Part II - Multiple Printing Regressions in Solaris 10 Kernel Patches 127127-11 and 127128-11

---

Part II - Multiple Printing Regressions in Solaris 10 Kernel Patches 127127-11 and 127128-11

1. Impact

Solaris 10 kernel patches 127127-11 (SPARC platform) or 127128-11 (x86 platform) introduce multiple printing regressions as listed below.

Note that these issues are in addition to the ones already identified in Sun Alert 241426, available at  http://sunsolve.sun.com/search/document.do?assetkey=1-66-241426-1

6699689 - Using the -D option to lpadmin(1M) corrupts '/etc/printers.conf' and leads lpstat(1) to core dump after which printing is no longer possible.

6740381 - 'lpstat -o' no longer reports status for remote Windows printers.

6699255 - After installation of KU 127127/127128-11, printing is no longer possible if print server and client have different KU revision.

6720586 - "nobanner" entry gets added to request when lp(1) is invoked with the -i <request-id> to change print request options.

6724477 - The command "cancel <queuename>" causes a segmentation fault when used to cancel the first job on a remote queue.

6737146 - Unprivileged users cannot place a hold on "print -" requests when using the -H switch with l(1).

6740759 - lpstat(1) always reports "Forms allowed: (none)" after making a form (lpforms(1M)) available to the printer.

6749323 - It is not possible to determine from the output from lpstat(1) which host a job was submitted from.

6723892 - 'lpstat -p' dumps core when queues are created with the "-s ipp://" or "-s lpd://" options. This issue only occurs when the required fields are not specified. Supplying valid field data ensures this does not occur.

6739383 - print commands accept(1M), reject(1), enable(1), disable(1) do not report status after execution. This has minimal impact as although the status is not reported, the commands complete correctly. This can be verified via "lpstat -lp".

6740079 - "lpstat -R" does not show queued jobs, so it is not possible to tell the order in which jobs will be printed.

6752372 - The output from "lpstat -o" is incorrect and so it is not possible to find which job is currently being printed.

6723334 - There is a slow memory leak in the libpapi library. This could result in a system-wide resource shortage.

6724379 - Printing from FireFox 3 is not possible. Attempts to print using the FireFox 3 application will crash in papiJobStreamOpen.

6727979 - Printing to local queues is not be possible due to memory corruption in psm-lpsched.so which will core dump.

6752568 - Using "lpstat -o" to display queue data for a printer which has a queue name that matches the syntax for a job id is not possible.

For example, if a job id is defined as : <printer name>-<#>, i.e: hplaser-1 whereby 'hplaser' is the printer, and '1' is the job-id. If a printer is added with a name that matches the job-format "hplaser-1", then 'lpstat -o hplaser-1' will be treated as a job id rather than a printer id and will fail.
6759910 - lpstat(1) cannot display (-D) Description, but this does not affect print jobs.

6752577 - lpmove(1M) dumps core after moving a print job. Print jobs will be processed correctly, however each time lpmove is executed, a core file will be created.

6759604 - A local unprivileged user on the lp client can cancel print jobs owned by root, creating a Denial of Service (DoS) in the print process.

6757330 - Zero byte print jobs will hang. Other print jobs are not impacted when this occurs.

6591929 - Passing in a postscript file to lp via standard input (using the command like '$ cat <postscript-file> | lp)', will cause the printer to print the postscript markup version of the file. Drivers such as ljet and hpijs use this command format and are therefore impacted by this issue. Note that 'lp <postscript-file>' is not impacted by this issue.

6760057 - accept(1M), reject(1) commands are not supported for remote printer queues. Using these commands on remote printers fails but the error message generated omits the reason why the command is not working (not supported).

6746130 - more memory leaks in the libpapi library. This could result in a system-wide resource shortage.

6780792 - Print jobs sent to NIprint print-server software on Windows systems will not be processed and will never print.

6619120 - lpmove(1M) dumps core if it is invoked without using any paramaters as in the case when displaying the command usage data. Users may instead refer to the man page for usage details to work around this issue.

6761767 - '/usr/ucb/lpc topq' (see lpc(1B)), fails to move the specified print jobs to the top of the print queue.  Instead it will dump core.

6783023 - lpstat -v dumps core if there is no printer name defined in /etc/printers.conf.

2. Contributing Factors

These issues can occur in the following releases:

SPARC Platform:

• Solaris 10 with patch 127127-11
• OpenSolaris based upon builds snv_44 or later

x86 Platform:

• Solaris 10 with patch 127128-11
• OpenSolaris based upon builds snv_44 or later

Notes:
1. Solaris 8 and 9 are not impacted by this issue.

2. 6724379 does not affect Sol 10; only OpenSolaris is affected by this issue.

3. OpenSolaris distributions may include additional bug fixes above and beyond the build from which it was derived. The base build can be derived as follows:

$ uname -v
snv_86

3. Symptoms

The symptoms of each issue are as listed below:

6699689 - Examining '/etc/printers.conf' will show that the destination field in the 'bsdaddr' line is blank after adding a description.

6740381 - 'lpstat -o <queue residing on MS Windows server>' will return no output, even when jobs are resident on the queue.

6699255 - 'lpstat -o <queue>' will return a different request-id to that returned from lp(1) during request submission.

6720586 - After passing the -i switch to lp(1), the output from:

/var/spool/lp/tmp/<print server>/<job-id>

will contain the text:

nobanner

6724477 - cancel(1) will suffer a segmentation fault, a stack trace from the core will be similar to the following:

ff25276c papiAttributeListFind (0, 245e4, 245e4, ffbffbec, ff396000, 6c706400) + 18
ff252878 papiAttributeListGetValue (0, ffbffb14, 245e4, 1, ffbffb7c, ffbffcdc) + 5c
ff25296c papiAttributeListGetInteger (6c706400, 0, 245e4, ffbffbec, ff396000, 13c7c) + 2c
00012aac cancel_job (25b68, 24a00, ffbffe1d, 25c80, 0, ffbffcdc) + 6c
00012fd8 berkeley_cancel_request (25b68, 24a00, ffbffe1d, 0, ffbffcdc, 29) + 158
00011fe4 main     (2, ffbffd6c, ffbffd78, 24400, ff3600c0, ff360100) + 43c
000118b8 _start   (0, 0, 0, 0, 0, 0) + 108

6737146 - After placing a hold on a print request, the 'Hold' keyword will not be present in:

/var/spool/lp/tmp/<print server>/<job-id>

6740759 - lpstat always reports "Forms allowed: (none)" after making a form available to printer.

6749323 - lpstat(1) does not show which host a job was submitted from. 'lpstat -o' does not display the host information along with the owner of the request.

6723892 - lpstat -p dumps core when used on queues created with the "-s ipp://" or "-s lpd://" options.

The stack trace generated is similar to the following:

core 'core' of 20123:   /usr/lib/lp/bin/lpstat -p a2
fee93088 strrchr  (8046fa0) + 18
fee43ec1 getprinterbyname (8047246, 0) + 16d
fee44b85 service_load (8068470, 8047246) + 49
fee44e08 papiServiceCreate (8047040, 8047246, 0, 0, 8054cec, 1) + a0
08053037 printer_query (8047246, 80526b4, 1, 0, 0) + 2f
08053ddb main     (3, 80470e4, 80470f4) + 4cb
08052046 _start   (3, 804722c, 8047243, 8047246, 0, 8047249) + 7a

6739383 - Commands 'accept', 'reject', disable', 'enable' do not report status after execution.

6740079 - 'lpstat -R' will show no output when run against a valid queue.

6752372 - "lpstat -o" output fails to show which job is currently being printed. The output should look like the following but the 'on <printer>' information is missing:


6723334 - memory leak in libpapi will result in increased system memory usage. The cause can be determined using dtrace(1M) to profile the processes.

6724379 - Crash dump created when printing using firefox 3 will have a stack trace similar to the following:

core 'core' of 1153:    /usr/lib/firefox/firefox-bin
-----------------  lwp# 1 / thread# 1  --------------------
fed0d955 _lwp_kill (1, b) + 15
fecc1592 raise    (b) + 22
fcecd20a __1cNnsProfileLockSFatalSignalHandler6Fi_v_ (b, 0, 8045928) + e6
fed0942f __sighndlr (b, 0, 8045928, fcecd124) + f
fecfe5c2 call_user_handler (b, 0, 8045928) + 2bf
fecfe7f6 sigacthandler (b, 0, 8045928) + d0
--- called from signal handler with signal 11 (SIGSEGV) ---
fecb41f0 t_splay  (f0c3e054) + 30
fecb40bd t_delete (f0c3e054) + 2d
fecb3dd0 realfree (f0c3ab24) + 60
fecb4433 cleanfree (eef20780) + 5b
fecb3a2e realloc  (eef20780, 16) + 59
f67b3836 add_lpd_control_line (804650c, 50, f7465030) + 66

6727979 - Core dump created when printing to local queues will have a stack trace similar to the following:

psm-lpsched.so.1'_Free+0x1b
psm-lpsched.so.1'freerequest+0x138
psm-lpsched.so.1'papiJobSubmitByReference+0x24e
libpapi.so.0'_papi_job_submit_reference_or_validate+0x90
libpapi.so.0'papiJobSubmitByReference+0x31
lp'main+0x593
lp'_start+0x7a

6752568 - Using lpstat(1) -o to display queue data for a printer which has a queue name that matches the syntax for a job id will result in the following error:

Failed to contact service for <printer>: not-found

6759910 - 'lpstat -D' does not display (-D) Description. lpstat will not show any printer descriptions.

6752577 - lpmove(1M) dumps core with a stack trace similar to the following:

psm-lpsched.so.1`_getmessage+0x137(80af0d0, 20, 8047c6c)
psm-lpsched.so.1`rcv_msg+0x7b(807ddf0, 20, 8047cc8)
psm-lpsched.so.1`papiJobMove+0x10f(807ddf0, 8088eb0, f, 8088d00)
libpapi.so.0`papiJobMove+0x9b(8088f88, 8047ee5, f, 8088d00)
0x80515d2(8088f88, 8047ee5, f, 8047ef2)
main+0x119(2, 8047e14, 8047e24)
_start+0x7a(3, 8047ed4, 8047ee5, 8047ef2, 0, 8047efa)

6759604 - A local unprivileged user on the lp client can cancel print jobs owned by root, creating a Denial of Service (DoS) in the print process.

6757330 - Zero byte print jobs will hang. Other print jobs are not impacted when this occurs.

6591929 - Passing in a postscript file to lp via standard input 'cat <postscript-file> | lp', will cause the printer to print the postscript markup.

6760057 - Output messages from the accept(1)/reject(1) print commands when using a remote queue fail to state that accept(1) and reject(1) are not supported for remote queues. The output shows the following:

accept: <printer>: operation-not-supported   
reject: <printer>: operation-not-supported

6746130 - Memory leaks in libpapi will result in increased system memory usage The cause can be determined using dtrace(1M) to profile the processes.

6780792 - Print jobs sent to NIprint print-server software running on Windows systems will fail to print. lp(1) will complete correctly and a job-id will be returned but the job will not be printed.

6619120 - lpmove(1) will dump core when invoked without any parameters when displaying the usage data.

6761767 - When the 'topq' command is excecuted within the lpc(1B) shell, lpc will dump core with a stack trace similar to:

core 'core' of 744:     lpc
ff2c1470 atoi     (2a058, 25f10, 0, 0, 25b00, 0) + 4
00011e5c ???????? (ffffffff, 25f10, 2, 13400, 24400, 11ab0)
00011f34 ???????? (11ab0, 25f10, 2, 0, 29618, 0)
00011fe8 ???????? (0, 25f10, ffbfeb7c, 2, 25f10, 1)
000121d4 ???????? (0, 25f18, 1, 13400, 134e4, 13400)
00012290 main     (0, ffbffd9c, ffbffda4, 25000, 13400, 13400) + 94
00011440 _start   (0, 0, 0, 0, 0, 0) + 108

6783023 - Using lpstat -v with no printer name defined, will coredump with a stack trace similar to:

ff2b1d50 strlen   (14b0d, ffbffd48, ffbfff47, 0, 0, 0) + 50
ff31c4c8 printf   (14afc, 27170, 0, 2718e, ff36e308, 14afc) + f4
00011978 ???????? (27620, 2bca8, ffbfff42, 0, 0, 14800)
000129b0 ???????? (0, 11804, 0, 0, 0, 0)
00013738 main     (0, ffbffe8c, 27400, 1, 11800, 12a28) + 3ec
000114ec _start   (0, 0, 0, 0, 0, 0) + 108

4. Workaround

Removing the affected patches 127127-11 (SPARC platform) or 127128-11 (x86 platform) will resolve these printing issues. However, these patches fix certain security issues which are not resolved by any other patch, and as such, this course of action is not recommended.

5. Resolution

This issue is addressed in the following releases:

SPARC Platform

• Solaris 10 with patch 140397-11 or later (only for bugs 6591929, 6619120, 6699255, 6699689, 6720586, 6723892, 6724477, 6737146, 6739383, 6740079, 6740381, 6740759, 6749323, 6752372, 6752568, 6752577, 6757330, 6759604, 6759910, 6761767, 6780792, 6783023)
  
• OpenSolaris based upon builds snv_119 or later
  

x86 Platform

• Solaris 10 with patch 139556-08 and patch 141779-05 or later (only for bugs 6591929, 6619120, 6699255, 6699689, 6720586, 6723892, 6724477, 6737146, 6739383, 6740079, 6740381, 6740759, 6749323, 6752372, 6752568, 6752577, 6757330, 6759604, 6759910, 6761767, 6780792, 6783023)
  
• OpenSolaris based upon builds snv_119 or later

Note:  Bugs 6724379 and 6727979 were never an issue in Solaris 10. These were issues for OpenSolaris where they were fixed in snv_96.

A final resolution is pending completion for the remaining Bugs in Solaris 10 (6760057, 6746130, 6723334).

This Sun Alert notification is being provided to you on an "AS IS" basis. This Sun Alert notification may contain information provided by third parties. The issues described in this Sun Alert notification may or may not impact your system(s). Sun makes no representations, warranties, or guarantees as to the information contained herein. ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This Sun Alert notification contains Sun proprietary and confidential information. It is being provided to you pursuant to the provisions of your agreement to purchase services from Sun, or, if you do not have such an agreement, the Sun.com Terms of Use. This Sun Alert notification may only be used for the purposes contemplated by these agreements.

Copyright 2000-2008 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved.

Modification History

18-Dec-2008: Updated Impact, Contributing Factors and Workaround sections
15-Jun-2009: Added Security criteria and updated Impact and Symptoms for BugID 6759604
08-Sep-2009: Updated BugIDs, Impact, Contributing Factors, Symptoms, Workaround, and Resolution sections

Attachments

This solution has no attachment