Debian Bug report logs - #961345
cups: daemon crashes with invalid free()

Package: cups; Maintainer for cups is Debian Printing Team <debian-printing@lists.debian.org>; Source for cups is src:cups.

Reported by: Peter Krefting <peter@softwolves.pp.se>

Date: Sat, 23 May 2020 14:00:02 UTC

Severity: normal

Tags: upstream

Found in versions cups/2.2.10-6+deb10u3, 2.3.3-1~bpo10+1

Fixed in versions 2.3.3op1-1, cups/2.2.10-6+deb10u4

Done: Didier Raboud <odyx@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/apple/cups/issues/5826



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Printing Team <debian-printing@lists.debian.org>:
Bug#961345; Package cups. (Sat, 23 May 2020 14:00:04 GMT)


Acknowledgement sent to Peter Krefting <peter@softwolves.pp.se>:
New Bug report received and forwarded. Copy sent to Debian Printing Team <debian-printing@lists.debian.org>. (Sat, 23 May 2020 14:00:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Peter Krefting <peter@softwolves.pp.se>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: cups: daemon crashes with invalid free()
Date: Sat, 23 May 2020 14:56:05 +0100
Package: cups
Version: 2.2.10-6+deb10u3
Severity: normal

After upgrading to Debian 10, the CUPS daemon keeps crashing when I try to
print. This did not happen with the version in Debian 9.

$ journalctl -u cups
-- Logs begin at Thu 2020-05-21 14:59:37 CET, end at Sat 2020-05-23 14:52:11 CET. --
maj 21 14:59:38 perkele systemd[1]: Started CUPS Scheduler.
maj 21 19:47:12 perkele cupsd[931]: free(): invalid pointer
maj 21 19:47:12 perkele systemd[1]: cups.service: Main process exited, code=killed, status=6/ABRT
maj 21 19:47:12 perkele systemd[1]: cups.service: Failed with result 'signal'.
maj 21 19:47:13 perkele systemd[1]: cups.service: Service RestartSec=100ms expired, scheduling restart.
maj 21 19:47:13 perkele systemd[1]: cups.service: Scheduled restart job, restart counter is at 1.
maj 21 19:47:13 perkele systemd[1]: Stopped CUPS Scheduler.
maj 21 19:47:13 perkele systemd[1]: Started CUPS Scheduler.
maj 21 23:00:06 perkele systemd[1]: Stopping CUPS Scheduler...
maj 21 23:00:06 perkele systemd[1]: cups.service: Succeeded.
maj 21 23:00:06 perkele systemd[1]: Stopped CUPS Scheduler.
maj 21 23:00:06 perkele systemd[1]: Started CUPS Scheduler.
maj 22 23:00:07 perkele systemd[1]: Stopping CUPS Scheduler...
maj 22 23:00:07 perkele systemd[1]: cups.service: Succeeded.
maj 22 23:00:07 perkele systemd[1]: Stopped CUPS Scheduler.
maj 22 23:00:07 perkele systemd[1]: Started CUPS Scheduler.
maj 23 14:46:08 perkele cupsd[32076]: free(): invalid pointer
maj 23 14:46:08 perkele systemd[1]: cups.service: Main process exited, code=killed, status=6/ABRT
maj 23 14:46:38 perkele systemd[1]: cups.service: Failed with result 'signal'.
maj 23 14:46:39 perkele systemd[1]: cups.service: Service RestartSec=100ms expired, scheduling restart.
maj 23 14:46:39 perkele systemd[1]: cups.service: Scheduled restart job, restart counter is at 1.
maj 23 14:46:39 perkele systemd[1]: Stopped CUPS Scheduler.
maj 23 14:46:39 perkele systemd[1]: Started CUPS Scheduler.
maj 23 14:47:35 perkele cupsd[5698]: free(): invalid pointer
maj 23 14:47:35 perkele systemd[1]: cups.service: Main process exited, code=killed, status=6/ABRT
maj 23 14:47:35 perkele systemd[1]: cups.service: Failed with result 'signal'.
maj 23 14:47:35 perkele systemd[1]: cups.service: Service RestartSec=100ms expired, scheduling restart.
maj 23 14:47:35 perkele systemd[1]: cups.service: Scheduled restart job, restart counter is at 2.
maj 23 14:47:35 perkele systemd[1]: Stopped CUPS Scheduler.
maj 23 14:47:35 perkele systemd[1]: Started CUPS Scheduler.
maj 23 14:47:38 perkele cupsd[5797]: free(): invalid pointer
maj 23 14:47:38 perkele systemd[1]: cups.service: Main process exited, code=killed, status=6/ABRT
maj 23 14:48:02 perkele systemd[1]: cups.service: Failed with result 'signal'.
maj 23 14:48:03 perkele systemd[1]: cups.service: Service RestartSec=100ms expired, scheduling restart.
maj 23 14:48:03 perkele systemd[1]: cups.service: Scheduled restart job, restart counter is at 3.
maj 23 14:48:03 perkele systemd[1]: Stopped CUPS Scheduler.
maj 23 14:48:03 perkele systemd[1]: Started CUPS Scheduler.
maj 23 14:49:12 perkele cupsd[5838]: free(): invalid pointer
maj 23 14:49:12 perkele systemd[1]: cups.service: Main process exited, code=killed, status=6/ABRT
maj 23 14:50:42 perkele systemd[1]: cups.service: State 'stop-sigterm' timed out. Killing.
maj 23 14:50:42 perkele systemd[1]: cups.service: Killing process 5845 (pdftops) with signal SIGKILL.
maj 23 14:50:42 perkele systemd[1]: cups.service: Killing process 5846 (http) with signal SIGKILL.
maj 23 14:50:42 perkele systemd[1]: cups.service: Killing process 5850 (pstops) with signal SIGKILL.
maj 23 14:50:42 perkele systemd[1]: cups.service: Failed with result 'signal'.
maj 23 14:50:42 perkele systemd[1]: cups.service: Service RestartSec=100ms expired, scheduling restart.
maj 23 14:50:42 perkele systemd[1]: cups.service: Scheduled restart job, restart counter is at 4.
maj 23 14:50:42 perkele systemd[1]: Stopped CUPS Scheduler.
maj 23 14:50:42 perkele systemd[1]: Started CUPS Scheduler.
$ cupsctl
_debug_logging=0
_remote_admin=0
_remote_any=0
_share_printers=0
_user_cancel_any=0
BrowseLocalProtocols=dnssd
DefaultAuthType=Basic
JobPrivateAccess=default
JobPrivateValues=default
MaxLogSize=0
SubscriptionPrivateAccess=default
SubscriptionPrivateValues=default
WebInterface=Yes

-- System Information:
Debian Release: 10.4
  APT prefers stable
  APT policy: (700, 'stable'), (500, 'stable-updates')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-9-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=sv, LC_CTYPE=sv (charmap=UTF-8) (ignored: LC_ALL set to sv_SE.utf8), LANGUAGE=sv_SE.utf8:sv:nb_NO.utf8:nb:da_DK.utf8:da:nn_NO.utf8:nn:en_GB.utf8:en_US.utf8:en (charmap=UTF-8) (ignored: LC_ALL set to sv_SE.utf8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages cups depends on:
ii  cups-client            2.2.10-6+deb10u3
ii  cups-common            2.2.10-6+deb10u3
ii  cups-core-drivers      2.2.10-6+deb10u3
ii  cups-daemon            2.2.10-6+deb10u3
ii  cups-filters           1.21.6-5
ii  cups-ppdc              2.2.10-6+deb10u3
ii  cups-server-common     2.2.10-6+deb10u3
ii  debconf [debconf-2.0]  1.5.71
ii  ghostscript            9.27~dfsg-2+deb10u3
ii  libavahi-client3       0.7-4+b1
ii  libavahi-common3       0.7-4+b1
ii  libc6                  2.28-10
ii  libcups2               2.2.10-6+deb10u3
ii  libcupsimage2          2.2.10-6+deb10u3
ii  libgcc1                1:8.3.0-6
ii  libstdc++6             8.3.0-6
ii  libusb-1.0-0           2:1.0.22-2
ii  poppler-utils          0.71.0-5
ii  procps                 2:3.3.15-2

Versions of packages cups recommends:
ii  avahi-daemon                     0.7-4+b1
ii  colord                           1.4.3-4
ii  cups-filters [ghostscript-cups]  1.21.6-5
ii  printer-driver-gutenprint        5.3.1-7

Versions of packages cups suggests:
ii  cups-bsd                                   2.2.10-6+deb10u3
pn  cups-pdf                                   <none>
ii  foomatic-db-compressed-ppds [foomatic-db]  20181217-2
ii  hplip                                      3.18.12+dfsg0-2
ii  printer-driver-hpcups                      3.18.12+dfsg0-2
pn  smbclient                                  <none>
ii  udev                                       241-7~deb10u4

-- debconf information:
  cupsys/raw-print: true
  cupsys/backend: lpd, socket, usb, snmp, dnssd
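
The crash pattern in the journal excerpt above (an allocator message from the daemon, then systemd reporting status=6/ABRT and a restart) can be picked out of a journal dump automatically. The following is an added example, not part of the original report or of CUPS; the sample lines, hostname and PIDs are constructed, and the list of glibc allocator messages goes beyond the single "free(): invalid pointer" string seen in this bug.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Short-format journal line: "<mon> <day> <time> <host> <proc>[<pid>]: <msg>".
# The month token is locale dependent ("maj" in the report), so the date is
# kept as an opaque day key instead of being parsed.
LINE_RE = re.compile(
    r"^(?P<day>\S+ +\d+) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# Messages glibc prints before abort() when a heap integrity check fails.
HEAP_RE = re.compile(
    r"^(free\(\): invalid (pointer|size)"
    r"|free\(\): double free detected in tcache 2"
    r"|double free or corruption \(.+\)"
    r"|munmap_chunk\(\): invalid pointer"
    r"|malloc\(\): memory corruption"
    r"|corrupted size vs\. prev_size)"
)
ABRT_RE = re.compile(
    r"^(?P<unit>\S+\.service): Main process exited, code=killed, status=6/ABRT$"
)
RESTART_RE = re.compile(
    r"^(?P<unit>\S+\.service): Scheduled restart job, "
    r"restart counter is at (?P<n>\d+)\.$"
)


@dataclass
class Crash:
    day: str
    time: str
    unit: str
    process: str
    pid: Optional[int]
    reason: str


def find_heap_aborts(journal_text):
    """Return (crashes, restarts): allocator aborts and max restart counter per unit."""
    crashes, restarts = [], {}
    pending = {}  # host -> last allocator message not yet matched to an ABRT
    for raw in journal_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # e.g. the "-- Logs begin at ..." header
        host, proc, msg = m["host"], m["proc"], m["msg"]
        if proc != "systemd":
            if HEAP_RE.match(msg):
                pid = int(m["pid"]) if m["pid"] else None
                pending[host] = (m["day"], m["time"], proc, pid, msg)
            continue
        abrt = ABRT_RE.match(msg)
        if abrt:
            seen = pending.pop(host, None)
            # Only count an ABRT preceded by an allocator message on the same
            # day; other aborts (failed assertions, for instance) are skipped.
            if seen and seen[0] == m["day"]:
                day, time, process, pid, reason = seen
                crashes.append(Crash(day, time, abrt["unit"], process, pid, reason))
            continue
        restart = RESTART_RE.match(msg)
        if restart:
            unit, n = restart["unit"], int(restart["n"])
            restarts[unit] = max(n, restarts.get(unit, 0))
    return crashes, restarts


def crash_loops(crashes, threshold):
    """Return (unit, day, count) for each unit/day with at least `threshold` aborts."""
    counts = Counter((c.unit, c.day) for c in crashes)
    return [(unit, day, n) for (unit, day), n in counts.items() if n >= threshold]


# Constructed sample in the format of the excerpt above.
SAMPLE_JOURNAL = """\
-- Logs begin at Thu 2020-05-21 14:59:37 CET. --
maj 23 14:46:08 host1 cupsd[1001]: free(): invalid pointer
maj 23 14:46:08 host1 systemd[1]: cups.service: Main process exited, code=killed, status=6/ABRT
maj 23 14:46:39 host1 systemd[1]: cups.service: Scheduled restart job, restart counter is at 1.
maj 23 14:47:35 host1 cupsd[1002]: free(): invalid pointer
maj 23 14:47:35 host1 systemd[1]: cups.service: Main process exited, code=killed, status=6/ABRT
maj 23 14:47:35 host1 systemd[1]: cups.service: Scheduled restart job, restart counter is at 2.
maj 23 23:00:06 host1 systemd[1]: Stopping CUPS Scheduler...
maj 23 23:00:06 host1 systemd[1]: cups.service: Succeeded.
maj 24 09:10:00 host1 cupsd[1003]: double free or corruption (out)
maj 24 09:10:00 host1 systemd[1]: cups.service: Main process exited, code=killed, status=6/ABRT
"""

if __name__ == "__main__":
    found, restart_counters = find_heap_aborts(SAMPLE_JOURNAL)
    for crash in found:
        print(crash)
    print("restart counters:", restart_counters)
    print("crash loops:", crash_loops(found, threshold=2))
```

Feeding it the output of `journalctl -u cups` gives a per-day count of heap-integrity aborts, which helps decide whether a core dump or a valgrind run is worth scheduling.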



Message #10 received at 961345@bugs.debian.org:

From: Bernhard Übelacker <bernhardu@mailbox.org>
To: Peter Krefting <peter@softwolves.pp.se>
Cc: 961345@bugs.debian.org
Subject: Re: Bug#961345:cups: daemon crashes with invalid free()
Date: Mon, 25 May 2020 11:08:02 +0200
Hello Peter,
I am not involved in packaging cups, just trying to help
to collect some information.

If possible you could install the package systemd-coredump.
Then additional information might appear in the journal about
where the problem occurred, which could help identify the issue.

Kind regards,
Bernhard



Message #15 received at 961345@bugs.debian.org:

From: Ronny Adsetts <ronny.adsetts@amazinginternet.com>
To: Debian Bug Tracking System <961345@bugs.debian.org>
Subject: Re: cups: daemon crashes with invalid free()
Date: Tue, 7 Jul 2020 12:04:12 +0100
Package: cups
Version: 2.3.3-1~bpo10+1
Followup-For: Bug #961345

Dear Maintainer,

I'm running the Testing version of cups recompiled for Buster. I'm seeing the
same "invalid pointer" issue as the reporter.

Backtrace for a coredump is below. Please let me know if there's any other
information I can provide in order to help get a solution for this issue. It's
disrupting our printing significantly:

root@samba-prn-01:~# coredumpctl gdb 27338
           PID: 27338 (cupsd)
           UID: 0 (root)
           GID: 0 (root)
        Signal: 6 (ABRT)
     Timestamp: Mon 2020-07-06 17:01:15 BST (17h ago)
  Command Line: /usr/sbin/cupsd -l
    Executable: /usr/sbin/cupsd
 Control Group: /system.slice/cups.service
          Unit: cups.service
         Slice: system.slice
       Boot ID: 0fcad17ac3cd455b9f660e247188c9f5
    Machine ID: d5fab4a49a044739a79685e71c58019c
      Hostname: samba-prn-01.graysofwestminster.co.uk
       Storage: /var/lib/systemd/coredump/core.cupsd.0.0fcad17ac3cd455b9f660e247188c9f5.27338.1594051275000000.lz4
       Message: Process 27338 (cupsd) of user 0 dumped core.

                Stack trace of thread 27338:
                #0  0x00007f5c88cfb7bb __GI_raise (libc.so.6)
                #1  0x00007f5c88ce6535 __GI_abort (libc.so.6)
                #2  0x00007f5c88d3d508 __libc_message (libc.so.6)
                #3  0x00007f5c88d43c1a malloc_printerr (libc.so.6)
                #4  0x00007f5c88d4542c _int_free (libc.so.6)
                #5  0x00007f5c88ec143e n/a (libcups.so.2)
                #6  0x00007f5c88ec13a8 ippDelete (libcups.so.2)
                #7  0x000055c691e34ce4 cupsdWriteClient (cupsd)
                #8  0x000055c691e6ed37 cupsdDoSelect (cupsd)
                #9  0x000055c691e2c2f5 main (cupsd)
                #10 0x00007f5c88ce809b __libc_start_main (libc.so.6)
                #11 0x000055c691e2d5da _start (cupsd)

GNU gdb (Debian 8.2.1-2+b3) 8.2.1
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/sbin/cupsd...Reading symbols from /usr/lib/debug/.build-id/6d/c083ea4548b510e5e2e225f09345d3ef998629.debug...done.
done.
[New LWP 27338]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `/usr/sbin/cupsd -l'.
Program terminated with signal SIGABRT, Aborted.
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007f5c88ce6535 in __GI_abort () at abort.c:79
#2  0x00007f5c88d3d508 in __libc_message (action=action@entry=do_abort,
    fmt=fmt@entry=0x7f5c88e4828d "%s\n") at ../sysdeps/posix/libc_fatal.c:181
#3  0x00007f5c88d43c1a in malloc_printerr (
    str=str@entry=0x7f5c88e4643b "free(): invalid pointer") at malloc.c:5341
#4  0x00007f5c88d4542c in _int_free (av=<optimized out>, p=<optimized out>,
    have_lock=<optimized out>) at malloc.c:4165
#5  0x00007f5c88ec143e in ?? () from /lib/x86_64-linux-gnu/libcups.so.2
#6  0x00007f5c88ec13a8 in ippDelete () from /lib/x86_64-linux-gnu/libcups.so.2
#7  0x000055c691e34ce4 in cupsdWriteClient (con=0x55c692502310)
    at client.c:2563
#8  0x000055c691e6ed37 in cupsdDoSelect (timeout=<optimized out>)
    at select.c:485
#9  0x000055c691e2c2f5 in main (argc=<optimized out>, argv=<optimized out>)
    at main.c:847
(gdb) quit


Thanks for your time.

Ronny


-- System Information:
Debian Release: 10.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-8-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages cups depends on:
ii  cups-client            2.3.3-1~bpo10+1
ii  cups-common            2.3.3-1~bpo10+1
ii  cups-core-drivers      2.3.3-1~bpo10+1
ii  cups-daemon            2.3.3-1~bpo10+1
ii  cups-filters           1.27.4-1
ii  cups-ppdc              2.3.3-1~bpo10+1
ii  cups-server-common     2.3.3-1~bpo10+1
ii  debconf [debconf-2.0]  1.5.71
ii  ghostscript            9.27~dfsg-2+deb10u3
ii  libavahi-client3       0.7-4+b1
ii  libavahi-common3       0.7-4+b1
ii  libc6                  2.28-10
ii  libcups2               2.3.3-1~bpo10+1
ii  libgcc1                1:8.3.0-6
ii  libstdc++6             8.3.0-6
ii  libusb-1.0-0           2:1.0.22-2
ii  poppler-utils          0.71.0-5
ii  procps                 2:3.3.15-2

Versions of packages cups recommends:
ii  avahi-daemon  0.7-4+b1
ii  colord        1.4.3-4

Versions of packages cups suggests:
pn  cups-bsd                                   <none>
pn  cups-pdf                                   <none>
pn  foomatic-db-compressed-ppds | foomatic-db  <none>
pn  smbclient                                  <none>
ii  udev                                       241-7~deb10u4

-- debconf information:
  cupsys/backend: lpd, socket, usb, snmp, dnssd
  cupsys/raw-print: true


Message #20 received at 961345@bugs.debian.org:

From: Bernhard Übelacker <bernhardu@mailbox.org>
To: Ronny Adsetts <ronny.adsetts@amazinginternet.com>
Cc: 961345@bugs.debian.org, Peter Krefting <peter@softwolves.pp.se>
Subject: Re: Bug#961345: cups: daemon crashes with invalid free()
Date: Sat, 22 Aug 2020 14:33:55 +0200
Hello Ronny,
sorry for the delay.
You wrote you recompiled - then I guess your build directory should
also contain the libcups2-dbgsym and cups-daemon-dbgsym packages.

If you still get this crash, could you install these dbgsym packages
from your build and recreate that backtrace in coredumpctl?
A 'bt full' could contain some details too.

Otherwise running cupsd within valgrind could also give some hints.


This bug might describe the same issue, unfortunately also without solution:
    https://bugs.launchpad.net/ubuntu/+source/cups/+bug/1846334
    https://bugs.launchpad.net/ubuntu/+source/cups/+bug/1826648
    https://marc.info/?l=openbsd-ports&m=157331902608071&w=2

Kind regards,
Bernhard


https://sources.debian.org/src/cups/2.3.3-2/cups/ipp.c/#L1729
https://sources.debian.org/src/cups/2.3.3-2/scheduler/client.c/#L2244



Message #25 received at 961345@bugs.debian.org:

From: Ronny Adsetts <ronny.adsetts@amazinginternet.com>
To: Bernhard Übelacker <bernhardu@mailbox.org>
Cc: 961345@bugs.debian.org, Peter Krefting <peter@softwolves.pp.se>
Subject: Re: Bug#961345: cups: daemon crashes with invalid free()
Date: Mon, 24 Aug 2020 12:12:15 +0100
Bernhard Übelacker wrote on 22/08/2020 13:33:
> 
> sorry for the delay.

No problem at all.

> You wrote you recompiled - then I guess your build directory should
> also contain the libcups2-dbgsym and cups-daemon-dbgsym packages.

Yes. I'd already installed libcups2-dbgsym. I've now installed cups-daemon-dbgsym too.

> If you still get this crash, could you install these dbgsym packages
> from your build and recreate that backtrace in coredumpctl?
> A 'bt full' could contain some details too.

We're getting the crash 50-100 times a day on a weekday so no problem reproducing...

The "bt full" on a recent crash:

root@samba-prn-01:~# coredumpctl gdb 22744
           PID: 22744 (cupsd)
           UID: 0 (root)
           GID: 0 (root)
        Signal: 6 (ABRT)
     Timestamp: Mon 2020-08-24 11:41:07 BST (3min 32s ago)
  Command Line: /usr/sbin/cupsd -l
    Executable: /usr/sbin/cupsd
 Control Group: /system.slice/cups.service
          Unit: cups.service
         Slice: system.slice
       Boot ID: e7b5643e81964f88b7b34a712caf323a
    Machine ID: d5fab4a49a044739a79685e71c58019c
      Hostname: samba-prn-01.graysofwestminster.co.uk
       Storage: /var/lib/systemd/coredump/core.cupsd.0.e7b5643e81964f88b7b34a712caf323a.22744.1598265667000000.lz4
       Message: Process 22744 (cupsd) of user 0 dumped core.

                Stack trace of thread 22744:
                #0  0x00007f4c25f2f7bb __GI_raise (libc.so.6)
                #1  0x00007f4c25f1a535 __GI_abort (libc.so.6)
                #2  0x00007f4c25f71508 __libc_message (libc.so.6)
                #3  0x00007f4c25f77c1a malloc_printerr (libc.so.6)
                #4  0x00007f4c25f7942c _int_free (libc.so.6)
                #5  0x00007f4c260f543e n/a (libcups.so.2)
                #6  0x00007f4c260f53a8 ippDelete (libcups.so.2)
                #7  0x0000558e8fde4ce4 cupsdWriteClient (cupsd)
                #8  0x0000558e8fe1ed37 cupsdDoSelect (cupsd)
                #9  0x0000558e8fddc2f5 main (cupsd)
                #10 0x00007f4c25f1c09b __libc_start_main (libc.so.6)
                #11 0x0000558e8fddd5da _start (cupsd)

GNU gdb (Debian 8.2.1-2+b3) 8.2.1
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/sbin/cupsd...Reading symbols from /usr/lib/debug/.build-id/6d/c083ea4548b510e5e2e225f09345d3ef998629.debug...done.
done.
[New LWP 22744]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `/usr/sbin/cupsd -l'.
Program terminated with signal SIGABRT, Aborted.
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bnt full
Undefined command: "bnt".  Try "help".
(gdb) bt full
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
        set = {__val = {0, 1, 1023, 139965031776793, 140733120872449,
            94070787803904, 94070787803904, 94070787803904, 94070787803904,
            94070787803932, 94070787804927, 94070787803904, 94070787804927,
            16322178772337255680, 140732327528640, 140732327528640}}
        pid = <optimized out>
        tid = <optimized out>
        ret = <optimized out>
#1  0x00007f4c25f1a535 in __GI_abort () at abort.c:79
        save_stage = 1
        act = {__sigaction_handler = {sa_handler = 0x3000000030,
            sa_sigaction = 0x3000000030}, sa_mask = {__val = {140732327529160,
              140732327528912, 16322178772337255680, 94070792526160,
              16322178772337255680, 0, 139965031440801, 209,
              16322178772337255680, 208, 94070790887360, 94070790879152,
              94070787745283, 140732327529024, 140732327529056,
              140732327529312}}, sa_flags = -865858976, sa_restorer = 0x1000}
        sigs = {__val = {32, 0 <repeats 15 times>}}
#2  0x00007f4c25f71508 in __libc_message (action=action@entry=do_abort,
    fmt=fmt@entry=0x7f4c2607c28d "%s\n") at ../sysdeps/posix/libc_fatal.c:181
        ap = {{gp_offset = 24, fp_offset = 0,
            overflow_arg_area = 0x7ffecc640b70,
            reg_save_area = 0x7ffecc640b00}}
        fd = 2
        list = <optimized out>
        nlist = <optimized out>
        cp = <optimized out>
        written = <optimized out>
#3  0x00007f4c25f77c1a in malloc_printerr (
    str=str@entry=0x7f4c2607a43b "free(): invalid pointer") at malloc.c:5341
No locals.
#4  0x00007f4c25f7942c in _int_free (av=<optimized out>, p=<optimized out>,
    have_lock=<optimized out>) at malloc.c:4165
        size = 4294967296
        fb = <optimized out>
        nextchunk = <optimized out>
        nextsize = <optimized out>
        nextinuse = <optimized out>
        prevsize = <optimized out>
--Type <RET> for more, q to quit, c to continue without paging--c
        bck = <optimized out>
        fwd = <optimized out>
        __PRETTY_FUNCTION__ = "_int_free"
#5  0x00007f4c260f543e in ipp_free_values (attr=attr@entry=0x558e903207d0, element=element@entry=0, count=1) at ipp.c:6324
        i = <optimized out>
        value = 0x558e903207f0
#6  0x00007f4c260f53a8 in ippDelete (ipp=0x558e90317170) at ipp.c:1755
        attr = 0x558e903207d0
        next = 0x558e902d2310
        attr = <optimized out>
        next = <optimized out>
#7  ippDelete (ipp=0x558e90317170) at ipp.c:1729
        attr = <optimized out>
        next = <optimized out>
#8  0x0000558e8fde4ce4 in cupsdWriteClient (con=0x558e90351530) at client.c:2563
        bytes = <optimized out>
        field_col = <optimized out>
        bufptr = <optimized out>
        bufend = <optimized out>
        ipp_state = <optimized out>
#9  0x0000558e8fe1ed37 in cupsdDoSelect (timeout=<optimized out>) at select.c:485
        i = <optimized out>
        event = 0x7f4c247a9010
        nfds = 1
        fdptr = 0x558e902c1950
        pfd = <optimized out>
        count = <optimized out>
#10 0x0000558e8fddc2f5 in main (argc=<optimized out>, argv=<optimized out>) at main.c:847
        i = 2
        opt = <optimized out>
        close_all = <optimized out>
        disconnect = <optimized out>
        fg = <optimized out>
        run_as_child = <optimized out>
        print_profile = <optimized out>
        fds = 1
        con = <optimized out>
        job = <optimized out>
        lis = <optimized out>
        current_time = <optimized out>
        activity = <optimized out>
        senddoc_time = 1598265667
        expire_time = 1598265667
        report_time = 0
        event_time = 1598265646
        timeout = 1
        limit = {rlim_cur = 524288, rlim_max = 524288}
        action = {__sigaction_handler = {sa_handler = 0x558e8fdf34a0 <sigterm_handler>, sa_sigaction = 0x558e8fdf34a0 <sigterm_handler>}, sa_mask = {__val = {81920, 0 <repeats 15 times>}}, sa_flags = 0, sa_restorer = 0x0}
        netif_time = 1598265627
        service_idle_exit = 0
(gdb)


> Otherwise running cupsd within valgrind could also give some hints.

I'll see if I can do this. I'll have to schedule some down time so it won't be immediate (or possibly even quick).

> This bug might describe the same issue, unfortunately also without solution:
>     https://bugs.launchpad.net/ubuntu/+source/cups/+bug/1846334
>     https://bugs.launchpad.net/ubuntu/+source/cups/+bug/1826648
>     https://marc.info/?l=openbsd-ports&m=157331902608071&w=2

The first two, certainly, look the same.

It might be a coincidence, but both the Launchpad bugs seem to be Samsung printers, which is what we currently have. Could a bad PPD be causing this?

> https://sources.debian.org/src/cups/2.3.3-2/cups/ipp.c/#L1729
> https://sources.debian.org/src/cups/2.3.3-2/scheduler/client.c/#L2244

Looks like we're hitting the default part of the case statement that frees memory and then trying to free the invalid pointer:

https://sources.debian.org/src/cups/2.3.3-2/cups/ipp.c/#L6324

My C foo is insufficient to get much further than this I'm afraid.

Thanks.

Ronny
-- 
Ronny Adsetts
Technical Director
Amazing Internet Ltd, London
t: +44 20 8977 8943
w: www.amazinginternet.com

Registered office: 85 Waldegrave Park, Twickenham, TW1 4TJ
Registered in England. Company No. 4042957


Message #30 received at 961345@bugs.debian.org:

From: Bernhard Übelacker <bernhardu@mailbox.org>
To: Ronny Adsetts <ronny.adsetts@amazinginternet.com>
Cc: 961345@bugs.debian.org, Peter Krefting <peter@softwolves.pp.se>
Subject: Re: Bug#961345: cups: daemon crashes with invalid free()
Date: Tue, 25 Aug 2020 03:18:57 +0200
Hello Ronny,


Am 24.08.20 um 13:12 schrieb Ronny Adsetts:

> The "bt full" on a recent crash:

Unfortunately I cannot find anything striking.



>> Otherwise running cupsd within valgrind could also give some hints.
> 
> I'll see if I can do this. I'll have to schedule some down time so it won't be immediate (or possibly even quick).

I tried to run it in a VM and tested with some virtual PDF and PS printer.
Following were the configuration changes to have it run under valgrind.

    nano /lib/systemd/system/cups.service

        -ExecStart=/usr/sbin/cupsd -l
        +# ExecStart=/usr/sbin/cupsd -l
        +ExecStart=/usr/bin/valgrind --trace-children=no /usr/sbin/cupsd -l
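
Review bot: the ExecStart change is made directly in /lib/systemd/system/cups.service, the packaged copy of the unit, so a package upgrade can replace it and the wrapper is easy to leave behind on a production print server. Put the override in a drop-in created with `systemctl edit cups.service` instead, with an empty `ExecStart=` line before the valgrind `ExecStart=` line to clear the original command; `systemctl revert cups.service` then undoes it cleanly. The valgrind line also has no `--log-file=` option, so its report ends up interleaved with cupsd's own output in the journal.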

    systemctl daemon-reload
    systemctl stop cups.service
    systemctl start cups.service


But I don't know if that might create a problem performance wise.


I have tried to build with AddressSanitizer, but the build itself makes
trouble and the resulting binary is not able to print...


Kind regards,
Bernhard





Message #35 received at 961345@bugs.debian.org:

From: Ronny Adsetts <ronny.adsetts@amazinginternet.com>
To: Bernhard Übelacker <bernhardu@mailbox.org>
Cc: 961345@bugs.debian.org, Peter Krefting <peter@softwolves.pp.se>
Subject: Re: Bug#961345: cups: daemon crashes with invalid free()
Date: Tue, 25 Aug 2020 09:14:48 +0100
Morning Bernard,

Bernhard Übelacker wrote on 25/08/2020 02:18:
> Am 24.08.20 um 13:12 schrieb Ronny Adsetts:

>>> Otherwise running cupsd within valgrind could also give some
>>> hints.
>> 
>> I'll see if I can do this. I'll have to schedule some down time so
>> it won't be immediate (or possibly even quick).
> 
> I tried to run it in a VM and tested with some virtual PDF and PS
> printer. Following were the configuration changes to have it run
> under valgrind.
> 
> nano /lib/systemd/system/cups.service
> 
> -ExecStart=/usr/sbin/cupsd -l +# ExecStart=/usr/sbin/cupsd -l 
> +ExecStart=/usr/bin/valgrind --trace-children=no /usr/sbin/cupsd -l
> 
> systemctl daemon-reload systemctl stop cups.service systemctl start
> cups.service
> 
> But I don't know if that might create a problem performance wise.
> 
> I have tried to build with AddressSanitizer, but the build itself
> makes trouble and the resulting binary is not able to print...

I've never used valgrind before. How long should I run it this way for? How do I get the result of running it to send to you?

Sorry for the newbie questions. :-).

Ronny

-- 
Ronny Adsetts
Technical Director
Amazing Internet Ltd, London
t: +44 20 8977 8943
w: www.amazinginternet.com

Registered office: 85 Waldegrave Park, Twickenham, TW1 4TJ
Registered in England. Company No. 4042957


Message #40 received at 961345@bugs.debian.org:

From: Bernhard Übelacker <bernhardu@mailbox.org>
To: Ronny Adsetts <ronny.adsetts@amazinginternet.com>
Cc: 961345@bugs.debian.org, Peter Krefting <peter@softwolves.pp.se>
Subject: Re: Bug#961345: cups: daemon crashes with invalid free()
Date: Tue, 25 Aug 2020 10:34:58 +0200
Hello Ronny

Am 25.08.20 um 10:14 schrieb Ronny Adsetts:

>> I tried to run it in a VM and tested with some virtual PDF and PS
>> printer. Following were the configuration changes to have it run
>> under valgrind.
>>
>> nano /lib/systemd/system/cups.service
>>
>> -ExecStart=/usr/sbin/cupsd -l +# ExecStart=/usr/sbin/cupsd -l 
>> +ExecStart=/usr/bin/valgrind --trace-children=no /usr/sbin/cupsd -l
>>
>> systemctl daemon-reload
>> systemctl stop cups.service
>> systemctl start cups.service
>>
>> But I don't know if that might create a problem performance wise.
>>
>> I have tried to build with AddressSanitizer, but the build itself
>> makes trouble and the resulting binary is not able to print...
> 
> I've never used valgrind before. How long should I run it this way for? How do I get the result of running it to send to you?
> 

Adding the line above would just appear in 'journalctl -e -u cups.service'.
Otherwise one could add the option '--log-file=/tmp/valgrind' to redirect
and separate the additional output of valgrind.

I have also not yet run valgrind that way, but I would expect either the crash
to happen the same way, so the process would end and maybe be automatically restarted.

It might also just print something and continue or the issue does not happen
at all when running under valgrind, I cannot be sure.

Kind regards,
Bernhard



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Printing Team <debian-printing@lists.debian.org>:
Bug#961345; Package cups. (Tue, 25 Aug 2020 09:06:02 GMT) (full text, mbox, link).


Acknowledgement sent to Ronny Adsetts <ronny.adsetts@amazinginternet.com>:
Extra info received and forwarded to list. Copy sent to Debian Printing Team <debian-printing@lists.debian.org>. (Tue, 25 Aug 2020 09:06:03 GMT) (full text, mbox, link).


Message #45 received at 961345@bugs.debian.org (full text, mbox, reply):

From: Ronny Adsetts <ronny.adsetts@amazinginternet.com>
To: Bernhard Übelacker <bernhardu@mailbox.org>
Cc: 961345@bugs.debian.org, Peter Krefting <peter@softwolves.pp.se>
Subject: Re: Bug#961345: cups: daemon crashes with invalid free()
Date: Tue, 25 Aug 2020 10:02:03 +0100
Bernhard Übelacker wrote on 25/08/2020 09:34:
> 
> Adding the line above would just appear in 'journalctl -e -u cups.service'.
> Otherwise one could add the option '--log-file=/tmp/valgrind' to redirect
> and separate the additional output of valgrind.
> 
> I have also not yet run valgrind that way, but I would expect either the crash
> to happen the same way, so the process would end and maybe be automatically restarted.
> 
> It might also just print something and continue or the issue does not happen
> at all when running under valgrind, I cannot be sure.

OK, thanks. I have cups running under valgrind. Running a test print from a Windows 10 box triggers the error and Valgrind gives this output:

Aug 25 09:49:17 samba-prn-01 systemd[1]: Started CUPS Scheduler.
Aug 25 09:49:17 samba-prn-01 valgrind[28088]: ==28088== Memcheck, a memory error detector
Aug 25 09:49:17 samba-prn-01 valgrind[28088]: ==28088== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
Aug 25 09:49:17 samba-prn-01 valgrind[28088]: ==28088== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info
Aug 25 09:49:17 samba-prn-01 valgrind[28088]: ==28088== Command: /usr/sbin/cupsd -l
Aug 25 09:49:17 samba-prn-01 valgrind[28088]: ==28088==
Aug 25 09:49:17 samba-prn-01 valgrind[28088]: --28088-- WARNING: Serious error when reading debug info
Aug 25 09:49:17 samba-prn-01 valgrind[28088]: --28088-- When reading debug info from /usr/sbin/cupsd:
Aug 25 09:49:17 samba-prn-01 valgrind[28088]: --28088--    debuginfo section duplicates a section in the main ELF file
Aug 25 09:56:32 samba-prn-01 valgrind[28088]: ==28088== Invalid free() / delete / delete[] / realloc()
Aug 25 09:56:32 samba-prn-01 valgrind[28088]: ==28088==    at 0x48369AB: free (vg_replace_malloc.c:530)
Aug 25 09:56:32 samba-prn-01 valgrind[28088]: ==28088==    by 0x4A2443D: ipp_free_values (ipp.c:6324)
Aug 25 09:56:32 samba-prn-01 valgrind[28088]: ==28088==    by 0x4A243A7: ippDelete (ipp.c:1755)
Aug 25 09:56:32 samba-prn-01 valgrind[28088]: ==28088==    by 0x4A243A7: ippDelete (ipp.c:1729)
Aug 25 09:56:32 samba-prn-01 valgrind[28088]: ==28088==    by 0x11CCE3: ??? (in /usr/sbin/cupsd)
Aug 25 09:56:32 samba-prn-01 valgrind[28088]: ==28088==  Address 0x65f1e94 is 4 bytes inside a block of size 23 alloc'd
Aug 25 09:56:32 samba-prn-01 valgrind[28088]: ==28088==    at 0x4837B65: calloc (vg_replace_malloc.c:752)
Aug 25 09:56:32 samba-prn-01 valgrind[28088]: ==28088==    by 0x4A34DD0: _cupsStrAlloc (string.c:107)
Aug 25 09:56:32 samba-prn-01 valgrind[28088]: ==28088==    by 0x4A234F5: ippAddString (ipp.c:957)
Aug 25 09:56:32 samba-prn-01 valgrind[28088]: ==28088==    by 0x13076D: ??? (in /usr/sbin/cupsd)
Aug 25 09:56:32 samba-prn-01 valgrind[28088]: ==28088==    by 0x5AC5261: ???
Aug 25 09:56:32 samba-prn-01 valgrind[28088]: ==28088==    by 0x5F44D23F: ???
Aug 25 09:56:32 samba-prn-01 valgrind[28088]: ==28088==

Does that give any further insight?

Ronny

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Printing Team <debian-printing@lists.debian.org>:
Bug#961345; Package cups. (Tue, 25 Aug 2020 10:54:03 GMT) (full text, mbox, link).


Acknowledgement sent to Bernhard Übelacker <bernhardu@mailbox.org>:
Extra info received and forwarded to list. Copy sent to Debian Printing Team <debian-printing@lists.debian.org>. (Tue, 25 Aug 2020 10:54:03 GMT) (full text, mbox, link).


Message #50 received at 961345@bugs.debian.org (full text, mbox, reply):

From: Bernhard Übelacker <bernhardu@mailbox.org>
To: Ronny Adsetts <ronny.adsetts@amazinginternet.com>
Cc: 961345@bugs.debian.org, Peter Krefting <peter@softwolves.pp.se>
Subject: Re: Bug#961345: cups: daemon crashes with invalid free()
Date: Tue, 25 Aug 2020 12:50:51 +0200
On 25.08.20 at 11:02, Ronny Adsetts wrote:
> Aug 25 09:56:32 samba-prn-01 valgrind[28088]: ==28088==    by 0x13076D: ??? (in /usr/sbin/cupsd)
> Aug 25 09:56:32 samba-prn-01 valgrind[28088]: ==28088==    by 0x5AC5261: ???
> Aug 25 09:56:32 samba-prn-01 valgrind[28088]: ==28088==    by 0x5F44D23F: ???
> Aug 25 09:56:32 samba-prn-01 valgrind[28088]: ==28088==
> 
> Does that give any further insight?

Is the cups-daemon-dbgsym installed and from the same
source as the cups-daemon package?

Does the following command show the same BuildID?

Kind regards,
Bernhard

# file /usr/sbin/cupsd /usr/lib/debug/.build-id/8a/de7144c28e948515ffa5b45d70e4e02e008e17.debug
/usr/sbin/cupsd:                                                          ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=8ade7144c28e948515ffa5b45d70e4e02e008e17, stripped
/usr/lib/debug/.build-id/8a/de7144c28e948515ffa5b45d70e4e02e008e17.debug: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter *empty*, for GNU/Linux 3.2.0, BuildID[sha1]=8ade7144c28e948515ffa5b45d70e4e02e008e17, with debug_info, not stripped
# dpkg -S de7144c28e948515ffa5b45d70e4e02e008e17
cups-daemon-dbgsym: /usr/lib/debug/.build-id/8a/de7144c28e948515ffa5b45d70e4e02e008e17.debug



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Printing Team <debian-printing@lists.debian.org>:
Bug#961345; Package cups. (Tue, 25 Aug 2020 11:09:05 GMT) (full text, mbox, link).


Acknowledgement sent to Ronny Adsetts <ronny.adsetts@amazinginternet.com>:
Extra info received and forwarded to list. Copy sent to Debian Printing Team <debian-printing@lists.debian.org>. (Tue, 25 Aug 2020 11:09:05 GMT) (full text, mbox, link).


Message #55 received at 961345@bugs.debian.org (full text, mbox, reply):

From: Ronny Adsetts <ronny.adsetts@amazinginternet.com>
To: Bernhard Übelacker <bernhardu@mailbox.org>
Cc: 961345@bugs.debian.org, Peter Krefting <peter@softwolves.pp.se>
Subject: Re: Bug#961345: cups: daemon crashes with invalid free()
Date: Tue, 25 Aug 2020 12:06:05 +0100
Bernhard Übelacker wrote on 25/08/2020 11:50:
> On 25.08.20 at 11:02, Ronny Adsetts wrote:
>> Aug 25 09:56:32 samba-prn-01 valgrind[28088]: ==28088==    by 0x13076D: ??? (in /usr/sbin/cupsd)
>> Aug 25 09:56:32 samba-prn-01 valgrind[28088]: ==28088==    by 0x5AC5261: ???
>> Aug 25 09:56:32 samba-prn-01 valgrind[28088]: ==28088==    by 0x5F44D23F: ???
>> Aug 25 09:56:32 samba-prn-01 valgrind[28088]: ==28088==
>>
>> Does that give any further insight?
> 
> Is the cups-daemon-dbgsym installed and from the same
> source as the cups-daemon package?

Yes, appears to be:

root@samba-prn-01:~# dpkg -l cups-daemon cups-daemon-dbgsym
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name               Version         Architecture Description
+++-==================-===============-============-============================
ii  cups-daemon        2.3.3-1~bpo10+1 amd64        Common UNIX Printing System(
ii  cups-daemon-dbgsym 2.3.3-1~bpo10+1 amd64        debug symbols for cups-daemo

> Does the following command show the same BuildID?
> 
> # file /usr/sbin/cupsd /usr/lib/debug/.build-id/8a/de7144c28e948515ffa5b45d70e4e02e008e17.debug
> /usr/sbin/cupsd:                                                          ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=8ade7144c28e948515ffa5b45d70e4e02e008e17, stripped
> /usr/lib/debug/.build-id/8a/de7144c28e948515ffa5b45d70e4e02e008e17.debug: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter *empty*, for GNU/Linux 3.2.0, BuildID[sha1]=8ade7144c28e948515ffa5b45d70e4e02e008e17, with debug_info, not stripped

> # dpkg -S de7144c28e948515ffa5b45d70e4e02e008e17
> cups-daemon-dbgsym: /usr/lib/debug/.build-id/8a/de7144c28e948515ffa5b45d70e4e02e008e17.debug

The BuildID is different (probably as I rebuilt) but it seems to be right:

root@samba-prn-01:~# file /usr/sbin/cupsd /usr/lib/debug/.build-id/6d/*| grep 6dc083ea4548b510e5e2e225f09345d3ef998629
/usr/sbin/cupsd:                                                          ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=6dc083ea4548b510e5e2e225f09345d3ef998629, stripped
/usr/lib/debug/.build-id/6d/c083ea4548b510e5e2e225f09345d3ef998629.debug: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter *empty*, for GNU/Linux 3.2.0, BuildID[sha1]=6dc083ea4548b510e5e2e225f09345d3ef998629, with debug_info, not stripped

root@samba-prn-01:~# dpkg -S c083ea4548b510e5e2e225f09345d3ef998629
cups-daemon-dbgsym: /usr/lib/debug/.build-id/6d/c083ea4548b510e5e2e225f09345d3ef998629.debug

It's beyond me why the debug symbols are not being picked up.

Ronny

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Printing Team <debian-printing@lists.debian.org>:
Bug#961345; Package cups. (Tue, 25 Aug 2020 12:45:02 GMT) (full text, mbox, link).


Acknowledgement sent to Ronny Adsetts <ronny.adsetts@amazinginternet.com>:
Extra info received and forwarded to list. Copy sent to Debian Printing Team <debian-printing@lists.debian.org>. (Tue, 25 Aug 2020 12:45:02 GMT) (full text, mbox, link).


Message #60 received at 961345@bugs.debian.org (full text, mbox, reply):

From: Ronny Adsetts <ronny.adsetts@amazinginternet.com>
To: Bernhard Übelacker <bernhardu@mailbox.org>
Cc: 961345@bugs.debian.org, Peter Krefting <peter@softwolves.pp.se>
Subject: Re: Bug#961345: cups: daemon crashes with invalid free()
Date: Tue, 25 Aug 2020 13:40:43 +0100
Bernhard Übelacker wrote on 25/08/2020 11:50:
> On 25.08.20 at 11:02, Ronny Adsetts wrote:
>> Aug 25 09:56:32 samba-prn-01 valgrind[28088]: ==28088==    by 0x13076D: ??? (in /usr/sbin/cupsd)
>> Aug 25 09:56:32 samba-prn-01 valgrind[28088]: ==28088==    by 0x5AC5261: ???
>> Aug 25 09:56:32 samba-prn-01 valgrind[28088]: ==28088==    by 0x5F44D23F: ???
>> Aug 25 09:56:32 samba-prn-01 valgrind[28088]: ==28088==
>>
>> Does that give any further insight?
> 
> Is the cups-daemon-dbgsym installed and from the same
> source as the cups-daemon package?
> 
> Does the following command show the same BuildID?

The lack of debug symbols in valgrind could possibly be this bug - the symptoms appear to be the same:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942614

My output from valgrind contained this:

Aug 25 09:49:17 samba-prn-01 valgrind[28088]: --28088-- WARNING: Serious error when reading debug info
Aug 25 09:49:17 samba-prn-01 valgrind[28088]: --28088-- When reading debug info from /usr/sbin/cupsd:
Aug 25 09:49:17 samba-prn-01 valgrind[28088]: --28088--    debuginfo section duplicates a section in the main ELF file

In which case a backport of valgrind would be dead handy. :-).

Ronny

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Printing Team <debian-printing@lists.debian.org>:
Bug#961345; Package cups. (Tue, 25 Aug 2020 21:09:02 GMT) (full text, mbox, link).


Acknowledgement sent to Bernhard Übelacker <bernhardu@mailbox.org>:
Extra info received and forwarded to list. Copy sent to Debian Printing Team <debian-printing@lists.debian.org>. (Tue, 25 Aug 2020 21:09:02 GMT) (full text, mbox, link).


Message #65 received at 961345@bugs.debian.org (full text, mbox, reply):

From: Bernhard Übelacker <bernhardu@mailbox.org>
To: Ronny Adsetts <ronny.adsetts@amazinginternet.com>
Cc: 961345@bugs.debian.org, Peter Krefting <peter@softwolves.pp.se>
Subject: Re: Bug#961345: cups: daemon crashes with invalid free()
Date: Tue, 25 Aug 2020 23:07:40 +0200
On 25.08.20 at 14:40, Ronny Adsetts wrote:
> In which case a backport of valgrind would be dead handy. :-).


You might be able to build one yourself:
(maybe inside a VM too, because several build dependencies get installed ...)


# Buster/stable amd64 qemu VM 2020-08-25
apt update
apt build-dep valgrind
apt install devscripts
mkdir /home/benutzer/source/valgrind/orig -p
cd    /home/benutzer/source/valgrind/orig
dget http://deb.debian.org/debian/pool/main/v/valgrind/valgrind_3.16.1-1.dsc
cd ..
cp -a orig try1
cd try1/valgrind-3.16.1
sed -i 's/debhelper-compat (= 13)/debhelper-compat (= 12)/' debian/control
dpkg-buildpackage

cd /home/benutzer/source/valgrind/try1
apt install libc6-dbg
dpkg -i valgrind_3.16.1-1_amd64.deb


Just tested with a few installed executables ...

Kind regards,
Bernhard



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Printing Team <debian-printing@lists.debian.org>:
Bug#961345; Package cups. (Wed, 26 Aug 2020 15:03:02 GMT) (full text, mbox, link).


Acknowledgement sent to Ronny Adsetts <ronny.adsetts@amazinginternet.com>:
Extra info received and forwarded to list. Copy sent to Debian Printing Team <debian-printing@lists.debian.org>. (Wed, 26 Aug 2020 15:03:02 GMT) (full text, mbox, link).


Message #70 received at 961345@bugs.debian.org (full text, mbox, reply):

From: Ronny Adsetts <ronny.adsetts@amazinginternet.com>
To: Bernhard Übelacker <bernhardu@mailbox.org>
Cc: 961345@bugs.debian.org, Peter Krefting <peter@softwolves.pp.se>
Subject: Re: Bug#961345: cups: daemon crashes with invalid free()
Date: Wed, 26 Aug 2020 15:59:48 +0100
Bernhard Übelacker wrote on 25/08/2020 22:07:
> On 25.08.20 at 14:40, Ronny Adsetts wrote:
>> In which case a backport of valgrind would be dead handy. :-).
> 
> You might be able to build one yourself:
> (maybe inside a VM too, because several build dependencies get installed ...)
[...]

Thanks. I rebuilt it fine. Results look much better:

Aug 26 15:42:57 samba-prn-01 systemd[1]: Started CUPS Scheduler.
Aug 26 15:42:57 samba-prn-01 valgrind[31788]: ==31788== Memcheck, a memory error detector
Aug 26 15:42:57 samba-prn-01 valgrind[31788]: ==31788== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
Aug 26 15:42:57 samba-prn-01 valgrind[31788]: ==31788== Using Valgrind-3.16.1 and LibVEX; rerun with -h for copyright info
Aug 26 15:42:57 samba-prn-01 valgrind[31788]: ==31788== Command: /usr/sbin/cupsd -l
Aug 26 15:42:57 samba-prn-01 valgrind[31788]: ==31788==
Aug 26 15:55:14 samba-prn-01 valgrind[31788]: ==31788== Invalid free() / delete / delete[] / realloc()
Aug 26 15:55:14 samba-prn-01 valgrind[31788]: ==31788==    at 0x48369AB: free (vg_replace_malloc.c:538)
Aug 26 15:55:14 samba-prn-01 valgrind[31788]: ==31788==    by 0x4A2443D: ipp_free_values (ipp.c:6324)
Aug 26 15:55:14 samba-prn-01 valgrind[31788]: ==31788==    by 0x4A243A7: ippDelete (ipp.c:1755)
Aug 26 15:55:14 samba-prn-01 valgrind[31788]: ==31788==    by 0x4A243A7: ippDelete (ipp.c:1729)
Aug 26 15:55:14 samba-prn-01 valgrind[31788]: ==31788==    by 0x11CCE3: cupsdWriteClient (client.c:2563)
Aug 26 15:55:14 samba-prn-01 valgrind[31788]: ==31788==    by 0x156D36: cupsdDoSelect (select.c:485)
Aug 26 15:55:14 samba-prn-01 valgrind[31788]: ==31788==    by 0x1142F4: main (main.c:847)
Aug 26 15:55:14 samba-prn-01 valgrind[31788]: ==31788==  Address 0x68f1e04 is 4 bytes inside a block of size 23 alloc'd
Aug 26 15:55:14 samba-prn-01 valgrind[31788]: ==31788==    at 0x4837B65: calloc (vg_replace_malloc.c:760)
Aug 26 15:55:14 samba-prn-01 valgrind[31788]: ==31788==    by 0x4A34DD0: _cupsStrAlloc (string.c:107)
Aug 26 15:55:14 samba-prn-01 valgrind[31788]: ==31788==    by 0x4A234F5: ippAddString (ipp.c:957)
Aug 26 15:55:14 samba-prn-01 valgrind[31788]: ==31788==    by 0x13076D: copy_printer_attrs (ipp.c:4894)
Aug 26 15:55:14 samba-prn-01 valgrind[31788]: ==31788==    by 0x13DCCD: get_printer_attrs (ipp.c:7365)
Aug 26 15:55:14 samba-prn-01 valgrind[31788]: ==31788==    by 0x13DCCD: cupsdProcessIPPRequest (ipp.c:457)
Aug 26 15:55:14 samba-prn-01 valgrind[31788]: ==31788==    by 0x11DD24: cupsdReadClient (client.c:1812)
Aug 26 15:55:14 samba-prn-01 valgrind[31788]: ==31788==    by 0x156C04: cupsdDoSelect (select.c:480)
Aug 26 15:55:14 samba-prn-01 valgrind[31788]: ==31788==    by 0x1142F4: main (main.c:847)
Aug 26 15:55:14 samba-prn-01 valgrind[31788]: ==31788==

Hopefully this gives you something more helpful to go on...

Thanks again for all your time and energy on this so far.

Ronny


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Printing Team <debian-printing@lists.debian.org>:
Bug#961345; Package cups. (Wed, 26 Aug 2020 22:15:03 GMT) (full text, mbox, link).


Acknowledgement sent to Bernhard Übelacker <bernhardu@mailbox.org>:
Extra info received and forwarded to list. Copy sent to Debian Printing Team <debian-printing@lists.debian.org>. (Wed, 26 Aug 2020 22:15:03 GMT) (full text, mbox, link).


Message #75 received at 961345@bugs.debian.org (full text, mbox, reply):

From: Bernhard Übelacker <bernhardu@mailbox.org>
To: Ronny Adsetts <ronny.adsetts@amazinginternet.com>
Cc: 961345@bugs.debian.org, Peter Krefting <peter@softwolves.pp.se>
Subject: Re: Bug#961345: cups: daemon crashes with invalid free()
Date: Thu, 27 Aug 2020 00:10:22 +0200
Hello Ronny,
I tried to have a look and I get the feeling that there
is a disagreement if the attribute "printer-alert" is of type
IPP_TAG_TEXT or IPP_TAG_STRING.

Also it is the only line I found at a glance that calls
ippAddString with an IPP_TAG_STRING.

Other attributes of type IPP_TAG_STRING seem to get added
by a call to ippAddOctetString.

But still I am not sure which of STRING or TEXT is the right one.

The patch below is an attempt to add "printer-alert" in copy_printer_attrs
by using ippAddOctetString.
The important change is in scheduler/ipp.c, the changes to backend/ipp.c
should just mark another questionable place.
I could not test this change as I can not reproduce
the crash - so it is untested.

Kind regards,
Bernhard






Invalid free() / delete / delete[] / realloc()
   at 0x48369AB: free (vg_replace_malloc.c:538)
   by 0x4A2443D: ipp_free_values (ipp.c:6324)            https://sources.debian.org/src/cups/2.3.3-2/cups/ipp.c/#L6324
   by 0x4A243A7: ippDelete (ipp.c:1755)                  https://sources.debian.org/src/cups/2.3.3-2/cups/ipp.c/#L1755
   by 0x4A243A7: ippDelete (ipp.c:1729)                  https://sources.debian.org/src/cups/2.3.3-2/cups/ipp.c/#L1729
   by 0x11CCE3: cupsdWriteClient (client.c:2563)         https://sources.debian.org/src/cups/2.3.3-2/scheduler/client.c/#L2563
   by 0x156D36: cupsdDoSelect (select.c:485)             https://sources.debian.org/src/cups/2.3.3-2/scheduler/select.c/#L485
   by 0x1142F4: main (main.c:847)                        https://sources.debian.org/src/cups/2.3.3-2/scheduler/main.c/#L847
 Address 0x68f1e04 is 4 bytes inside a block of size 23 alloc'd
   at 0x4837B65: calloc (vg_replace_malloc.c:760)
   by 0x4A34DD0: _cupsStrAlloc (string.c:107)            https://sources.debian.org/src/cups/2.3.3-2/cups/string.c/#L107
   by 0x4A234F5: ippAddString (ipp.c:957)                https://sources.debian.org/src/cups/2.3.3-2/cups/ipp.c/#L957
   by 0x13076D: copy_printer_attrs (ipp.c:4894)          https://sources.debian.org/src/cups/2.3.3-2/scheduler/ipp.c/#L4894
   by 0x13DCCD: get_printer_attrs (ipp.c:7365)           https://sources.debian.org/src/cups/2.3.3-2/scheduler/ipp.c/#L7365
   by 0x13DCCD: cupsdProcessIPPRequest (ipp.c:457)       https://sources.debian.org/src/cups/2.3.3-2/scheduler/ipp.c/#L457
   by 0x11DD24: cupsdReadClient (client.c:1812)          https://sources.debian.org/src/cups/2.3.3-2/scheduler/client.c/#L1812
   by 0x156C04: cupsdDoSelect (select.c:480)             https://sources.debian.org/src/cups/2.3.3-2/scheduler/select.c/#L480
   by 0x1142F4: main (main.c:847)                        https://sources.debian.org/src/cups/2.3.3-2/scheduler/main.c/#L847



./backend/ipp.c:3081:  if ((pa = ippFindAttribute(ipp, "printer-alert", IPP_TAG_TEXT)) != NULL)
./cups/encode.c:317:  { 1, "printer-alert",             IPP_TAG_STRING,         IPP_TAG_PRINTER },
./scheduler/ipp.c:4893:  if (printer->alert && (!ra || cupsArrayFind(ra, "printer-alert")))    ippAddString(con->response, IPP_TAG_PRINTER, IPP_TAG_STRING, "printer-alert", NULL, printer->alert);
./scheduler/job.c:5276: CUPSD_EVENT_PRINTER_STATE ???



diff --git a/backend/ipp.c b/backend/ipp.c
index a99079e..94fb701 100644
--- a/backend/ipp.c
+++ b/backend/ipp.c
@@ -3026,6 +3026,7 @@ report_attr(ipp_attribute_t *attr)        /* I - Attribute */
           valptr += strlen(valptr);
           break;
 
+      case IPP_TAG_STRING :
       default :
          /*
          * Unsupported value type...
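Review bot: the new `case IPP_TAG_STRING :` label in report_attr sits directly above `default :` and falls through into the "Unsupported value type" branch, so it changes no behaviour. If it is only meant as a marker, say so in a comment next to the label; if "printer-alert" is really an octet string, the case needs its own body that formats the value and ends with `break`.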
@@ -3078,7 +3079,7 @@ report_printer_state(ipp_t *ipp)  /* I - IPP response */
   * Report alerts and messages...
   */
 
-  if ((pa = ippFindAttribute(ipp, "printer-alert", IPP_TAG_TEXT)) != NULL)
+  if ((pa = ippFindAttribute(ipp, "printer-alert", IPP_TAG_STRING)) != NULL)
     report_attr(pa);
 
   if ((pam = ippFindAttribute(ipp, "printer-alert-message",
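Review bot: switching the lookup in report_printer_state from IPP_TAG_TEXT to IPP_TAG_STRING means a "printer-alert" that arrives as text no longer matches, while one that does match is handed to report_attr, where the previous hunk routes IPP_TAG_STRING into the "Unsupported value type" branch. Since the message itself is unsure which of STRING or TEXT is right, it would be safer to accept either here (for example look up with IPP_TAG_ZERO and then check the value tag) and to make sure report_attr can format whichever one arrives.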
diff --git a/scheduler/ipp.c b/scheduler/ipp.c
index 2fe3bf2..1494ecf 100644
--- a/scheduler/ipp.c
+++ b/scheduler/ipp.c
@@ -4891,7 +4891,7 @@ copy_printer_attrs(
   }
 
   if (printer->alert && (!ra || cupsArrayFind(ra, "printer-alert")))
-    ippAddString(con->response, IPP_TAG_PRINTER, IPP_TAG_STRING, "printer-alert", NULL, printer->alert);
+    ippAddOctetString(con->response, IPP_TAG_PRINTER, "printer-alert", printer->alert, (int)strlen(printer->alert));
 
   if (printer->alert_description && (!ra || cupsArrayFind(ra, "printer-alert-description")))
     ippAddString(con->response, IPP_TAG_PRINTER, IPP_TAG_TEXT, "printer-alert-description", NULL, printer->alert_description);
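Review bot: the change in copy_printer_attrs fixes this one caller, but ippAddString itself would still accept IPP_TAG_STRING, so any other caller passing that tag recreates the mismatch the valgrind trace shows (block allocated through _cupsStrAlloc, released with plain free() in ipp_free_values). A short comment above the new ippAddOctetString line saying why "printer-alert" is not added with ippAddString would keep it from being "tidied" back, and it is worth asking upstream whether ippAddString should reject IPP_TAG_STRING outright.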




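The mismatch discussed in the message above, as an added example that is not part of the original message or of CUPS: a simplified model in which a pooled string is stored under an octet-string tag, so the destructor hands free() a pointer inside the allocated block. All type and function names are hypothetical, and the 4-byte reference-count header is an assumption chosen to match the "4 bytes inside a block of size 23" line in the valgrind trace.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed model of a pooled string: a reference count sits in front of the
 * characters, so the caller's pointer is offsetof(pool_item_t, str) bytes
 * inside the calloc'd block. */
typedef struct { unsigned ref_count; char str[1]; } pool_item_t;

/* Hypothetical stand-ins for IPP_TAG_STRING (octetString) and IPP_TAG_TEXT. */
typedef enum { TAG_OCTET_STRING, TAG_TEXT } tag_t;
typedef struct { tag_t tag; void *data; } value_t;

/* Small allocation registry: lets the example report what free() would be
 * handed instead of aborting the process. */
#define MAX_BLOCKS 8
static struct { void *base; size_t size; } blocks[MAX_BLOCKS];
static size_t last_bad_block_size;      /* size of the block hit by a bad free */

static void *tracked_calloc(size_t size)
{
    void *p = calloc(1, size);
    for (int i = 0; p && i < MAX_BLOCKS; i++)
        if (!blocks[i].base) { blocks[i].base = p; blocks[i].size = size; return p; }
    free(p);                            /* registry full or calloc failed */
    return NULL;
}

/* Returns 0 after a valid free, the offset into the owning block for an
 * interior pointer (an "invalid free"), or -1 for an unknown pointer. */
static long checked_free(void *ptr)
{
    uintptr_t p = (uintptr_t)ptr;
    for (int i = 0; i < MAX_BLOCKS; i++) {
        uintptr_t base = (uintptr_t)blocks[i].base;
        if (!base) continue;
        if (p == base) { free(blocks[i].base); blocks[i].base = NULL; return 0; }
        if (p > base && p < base + blocks[i].size) {
            last_bad_block_size = blocks[i].size;
            return (long)(p - base);
        }
    }
    return -1;
}

static char *pool_alloc(const char *s)
{
    char *block = tracked_calloc(sizeof(pool_item_t) + strlen(s));
    if (!block) return NULL;
    ((pool_item_t *)(void *)block)->ref_count = 1;
    memcpy(block + offsetof(pool_item_t, str), s, strlen(s) + 1);
    return block + offsetof(pool_item_t, str);   /* interior pointer */
}

static long pool_release(char *s)
{
    pool_item_t *item = (pool_item_t *)(void *)(s - offsetof(pool_item_t, str));
    return --item->ref_count ? 0 : checked_free(item);
}

/* Models a text adder that stores a pooled pointer whatever tag it is given. */
static void add_string(value_t *v, tag_t tag, const char *s)
{
    v->tag = tag;
    v->data = pool_alloc(s);
}

/* Models an octet-string adder: a private buffer, released with free(). */
static void add_octet_string(value_t *v, const void *data, size_t len)
{
    v->tag = TAG_OCTET_STRING;
    v->data = tracked_calloc(len ? len : 1);
    if (v->data) memcpy(v->data, data, len);
}

/* The destructor trusts the tag to pick the release routine. */
static long free_value(value_t *v)
{
    if (!v->data) return -1;
    return v->tag == TAG_TEXT ? pool_release(v->data) : checked_free(v->data);
}

static const char ALERT[] = "constructed-val";   /* constructed, 15 chars */

long demo_mismatch(void)                /* pooled string, octet-string tag */
{
    value_t v;
    add_string(&v, TAG_OCTET_STRING, ALERT);
    long r = free_value(&v);            /* interior pointer reaches free() */
    if (v.data) pool_release(v.data);   /* clean up through the right routine */
    return r;
}

long demo_octet(void)                   /* adder and tag agree: octet string */
{
    value_t v;
    add_octet_string(&v, ALERT, strlen(ALERT));
    return free_value(&v);
}

long demo_text(void)                    /* adder and tag agree: text */
{
    value_t v;
    add_string(&v, TAG_TEXT, ALERT);
    return free_value(&v);
}

int main(void)
{
    long off = demo_mismatch();
    printf("mismatch: free() target is %ld bytes inside a block of size %zu\n",
           off, last_bad_block_size);
    printf("octet adder: %ld, text adder: %ld (0 = valid free)\n",
           demo_octet(), demo_text());
    return 0;
}
```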
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Printing Team <debian-printing@lists.debian.org>:
Bug#961345; Package cups. (Thu, 27 Aug 2020 10:27:03 GMT) (full text, mbox, link).


Acknowledgement sent to Ronny Adsetts <ronny.adsetts@amazinginternet.com>:
Extra info received and forwarded to list. Copy sent to Debian Printing Team <debian-printing@lists.debian.org>. (Thu, 27 Aug 2020 10:27:03 GMT) (full text, mbox, link).


Message #80 received at 961345@bugs.debian.org (full text, mbox, reply):

From: Ronny Adsetts <ronny.adsetts@amazinginternet.com>
To: Bernhard Übelacker <bernhardu@mailbox.org>
Cc: 961345@bugs.debian.org, Peter Krefting <peter@softwolves.pp.se>
Subject: Re: Bug#961345: cups: daemon crashes with invalid free()
Date: Thu, 27 Aug 2020 11:25:01 +0100
Bernhard Übelacker wrote on 26/08/2020 23:10:
[...]
> 
> Below patch is an attempt to add "printer-alert" in
> copy_printer_attrs by using ippAddOctetString.
> 
> The important change is in scheduler/ipp.c, the changes to
> backend/ipp.c should just mark another questionable place.
> 
> I could not test this change as I can not reproduce the crash - so it
> is untested.

Hi Bernhard,

Thanks for the patch. After figuring out using "quilt refresh" I got a source package built with the patch included. Unfortunately my build attempt in cowbuilder hits this bug:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=916433

With this test fail:

httpAddrGetList(backports.graysofwestminster.co.uk): FAIL

I obviously managed to "fix" this once as I already built the package once. Going back through my google history to try and "fix" it again. And make a note of it this time. :-).

I don't suppose you have any pointers on solving this one do you? Probably something missing in the build chroot...

Thanks.

Ronny


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Printing Team <debian-printing@lists.debian.org>:
Bug#961345; Package cups. (Thu, 27 Aug 2020 11:03:02 GMT) (full text, mbox, link).


Acknowledgement sent to Bernhard Übelacker <bernhardu@mailbox.org>:
Extra info received and forwarded to list. Copy sent to Debian Printing Team <debian-printing@lists.debian.org>. (Thu, 27 Aug 2020 11:03:02 GMT) (full text, mbox, link).


Message #85 received at 961345@bugs.debian.org (full text, mbox, reply):

From: Bernhard Übelacker <bernhardu@mailbox.org>
To: Ronny Adsetts <ronny.adsetts@amazinginternet.com>
Cc: 961345@bugs.debian.org, Peter Krefting <peter@softwolves.pp.se>
Subject: Re: Bug#961345: cups: daemon crashes with invalid free()
Date: Thu, 27 Aug 2020 13:00:48 +0200
Hello Ronny,
unfortunately I don't have any pointers on that httpAddrGetList.

So you were able to build a package?


One additional note: I guess with "quilt refresh" any new changes
get added to the last patch. A 'dpkg-source --commit' would create
a new separate patch file.

Kind regards,
Bernhard




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Printing Team <debian-printing@lists.debian.org>:
Bug#961345; Package cups. (Thu, 27 Aug 2020 11:12:03 GMT) (full text, mbox, link).


Acknowledgement sent to Ronny Adsetts <ronny.adsetts@amazinginternet.com>:
Extra info received and forwarded to list. Copy sent to Debian Printing Team <debian-printing@lists.debian.org>. (Thu, 27 Aug 2020 11:12:03 GMT) (full text, mbox, link).


Message #90 received at 961345@bugs.debian.org (full text, mbox, reply):

From: Ronny Adsetts <ronny.adsetts@amazinginternet.com>
To: Bernhard Übelacker <bernhardu@mailbox.org>
Cc: 961345@bugs.debian.org, Peter Krefting <peter@softwolves.pp.se>
Subject: Re: Bug#961345: cups: daemon crashes with invalid free()
Date: Thu, 27 Aug 2020 12:09:12 +0100
Bernhard Übelacker wrote on 27/08/2020 12:00:
> unfortunately I don't have any pointers on that httpAddrGetList.
> 
> So you were able to build a package?

Yes, I patched out the fail (typo included for free):

Index: cups-2.3.3/cups/testhttp.c
===================================================================
--- cups-2.3.3.orig/cups/testhttp.c     2020-04-27 18:04:29.000000000 +0000
+++ cups-2.3.3/cups/testhttp.c  2020-08-27 10:48:23.991753579 +0000
@@ -416,8 +416,10 @@
     }
     else
     {
-      failures ++;
-      puts("FAIL");
+      // Comment out the following failure as something in
+      // cowbuilder causes it to fail
+      //failures ++;
+      puts("FAIL (ignored because user of cowbuilder results in a fail");
     }

    /*
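Review bot: commenting out `failures ++;` in cups/testhttp.c turns off the failure count for every path into this else branch, not only the cowbuilder case, so a real regression in this check would now pass the build. Keep this as a local-only patch or skip the check conditionally in the build environment; the new `puts` string also has an unclosed parenthesis and "user of" for "use of", and the `//` comments differ from the `/*` style visible in the surrounding context.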

:-).

I'll install the patched packages outside of office hours and give them a test. I might be able to do this today, otherwise it will be first thing in the morning.

> One additional note: I guess with "quilt refresh" any new changes
> get added to the last patch. A 'dpkg-source --commit' would create a
> new separate patch file.

I figured out creating new patches with quilt eventually. :-). This page was most useful:

https://raphaelhertzog.com/2012/08/08/how-to-use-quilt-to-manage-patches-in-debian-packages/

Ronny

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Printing Team <debian-printing@lists.debian.org>:
Bug#961345; Package cups. (Fri, 28 Aug 2020 09:15:03 GMT) (full text, mbox, link).


Acknowledgement sent to Ronny Adsetts <ronny.adsetts@amazinginternet.com>:
Extra info received and forwarded to list. Copy sent to Debian Printing Team <debian-printing@lists.debian.org>. (Fri, 28 Aug 2020 09:15:03 GMT) (full text, mbox, link).


Message #95 received at 961345@bugs.debian.org (full text, mbox, reply):

From: Ronny Adsetts <ronny.adsetts@amazinginternet.com>
To: Bernhard Übelacker <bernhardu@mailbox.org>
Cc: 961345@bugs.debian.org, Peter Krefting <peter@softwolves.pp.se>
Subject: Re: Bug#961345: cups: daemon crashes with invalid free()
Date: Fri, 28 Aug 2020 10:12:52 +0100
Bernhard Übelacker wrote on 26/08/2020 23:10:
> 
> I tried to have a look and I get the feeling that there is a
> disagreement if the attribute "printer-alert" is of type IPP_TAG_TEXT
> or IPP_TAG_STRING.
> 
> Also it is the only line I found at a glance that calls ippAddString
> with an IPP_TAG_STRING.
> 
> Other attributes of type IPP_TAG_STRING seem to get added by a call
> to ippAddOctetString.
> 
> But still I am not sure which of STRING or TEXT is the right one.
> 
> Below patch is an attempt to add "printer-alert" in
> copy_printer_attrs by using ippAddOctetString.
> 
> The important change is in scheduler/ipp.c, the changes to
> backend/ipp.c should just mark another questionable place.
> 
> I could not test this change as I can not reproduce the crash - so it
> is untested.

Hi Bernhard,

So running with the patched cups packages seems to fix the "invalid free" on a test print. I've restored the systemd service file to remove valgrind so let's see how we go on a day's printing. :-).

Incidentally, stopping the cups service (new packages) after a single print job when under valgrind gave this in case it's related:

Aug 28 10:03:59 samba-prn-01.graysofwestminster.co.uk systemd[1]: Stopping CUPS Scheduler...
Aug 28 10:04:00 samba-prn-01.graysofwestminster.co.uk valgrind[5238]: ==5238== Invalid free() / delete / delete[] / realloc()
Aug 28 10:04:00 samba-prn-01.graysofwestminster.co.uk valgrind[5238]: ==5238==    at 0x48369AB: free (vg_replace_malloc.c:538)
Aug 28 10:04:00 samba-prn-01.graysofwestminster.co.uk valgrind[5238]: ==5238==    by 0x4C73629: check_free (dlerror.c:202)
Aug 28 10:04:00 samba-prn-01.graysofwestminster.co.uk valgrind[5238]: ==5238==    by 0x4C73629: check_free (dlerror.c:186)
Aug 28 10:04:00 samba-prn-01.graysofwestminster.co.uk valgrind[5238]: ==5238==    by 0x4C73AB1: free_key_mem (dlerror.c:221)
Aug 28 10:04:00 samba-prn-01.graysofwestminster.co.uk valgrind[5238]: ==5238==    by 0x4C73AB1: __dlerror_main_freeres (dlerror.c:239)
Aug 28 10:04:00 samba-prn-01.graysofwestminster.co.uk valgrind[5238]: ==5238==    by 0x4BECB71: __libc_freeres (in /usr/lib/x86_64-linux-gnu/libc-2.28.so)
Aug 28 10:04:00 samba-prn-01.graysofwestminster.co.uk valgrind[5238]: ==5238==    by 0x482B19E: _vgnU_freeres (vg_preloaded.c:75)
Aug 28 10:04:00 samba-prn-01.graysofwestminster.co.uk valgrind[5238]: ==5238==    by 0x4ABDE89: __run_exit_handlers (exit.c:132)
Aug 28 10:04:00 samba-prn-01.graysofwestminster.co.uk valgrind[5238]: ==5238==    by 0x4ABDEB9: exit (exit.c:139)
Aug 28 10:04:00 samba-prn-01.graysofwestminster.co.uk valgrind[5238]: ==5238==    by 0x4AA80A1: (below main) (libc-start.c:342)
Aug 28 10:04:00 samba-prn-01.graysofwestminster.co.uk valgrind[5238]: ==5238==  Address 0x4a5dd94 is in a r-- mapped file /usr/lib/x86_64-linux-gnu/libcups.so.2 segment
Aug 28 10:04:00 samba-prn-01.graysofwestminster.co.uk valgrind[5238]: ==5238==
Aug 28 10:04:00 samba-prn-01.graysofwestminster.co.uk valgrind[5238]: ==5238==
Aug 28 10:04:00 samba-prn-01.graysofwestminster.co.uk valgrind[5238]: ==5238== HEAP SUMMARY:
Aug 28 10:04:00 samba-prn-01.graysofwestminster.co.uk valgrind[5238]: ==5238==     in use at exit: 829,720 bytes in 16,197 blocks
Aug 28 10:04:00 samba-prn-01.graysofwestminster.co.uk valgrind[5238]: ==5238==   total heap usage: 131,007 allocs, 114,811 frees, 25,289,313 bytes allocated
Aug 28 10:04:00 samba-prn-01.graysofwestminster.co.uk valgrind[5238]: ==5238==
Aug 28 10:04:00 samba-prn-01.graysofwestminster.co.uk valgrind[5238]: ==5238== LEAK SUMMARY:
Aug 28 10:04:00 samba-prn-01.graysofwestminster.co.uk valgrind[5238]: ==5238==    definitely lost: 51,468 bytes in 519 blocks
Aug 28 10:04:00 samba-prn-01.graysofwestminster.co.uk valgrind[5238]: ==5238==    indirectly lost: 65,751 bytes in 4 blocks
Aug 28 10:04:00 samba-prn-01.graysofwestminster.co.uk valgrind[5238]: ==5238==      possibly lost: 0 bytes in 0 blocks
Aug 28 10:04:00 samba-prn-01.graysofwestminster.co.uk valgrind[5238]: ==5238==    still reachable: 712,501 bytes in 15,674 blocks
Aug 28 10:04:00 samba-prn-01.graysofwestminster.co.uk valgrind[5238]: ==5238==         suppressed: 0 bytes in 0 blocks
Aug 28 10:04:00 samba-prn-01.graysofwestminster.co.uk valgrind[5238]: ==5238== Rerun with --leak-check=full to see details of leaked memory
Aug 28 10:04:00 samba-prn-01.graysofwestminster.co.uk valgrind[5238]: ==5238==
Aug 28 10:04:00 samba-prn-01.graysofwestminster.co.uk valgrind[5238]: ==5238== For lists of detected and suppressed errors, rerun with: -s
Aug 28 10:04:00 samba-prn-01.graysofwestminster.co.uk valgrind[5238]: ==5238== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Aug 28 10:04:00 samba-prn-01.graysofwestminster.co.uk systemd[1]: cups.service: Succeeded.
Aug 28 10:04:00 samba-prn-01.graysofwestminster.co.uk systemd[1]: Stopped CUPS Scheduler.
Aug 28 10:04:12 samba-prn-01.graysofwestminster.co.uk systemd[1]: Started CUPS Scheduler.

Thanks.

Ronny
-- 
Ronny Adsetts
Technical Director
Amazing Internet Ltd, London
t: +44 20 8977 8943
w: www.amazinginternet.com

Registered office: 85 Waldegrave Park, Twickenham, TW1 4TJ
Registered in England. Company No. 4042957
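
The tag/allocator disagreement discussed in the quoted text above (a value added through a string call but tagged as an octet string) can be modelled in a few lines. This is an added illustration, not CUPS source and not part of any message in this report; all type and function names are hypothetical, and it assumes that text values live in a shared string pool while octet-string values are plain heap copies released with free().

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model of the mismatch, NOT CUPS source; names are hypothetical. */
typedef enum { TAG_TEXT, TAG_OCTET_STRING } tag_t;

/* Pooled string: the text sits inside a larger block, so callers hold an
 * interior pointer, never the address malloc() returned. */
typedef struct { unsigned refs; char str[1]; } pool_item_t;

typedef struct {
    tag_t tag;
    union {
        struct { char *language; char *text; } string; /* pool-owned text   */
        struct { int length; void *data; } octets;     /* malloc-owned data */
    } v;
    void *block;   /* model-only bookkeeping: true start of the heap block */
} attr_t;

/* Buggy adder: accepts any tag but always stores a pooled string. */
static int add_string(attr_t *a, tag_t tag, const char *s) {
    pool_item_t *it = malloc(sizeof(*it) + strlen(s));
    if (!it) return -1;
    it->refs = 1;
    strcpy(it->str, s);
    a->tag = tag;
    a->v.string.language = NULL;
    a->v.string.text = it->str;
    a->block = it;
    return 0;
}

/* Matching adder for octet strings: private malloc() copy plus length. */
static int add_octets(attr_t *a, const void *data, int len) {
    void *copy = len >= 0 ? malloc(len ? (size_t)len : 1) : NULL;
    if (!copy) return -1;
    memcpy(copy, data, (size_t)len);
    a->tag = TAG_OCTET_STRING;
    a->v.octets.length = len;
    a->v.octets.data = copy;
    a->block = copy;
    return 0;
}

/* The pointer a tag-driven destructor would hand to free(). */
static void *ptr_destructor_frees(const attr_t *a) {
    if (a->tag == TAG_OCTET_STRING)
        return a->v.octets.data;      /* octet path: free(data) directly */
    return a->v.string.text - offsetof(pool_item_t, str); /* pool release */
}

/* 1 if that free() would receive the start of a heap block, else 0. */
static int destructor_is_safe(const attr_t *a) { return ptr_destructor_frees(a) == a->block; }
static void attr_release(attr_t *a) { free(a->block); a->block = NULL; }
```

In the mismatched case the destructor's octet-string branch reads the union slot that holds the pooled text pointer, so free() would be given an address inside a block rather than its start, which is what glibc reports as "free(): invalid pointer".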



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Printing Team <debian-printing@lists.debian.org>:
Bug#961345; Package cups. (Tue, 01 Sep 2020 16:57:04 GMT) (full text, mbox, link).


Acknowledgement sent to Bernhard Übelacker <bernhardu@mailbox.org>:
Extra info received and forwarded to list. Copy sent to Debian Printing Team <debian-printing@lists.debian.org>. (Tue, 01 Sep 2020 16:57:04 GMT) (full text, mbox, link).


Message #100 received at 961345@bugs.debian.org (full text, mbox, reply):

From: Bernhard Übelacker <bernhardu@mailbox.org>
To: Ronny Adsetts <ronny.adsetts@amazinginternet.com>
Cc: 961345@bugs.debian.org, Peter Krefting <peter@softwolves.pp.se>
Subject: Re: Bug#961345: cups: daemon crashes with invalid free()
Date: Tue, 1 Sep 2020 18:55:32 +0200
Hello Ronny,


> Incidentally, stopping the cups service (new packages) after a single print job when under valgrind gave this in case it's related:
> 
> Aug 28 10:03:59 samba-prn-01.graysofwestminster.co.uk systemd[1]: Stopping CUPS Scheduler...
> Aug 28 10:04:00 samba-prn-01.graysofwestminster.co.uk valgrind[5238]: ==5238== Invalid free() / delete / delete[] / realloc()
> Aug 28 10:04:00 samba-prn-01.graysofwestminster.co.uk valgrind[5238]: ==5238==    at 0x48369AB: free (vg_replace_malloc.c:538)
> Aug 28 10:04:00 samba-prn-01.graysofwestminster.co.uk valgrind[5238]: ==5238==    by 0x4C73629: check_free (dlerror.c:202)
> Aug 28 10:04:00 samba-prn-01.graysofwestminster.co.uk valgrind[5238]: ==5238==    by 0x4C73629: check_free (dlerror.c:186)
> Aug 28 10:04:00 samba-prn-01.graysofwestminster.co.uk valgrind[5238]: ==5238==    by 0x4C73AB1: free_key_mem (dlerror.c:221)
> Aug 28 10:04:00 samba-prn-01.graysofwestminster.co.uk valgrind[5238]: ==5238==    by 0x4C73AB1: __dlerror_main_freeres (dlerror.c:239)

This might be what is described in here:
  https://sourceware.org/bugzilla/show_bug.cgi?id=24476
And I guess not related to the original issue.

At least I could not reproduce this message
with libc6 2.31-3 in an up-to-date testing VM.


> So running with the patched cups packages seems to fix the "invalid free" on a test print. I've restored the systemd service file to remove valgrind so let's see how we go on a day's printing. :-).

Any news in this regard?


Kind regards,
Bernhard



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Printing Team <debian-printing@lists.debian.org>:
Bug#961345; Package cups. (Wed, 02 Sep 2020 08:24:02 GMT) (full text, mbox, link).


Acknowledgement sent to Ronny Adsetts <ronny.adsetts@amazinginternet.com>:
Extra info received and forwarded to list. Copy sent to Debian Printing Team <debian-printing@lists.debian.org>. (Wed, 02 Sep 2020 08:24:02 GMT) (full text, mbox, link).


Message #105 received at 961345@bugs.debian.org (full text, mbox, reply):

From: Ronny Adsetts <ronny.adsetts@amazinginternet.com>
To: Bernhard Übelacker <bernhardu@mailbox.org>
Cc: 961345@bugs.debian.org, Peter Krefting <peter@softwolves.pp.se>
Subject: Re: Bug#961345: cups: daemon crashes with invalid free()
Date: Wed, 2 Sep 2020 09:20:24 +0100
Hi Bernhard,

Bernhard Übelacker wrote on 01/09/2020 17:55:
[...]
>> So running with the patched cups packages seems to fix the "invalid
>> free" on a test print. I've restored the systemd service file to
>> remove valgrind so let's see how we go on a day's printing. :-).
> 
> Any news in this regard?

Good news. I don't see any "invalid free" reports.

Can I thank you again for your time and energy in solving this. It really is appreciated.

Let me know if there's anything I can do to help get this patch upstreamed.

Ronny
-- 
Ronny Adsetts
Technical Director
Amazing Internet Ltd, London
t: +44 20 8977 8943
w: www.amazinginternet.com

Registered office: 85 Waldegrave Park, Twickenham, TW1 4TJ
Registered in England. Company No. 4042957



Set Bug forwarded-to-address to 'https://github.com/apple/cups/issues/5826'. Request was from Bernhard Übelacker <bernhardu@mailbox.org> to control@bugs.debian.org. (Thu, 03 Sep 2020 12:39:04 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Printing Team <debian-printing@lists.debian.org>:
Bug#961345; Package cups. (Thu, 03 Sep 2020 12:45:03 GMT) (full text, mbox, link).


Acknowledgement sent to Bernhard Übelacker <bernhardu@mailbox.org>:
Extra info received and forwarded to list. Copy sent to Debian Printing Team <debian-printing@lists.debian.org>. (Thu, 03 Sep 2020 12:45:03 GMT) (full text, mbox, link).


Message #112 received at 961345@bugs.debian.org (full text, mbox, reply):

From: Bernhard Übelacker <bernhardu@mailbox.org>
To: Ronny Adsetts <ronny.adsetts@amazinginternet.com>
Cc: 961345@bugs.debian.org, Peter Krefting <peter@softwolves.pp.se>
Subject: Re: Bug#961345: cups: daemon crashes with invalid free()
Date: Thu, 3 Sep 2020 14:42:20 +0200
On 02.09.20 at 10:20, Ronny Adsetts wrote:
> Hi Bernhard,

> 
> Good news. I don't see any "invalid free" reports.
> 
> Can I thank you again for your time and energy in solving this. It really is appreciated.
> 
> Let me know if there's anything I can do to help get this patch upstreamed.
> 
> Ronny


Hello Ronny,
that's great, I have opened an issue upstream,
let's see what they think.

Kind regards,
Bernhard



Added tag(s) upstream. Request was from Bernhard Übelacker <bernhardu@mailbox.org> to control@bugs.debian.org. (Thu, 03 Sep 2020 12:45:04 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Printing Team <debian-printing@lists.debian.org>:
Bug#961345; Package cups. (Thu, 03 Sep 2020 13:09:03 GMT) (full text, mbox, link).


Acknowledgement sent to Ronny Adsetts <ronny.adsetts@amazinginternet.com>:
Extra info received and forwarded to list. Copy sent to Debian Printing Team <debian-printing@lists.debian.org>. (Thu, 03 Sep 2020 13:09:03 GMT) (full text, mbox, link).


Message #119 received at 961345@bugs.debian.org (full text, mbox, reply):

From: Ronny Adsetts <ronny.adsetts@amazinginternet.com>
To: Bernhard Übelacker <bernhardu@mailbox.org>
Cc: 961345@bugs.debian.org, Peter Krefting <peter@softwolves.pp.se>
Subject: Re: Bug#961345: cups: daemon crashes with invalid free()
Date: Thu, 3 Sep 2020 14:06:23 +0100
Bernhard Übelacker wrote on 03/09/2020 13:42:
> 
> that's great, I have opened an issue upstream, let's see what they
> think.

Thanks. I'll monitor the issue.

Ronny

-- 
Ronny Adsetts
Technical Director
Amazing Internet Ltd, London
t: +44 20 8977 8943
w: www.amazinginternet.com

Registered office: 85 Waldegrave Park, Twickenham, TW1 4TJ
Registered in England. Company No. 4042957



Reply sent to Didier 'OdyX' Raboud <odyx@debian.org>:
You have taken responsibility. (Sat, 28 Nov 2020 09:03:03 GMT) (full text, mbox, link).


Notification sent to Peter Krefting <peter@softwolves.pp.se>:
Bug acknowledged by developer. (Sat, 28 Nov 2020 09:03:03 GMT) (full text, mbox, link).


Message #124 received at 961345-done@bugs.debian.org (full text, mbox, reply):

From: Didier 'OdyX' Raboud <odyx@debian.org>
To: Ronny Adsetts <ronny.adsetts@amazinginternet.com>
Cc: Peter Krefting <peter@softwolves.pp.se>, Bernhard Übelacker <bernhardu@mailbox.org>, 961345-done@bugs.debian.org
Subject: Re: Bug#961345: cups: daemon crashes with invalid free()
Date: Sat, 28 Nov 2020 10:00:03 +0100
Version: 2.3.3op1-1

On Thursday, 3 September 2020, 14.42:20 h CET, Bernhard Übelacker wrote:
> On 02.09.20 at 10:20, Ronny Adsetts wrote:
> > Hi Bernhard,
> > 
> > 
> > Good news. I don't see any "invalid free" reports.
> > 
> > Can I thank you again for your time and energy in solving this. It really
> > is appreciated.
> > 
> > Let me know if there's anything I can do to help get this patch
> > upstreamed.
> > 
> > Ronny
> 
> Hello Ronny,
> that's great, I have opened an issue upstream,
> let's see what they think.

Thanks a lot Ronny, Bernhard and Peter for the followup and hunt on this bug!

Thanks to the upstream report, this got fixed in the OpenPrinting repository, 
was made part of the 2.3.3op1 release, and reached unstable yesterday.

I'll see whether I can backport this for a future stable update.

Best regards,
-- 
    OdyX

Reply sent to Didier Raboud <odyx@debian.org>:
You have taken responsibility. (Sat, 28 Nov 2020 19:33:03 GMT) (full text, mbox, link).


Notification sent to Peter Krefting <peter@softwolves.pp.se>:
Bug acknowledged by developer. (Sat, 28 Nov 2020 19:33:03 GMT) (full text, mbox, link).


Message #129 received at 961345-close@bugs.debian.org (full text, mbox, reply):

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 961345-close@bugs.debian.org
Subject: Bug#961345: fixed in cups 2.2.10-6+deb10u4
Date: Sat, 28 Nov 2020 19:32:07 +0000
Source: cups
Source-Version: 2.2.10-6+deb10u4
Done: Didier Raboud <odyx@debian.org>

We believe that the bug you reported is fixed in the latest version of
cups, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 961345@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Didier Raboud <odyx@debian.org> (supplier of updated cups package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sat, 28 Nov 2020 12:09:48 +0100
Source: cups
Architecture: source
Version: 2.2.10-6+deb10u4
Distribution: buster
Urgency: medium
Maintainer: Debian Printing Team <debian-printing@lists.debian.org>
Changed-By: Didier Raboud <odyx@debian.org>
Closes: 961345
Changes:
 cups (2.2.10-6+deb10u4) buster; urgency=medium
 .
   * Backport upstream fix:
     - backend,scheduler/ipp.c: Fix 'printer-alert' invalid free
       (Closes: #961345)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 27 Dec 2020 07:26:10 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jul 24 02:53:51 2024; Machine Name: bembo
