Note: This is an archival copy of Security Sun Alert 247386 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1019842.1.
Article ID : 1019842.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2010-11-05
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Part II - Multiple Printing Regressions in Solaris 10 Kernel Patches 127127-11 and 127128-11



Category
Availability

Category
Security

Release Phase
Workaround

Bug Id
6699689, 6740381, 6699255, 6720586, 6724477, 6737146, 6740759, 6749323, 6723892, 6739383, 6740079, 6752372, 6723334, 6724379, 6727979, 6752568, 6759910, 6752577, 6759604, 6757330, 6591929, 6760057, 6746130, 6780792, 6619120, 6761767, 6783023

Product
Solaris 10 Operating System
OpenSolaris

Date of Workaround Release
10-Dec-2008

1. Impact

Solaris 10 kernel patches 127127-11 (SPARC platform) or 127128-11 (x86 platform) introduce multiple printing regressions as listed below.

Note that these issues are in addition to the ones already identified in Sun Alert 1019572.1 (241426).

6699689 - Using the -D option to lpadmin(1M) corrupts '/etc/printers.conf' and leads lpstat(1) to core dump after which printing is no longer possible.

6740381 - 'lpstat -o' no longer reports status for remote Windows printers.

6699255 - After installation of KU 127127/127128-11, printing is no longer possible if the print server and client have different KU revisions.

6720586 - "nobanner" entry gets added to request when lp(1) is invoked with the -i <request-id> to change print request options.

6724477 - The command "cancel <queuename>" causes a segmentation fault when used to cancel the first job on a remote queue.

6737146 - Unprivileged users cannot place a hold on "print -" requests when using the -H switch with lp(1).

6740759 - lpstat(1) always reports "Forms allowed: (none)" after making a form (lpforms(1M)) available to the printer.

6749323 - It is not possible to determine from the output from lpstat(1) which host a job was submitted from.

6723892 - 'lpstat -p' dumps core when queues are created with the "-s ipp://" or "-s lpd://" options. This issue only occurs when the required fields are not specified. Supplying valid field data ensures this does not occur.

6739383 - The print commands accept(1M), reject(1), enable(1), disable(1) do not report status after execution. The impact is minimal: although the status is not reported, the commands complete correctly. This can be verified via "lpstat -lp".

6740079 - "lpstat -R" does not show queued jobs, so it is not possible to tell the order in which jobs will be printed.

6752372 - The output from "lpstat -o" is incorrect and so it is not possible to find which job is currently being printed.

6723334 - There is a slow memory leak in the libpapi library. This could result in a system-wide resource shortage.

6724379 - Printing from Firefox 3 is not possible. Attempts to print using the Firefox 3 application will crash in papiJobStreamOpen.

6727979 - Printing to local queues is not possible due to memory corruption in psm-lpsched.so, which will core dump.

6752568 - Using "lpstat -o" to display queue data for a printer which has a queue name that matches the syntax for a job id is not possible.

For example, a job id has the form <printer name>-<#>, e.g. hplaser-1, where 'hplaser' is the printer and '1' is the job-id. If a printer is added with a name that matches the job id format, such as "hplaser-1", then 'lpstat -o hplaser-1' will be treated as a job id rather than a printer id and will fail.

6759910 - lpstat(1) cannot display (-D) Description, but this does not affect print jobs.

6752577 - lpmove(1M) dumps core after moving a print job. Print jobs will be processed correctly, however each time lpmove is executed, a core file will be created.

6759604 - A local unprivileged user on the lp client can cancel print jobs owned by root, creating a Denial of Service (DoS) in the print process.

6757330 - Zero byte print jobs will hang. Other print jobs are not impacted when this occurs.

6591929 - Passing a PostScript file to lp via standard input (using a command like '$ cat <postscript-file> | lp') will cause the printer to print the PostScript markup version of the file. Drivers such as ljet and hpijs use this command format and are therefore impacted by this issue. Note that 'lp <postscript-file>' is not impacted by this issue.

6760057 - accept(1M), reject(1) commands are not supported for remote printer queues. Using these commands on remote printers fails but the error message generated omits the reason why the command is not working (not supported).

6746130 - Additional memory leaks in the libpapi library. This could result in a system-wide resource shortage.

6780792 - Print jobs sent to NIprint print-server software on Windows systems will not be processed and will never print.

6619120 - lpmove(1M) dumps core if it is invoked without any parameters, as in the case when displaying the command usage data. Users may instead refer to the man page for usage details to work around this issue.

6761767 - '/usr/ucb/lpc topq' (see lpc(1B)) fails to move the specified print jobs to the top of the print queue. Instead it will dump core.

6783023 - lpstat -v dumps core if there is no printer name defined in /etc/printers.conf.

2. Contributing Factors

These issues can occur in the following releases:

SPARC Platform:
  • Solaris 10 with patch 127127-11
  • OpenSolaris based upon builds snv_44 or later
x86 Platform:
  • Solaris 10 with patch 127128-11
  • OpenSolaris based upon builds snv_44 or later
Notes:

1. Solaris 8 and 9 are not impacted by this issue.

2. 6724379 does not affect Solaris 10; only OpenSolaris is affected by this issue.

OpenSolaris distributions may include additional bug fixes above and beyond the build from which it was derived. The base build can be derived as follows:
$ uname -v
snv_86

3. Symptoms

The symptoms of each issue are as listed below:

6699689 - Examining '/etc/printers.conf' will show that the destination field in the 'bsdaddr' line is blank after adding a description.

6740381 - 'lpstat -o <queue residing on MS Windows server>' will return no output, even when jobs are resident on the queue.

6699255 - 'lpstat -o <queue>' will return a different request-id to that returned from lp(1) during request submission.

6720586 - After passing the -i switch to lp(1), the output from:
/var/spool/lp/tmp/<print server>/<job-id>
will contain the text:
nobanner

6724477 - cancel(1) will suffer a segmentation fault; a stack trace from the core will be similar to the following:
ff25276c papiAttributeListFind (0, 245e4, 245e4, ffbffbec, ff396000, 6c706400) + 18
ff252878 papiAttributeListGetValue (0, ffbffb14, 245e4, 1, ffbffb7c, ffbffcdc) + 5c
ff25296c papiAttributeListGetInteger (6c706400, 0, 245e4, ffbffbec, ff396000, 13c7c) + 2c
00012aac cancel_job (25b68, 24a00, ffbffe1d, 25c80, 0, ffbffcdc) + 6c
00012fd8 berkeley_cancel_request (25b68, 24a00, ffbffe1d, 0, ffbffcdc, 29) + 158
00011fe4 main     (2, ffbffd6c, ffbffd78, 24400, ff3600c0, ff360100) + 43c
000118b8 _start   (0, 0, 0, 0, 0, 0) + 108

6737146 - After placing a hold on a print request, the 'Hold' keyword will not be present in:
/var/spool/lp/tmp/<print server>/<job-id>

6740759 - lpstat always reports "Forms allowed: (none)" after making a form available to the printer.

6749323 - lpstat(1) does not show which host a job was submitted from. 'lpstat -o' does not display the host information along with the owner of the request.

6723892 - lpstat -p dumps core when used on queues created with the "-s ipp://" or "-s lpd://" options.

The stack trace generated is similar to the following:
core 'core' of 20123:   /usr/lib/lp/bin/lpstat -p a2
fee93088 strrchr  (8046fa0) + 18
fee43ec1 getprinterbyname (8047246, 0) + 16d
fee44b85 service_load (8068470, 8047246) + 49
fee44e08 papiServiceCreate (8047040, 8047246, 0, 0, 8054cec, 1) + a0
08053037 printer_query (8047246, 80526b4, 1, 0, 0) + 2f
08053ddb main     (3, 80470e4, 80470f4) + 4cb
08052046 _start   (3, 804722c, 8047243, 8047246, 0, 8047249) + 7a

6739383 - Commands 'accept', 'reject', 'disable', 'enable' do not report status after execution.

6740079 - 'lpstat -R' will show no output when run against a valid queue.

6752372 - "lpstat -o" output fails to show which job is currently being printed. The output should look like the following but the 'on <printer>' information is missing:

VSP4720FM-39213   bsnps        343   Jun 18 20:52 on VSP4720FM

6723334 - A memory leak in libpapi will result in increased system memory usage. The cause can be determined using dtrace(1M) to profile the processes.

6724379 - The crash dump created when printing using Firefox 3 will have a stack trace similar to the following:
core 'core' of 1153:    /usr/lib/firefox/firefox-bin
-----------------  lwp# 1 / thread# 1  --------------------
fed0d955 _lwp_kill (1, b) + 15
fecc1592 raise    (b) + 22
fcecd20a __1cNnsProfileLockSFatalSignalHandler6Fi_v_ (b, 0, 8045928) + e6
fed0942f __sighndlr (b, 0, 8045928, fcecd124) + f
fecfe5c2 call_user_handler (b, 0, 8045928) + 2bf
fecfe7f6 sigacthandler (b, 0, 8045928) + d0
--- called from signal handler with signal 11 (SIGSEGV) ---
fecb41f0 t_splay  (f0c3e054) + 30
fecb40bd t_delete (f0c3e054) + 2d
fecb3dd0 realfree (f0c3ab24) + 60
fecb4433 cleanfree (eef20780) + 5b
fecb3a2e realloc  (eef20780, 16) + 59
f67b3836 add_lpd_control_line (804650c, 50, f7465030) + 66

6727979 - The core dump created when printing to local queues will have a stack trace similar to the following:
psm-lpsched.so.1'_Free+0x1b
psm-lpsched.so.1'freerequest+0x138
psm-lpsched.so.1'papiJobSubmitByReference+0x24e
libpapi.so.0'_papi_job_submit_reference_or_validate+0x90
libpapi.so.0'papiJobSubmitByReference+0x31
lp'main+0x593
lp'_start+0x7a

6752568 - Using lpstat(1) -o to display queue data for a printer which has a queue name that matches the syntax for a job id will result in the following error:
Failed to contact service for <printer>: not-found

6759910 - 'lpstat -D' does not display (-D) Description. lpstat will not show any printer descriptions.

6752577 - lpmove(1M) dumps core with a stack trace similar to the following:
psm-lpsched.so.1`_getmessage+0x137(80af0d0, 20, 8047c6c)
psm-lpsched.so.1`rcv_msg+0x7b(807ddf0, 20, 8047cc8)
psm-lpsched.so.1`papiJobMove+0x10f(807ddf0, 8088eb0, f, 8088d00)
libpapi.so.0`papiJobMove+0x9b(8088f88, 8047ee5, f, 8088d00)
0x80515d2(8088f88, 8047ee5, f, 8047ef2)
main+0x119(2, 8047e14, 8047e24)
_start+0x7a(3, 8047ed4, 8047ee5, 8047ef2, 0, 8047efa)

6759604 - A local unprivileged user on the lp client can cancel print jobs owned by root, creating a Denial of Service (DoS) in the print process.

6757330 - Zero byte print jobs will hang. Other print jobs are not impacted when this occurs.

6591929 - Passing in a postscript file to lp via standard input 'cat <postscript-file> | lp', will cause the printer to print the postscript markup.

6760057 - Output messages from the accept(1)/reject(1) print commands when using a remote queue fail to state that accept(1) and reject(1) are not supported for remote queues. The output shows the following:
accept: <printer>: operation-not-supported
reject: <printer>: operation-not-supported

6746130 - Memory leaks in libpapi will result in increased system memory usage. The cause can be determined using dtrace(1M) to profile the processes.

6780792 - Print jobs sent to NIprint print-server software running on Windows systems will fail to print. lp(1) will complete correctly and a job-id will be returned but the job will not be printed.

6619120 - lpmove(1M) will dump core when invoked without any parameters, as when displaying the usage data.

6761767 - When the 'topq' command is executed within the lpc(1B) shell, lpc will dump core with a stack trace similar to:
core 'core' of 744:     lpc
ff2c1470 atoi     (2a058, 25f10, 0, 0, 25b00, 0) + 4
00011e5c ???????? (ffffffff, 25f10, 2, 13400, 24400, 11ab0)
00011f34 ???????? (11ab0, 25f10, 2, 0, 29618, 0)
00011fe8 ???????? (0, 25f10, ffbfeb7c, 2, 25f10, 1)
000121d4 ???????? (0, 25f18, 1, 13400, 134e4, 13400)
00012290 main     (0, ffbffd9c, ffbffda4, 25000, 13400, 13400) + 94
00011440 _start   (0, 0, 0, 0, 0, 0) + 108

6783023 - Using lpstat -v with no printer name defined will dump core with a stack trace similar to:
ff2b1d50 strlen   (14b0d, ffbffd48, ffbfff47, 0, 0, 0) + 50
ff31c4c8 printf   (14afc, 27170, 0, 2718e, ff36e308, 14afc) + f4
00011978 ???????? (27620, 2bca8, ffbfff42, 0, 0, 14800)
000129b0 ???????? (0, 11804, 0, 0, 0, 0)
00013738 main     (0, ffbffe8c, 27400, 1, 11800, 12a28) + 3ec
000114ec _start   (0, 0, 0, 0, 0, 0) + 108
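The two /etc/printers.conf conditions described above (the blank 'bsdaddr' destination of 6699689 and a queue name that matches the job id syntax of 6752568) can be checked with a short script. This is an added example, not part of the original Sun Alert; it assumes the bsdaddr=server,destination[,Solaris] layout from printers.conf(4) and a POSIX awk (nawk or /usr/xpg4/bin/awk on Solaris 10), and the sample entries are constructed.

```shell
#!/bin/sh
# Added example: lint printers.conf(4) entries for two conditions in this alert.
# Prints "<bug-id> <queue> <finding>" per hit. Assumes a POSIX awk.

# lint_printers_conf [FILE]: reads FILE, or standard input when omitted.
lint_printers_conf() {
    awk '
    /^[ \t]*#/ { next }                        # skip comment lines
    {
        sub(/^[ \t]+/, "")                     # drop continuation indent
        if (sub(/\\$/, "")) { rec = rec $0; next }   # entry continues
        rec = rec $0
        if (rec != "") check(rec)
        rec = ""
    }
    function check(r,    n, f, i, queue, addr) {
        n = split(r, f, ":")
        queue = f[1]; sub(/\|.*/, "", queue)   # first name, without aliases
        # 6752568: queue name has the <printer name>-<#> job id form
        if (queue ~ /-[0-9]+$/)
            print "6752568 " queue " name-matches-job-id-syntax"
        # 6699689: destination (2nd bsdaddr field) is blank
        for (i = 2; i <= n; i++)
            if (f[i] ~ /^bsdaddr=/) {
                split(substr(f[i], 9), addr, ",")
                if (addr[2] == "")
                    print "6699689 " queue " blank-bsdaddr-destination"
            }
    }' "${1:--}"
}

# Constructed sample entries (not from a real system).
sample_printers_conf() {
    cat <<'EOF'
hplaser:\
    :bsdaddr=printsrv,hplaser,Solaris:\
    :description=Front office:
hplaser-1:\
    :bsdaddr=printsrv,hplaser-1,Solaris:
lobby:\
    :bsdaddr=printsrv,,Solaris:\
    :description=Lobby printer:
EOF
}

sample_printers_conf | lint_printers_conf
```

On a real host, pass the file as the argument: lint_printers_conf /etc/printers.conf.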
4. Workaround

Removing the affected patches 127127-11 (SPARC platform) or 127128-11 (x86 platform) will resolve these printing issues. However, these patches fix certain security issues which are not resolved by any other patch, and as such, this course of action is not recommended.

5. Resolution

This issue is addressed in the following releases:

SPARC Platform
  • Solaris 10 with patch 140397-11 or later (only for Bugs 6591929, 6619120, 6699255, 6699689, 6720586, 6723892, 6724477, 6737146, 6739383, 6740079, 6740381, 6740759, 6749323, 6752372, 6752568, 6752577, 6757330, 6759604, 6759910, 6761767, 6780792, 6783023)
  • Solaris 10 with patch 142909-17 or later (for Bug 6760057)
  • OpenSolaris based upon builds snv_119 or later
x86 Platform
  • Solaris 10 with patch 139556-08 and patch 141779-05 or later (only for bugs 6591929, 6619120, 6699255, 6699689, 6720586, 6723892, 6724477, 6737146, 6739383, 6740079, 6740381, 6740759, 6749323, 6752372, 6752568, 6752577, 6757330, 6759604, 6759910, 6761767, 6780792, 6783023)
  • Solaris 10 with patch 142910-17 or later (for Bug 6760057)
  • OpenSolaris based upon builds snv_119 or later
Note:  Bugs 6724379 and 6727979 were never an issue in Solaris 10. These were issues for OpenSolaris where they were fixed in snv_96.

A final resolution is pending completion for the remaining Bugs in Solaris 10 (6746130, 6723334).
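The release information in sections 2 and 5 can be turned into a triage check over the output of 'showrev -p'. This is an added example, not part of the original Sun Alert; it assumes the 'Patch: <id> ...' line format of showrev(1M) and treats only revision -11 of the kernel patch as affected, as the alert states. The sample listing is constructed.

```shell
#!/bin/sh
# Added example: classify a Solaris 10 host against this alert from the
# output of `showrev -p`. Needs a POSIX shell (ksh or /usr/xpg4/bin/sh).

# has_rev LISTING BASE MINREV: true if patch BASE is present at rev >= MINREV.
has_rev() {
    printf '%s\n' "$1" | awk -v base="$2" -v min="$3" '
        $1 == "Patch:" { split($2, p, "-")
                         if (p[1] == base && p[2] + 0 >= min + 0) found = 1 }
        END { exit !found }'
}

# alert_status ARCH: ARCH is sparc or i386 (as printed by `uname -p`);
# the `showrev -p` listing is read from standard input.
alert_status() {
    listing=$(cat)
    case $1 in
        sparc) ku=127127 fixes="140397:11" late=142909 ;;
        i386)  ku=127128 fixes="139556:8 141779:5" late=142910 ;;
        *)     echo unknown-arch; return 2 ;;
    esac
    # The alert names revision -11 of the kernel patch specifically.
    printf '%s\n' "$listing" | grep "^Patch: $ku-11 " >/dev/null ||
        { echo ku-11-not-installed; return 0; }
    for f in $fixes; do
        has_rev "$listing" "${f%:*}" "${f#*:}" ||
            { echo "affected missing-${f%:*}"; return 1; }
    done
    # 6760057 is fixed separately, in 142909-17 / 142910-17 or later.
    has_rev "$listing" "$late" 17 ||
        { echo "fixed-except-6760057 missing-$late"; return 0; }
    # 6723334 and 6746130 have no Solaris 10 fix listed in the alert.
    echo fixed-pending-6723334-6746130
}

# Constructed `showrev -p` lines (fields after the patch id left empty).
sample_showrev() {
    cat <<'EOF'
Patch: 127127-11 Obsoletes: Requires: Incompatibles: Packages:
Patch: 140397-12 Obsoletes: Requires: Incompatibles: Packages:
EOF
}

sample_showrev | alert_status sparc   # fixed-except-6760057 missing-142909
```

On a live system the call is: showrev -p | alert_status "$(uname -p)".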


Modification History
18-Dec-2008: Updated Impact, Contributing Factors and Workaround sections
15-Jun-2009: Added Security criteria and updated Impact and Symptoms for BugID 6759604
08-Sep-2009: Updated BugIDs, Impact, Contributing Factors, Symptoms, Workaround, and Resolution sections
05-Nov-2010: Updated Resolution for Solaris 10 patches for BugID 6760057


References

SUNPATCH: 140397-11
SUNPATCH: 142909-17
SUNPATCH: 139556-08
SUNPATCH: 141779-05
SUNPATCH: 142910-17


