc_2.2.10-6+deb10u2_amd64.deb cups-server-common_2.2.10-6+deb10u2_all.deb libcups2_2.2.10-6+deb10u2_amd64.deb libcupsimage2_2.2.10-6+deb10u2_amd64.deb

--- End Message ---

--- Begin Message ---

To: 952684-done@bugs.debian.org

Subject: cups: segfault in printers.cgi when browsing finished jobs in the cups webpage

From: Brian Potkin <claremont102@gmail.com>

Date: Mon, 29 May 2023 18:54:42 +0100

Message-id: <29052023185243.e5965c7b0604@desktop.copernicus.org.uk>
>From the information provided by the reporter, I think it is intended
that this report be closed.

Cheers,

Brian.
--- End Message ---

Reply to:

Prev by Date: Processed: cups: “Cannot assign requested address” on VPS after hibernation
Next by Date: Debian Packages for the New Architecture
Previous by thread: Processed: cups: “Cannot assign requested address” on VPS after hibernation
Next by thread: Debian Packages for the New Architecture
Index(es):
- Date
- Thread