liblcms1: CVE-2013-4276: Buffer overflows in Little CMS v1.19

Related Vulnerabilities: CVE-2013-4276   CVE-2013-4160  

Debian Bug report logs - #718682
liblcms1: CVE-2013-4276: Buffer overflows in Little CMS v1.19


Package: liblcms1; Maintainer for liblcms1 is (unknown);

Reported by: Pedro R <pedrib@gmail.com>

Date: Sun, 4 Aug 2013 09:39:02 UTC

Severity: grave

Tags: patch, security, upstream

Found in version 1.19

Fixed in version lcms/1.19.dfsg1-1.3

Done: Tobias Frost <tobi@coldtobi.de>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, pedrib@gmail.com, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Oleksandr Moskalenko <malex@debian.org>:
Bug#718682; Package liblcms1. (Sun, 04 Aug 2013 09:39:06 GMT) (full text, mbox, link).


Acknowledgement sent to Pedro R <pedrib@gmail.com>:
New Bug report received and forwarded. Copy sent to pedrib@gmail.com, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Oleksandr Moskalenko <malex@debian.org>. (Sun, 04 Aug 2013 09:39:06 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Pedro R <pedrib@gmail.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: liblcms1: Buffer overflows in Little CMS v1.19
Date: Sun, 04 Aug 2013 10:35:46 +0100
[Message part 1 (text/plain, inline)]
Package: liblcms1
Version: 1.19
Severity: grave
Tags: upstream security patch
Justification: user security hole

I have found three (lame) buffer overflows in lcms-1.19. The problem lies in
the use of dangerous functions like scanf and sprintf to handle user input.

I have contacted the Little CMS developer and his answer was that "people
concerned about security should update to Little CMS v2". To be honest I think
it's a reasonable answer since he has stopped supporting lcms-1 in 2009.
However this appears to be a package that is still widely in use in several
distributions, and included in other software as a library.

I am attaching patches here to address the issue. These have been compile
tested but I did not do any test beyond that. Please note that I am sending
this via a mobile device and the patches might be mangled (hopefully not).

If you have any questions please contact me back. If you do issue an advisory,
please credit Pedro Ribeiro (pedrib@gmail.com).

Note that I have contacted the security team and was instructed to report this
bug here.

Regards,
Pedro



-- System Information:
Debian Release: 7.1
  APT prefers stable
  APT policy: (750, 'stable'), (650, 'testing'), (600, 'unstable'), (550, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.7.1-botto-secfixes3-grsec+ (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
[lcms-1.19-b0f.patch (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Oleksandr Moskalenko <malex@debian.org>:
Bug#718682; Package liblcms1. (Sun, 04 Aug 2013 10:12:11 GMT) (full text, mbox, link).


Acknowledgement sent to Sebastian Ramacher <sramacher@debian.org>:
Extra info received and forwarded to list. Copy sent to Oleksandr Moskalenko <malex@debian.org>. (Sun, 04 Aug 2013 10:12:11 GMT) (full text, mbox, link).


Message #10 received at 718682@bugs.debian.org (full text, mbox, reply):

From: Sebastian Ramacher <sramacher@debian.org>
To: Pedro R <pedrib@gmail.com>, 718682@bugs.debian.org
Subject: Re: Bug#718682: liblcms1: Buffer overflows in Little CMS v1.19
Date: Sun, 4 Aug 2013 12:08:01 +0200
[Message part 1 (text/plain, inline)]
Hi Pedro,

thank you for reporting this security issue.

On 2013-08-04 10:35:46, Pedro R wrote:
> diff -urb lcms-1.19.dfsg/samples/icctrans.c lcms-1.19.dfsg-patched/samples/icctrans.c
> --- lcms-1.19.dfsg/samples/icctrans.c	2009-10-30 15:57:45.000000000 +0000
> +++ lcms-1.19.dfsg-patched/samples/icctrans.c	2013-08-04 10:31:36.608445149 +0100
> @@ -500,7 +500,7 @@
>  
>      Prefix[0] = 0;
>      if (!lTerse)
> -        sprintf(Prefix, "%s=", C);
> +        snprintf(Prefix, 20, "%s=", C);
>  
>      if (InHexa)
>      {
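Review bot: the hard-coded 20 in `snprintf(Prefix, 20, "%s=", C)` is not tied to the declaration of Prefix, which lies outside this hunk, so the bound stays correct only as long as nobody resizes the array; if Prefix is a local array use `snprintf(Prefix, sizeof(Prefix), "%s=", C)` (and pass the size in if it is a pointer), and check the return value, because snprintf silently truncates when C is too long for `%s=` to fit rather than reporting it.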
> @@ -648,7 +648,9 @@
>  static
>  void GetLine(char* Buffer)
>  {    
> -    scanf("%s", Buffer);
> +    size_t Buffer_size = sizeof(Buffer);
> +    fgets(Buffer, (Buffer_size - 1), stdin);
> +    sscanf("%s", Buffer);
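Review bot: `sizeof(Buffer)` on the `char*` parameter yields the size of the pointer (4 or 8 bytes), not of the caller's array, so `fgets(Buffer, (Buffer_size - 1), stdin)` reads at most a handful of bytes (6 on a 64-bit build), and `sscanf("%s", Buffer)` passes the caller's buffer as the format string with no destination argument, which is a format-string bug, not a fix. GetLine needs the size supplied by the caller, e.g. `void GetLine(char* Buffer, size_t Size)` followed by `fgets(Buffer, Size, stdin)` (the `- 1` is unnecessary, fgets already reserves room for the terminator). Note also that fgets returns the whole line including the trailing newline, whereas `scanf("%s")` returned one whitespace-delimited token, so callers see different data unless the newline is stripped.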

This sscanf call is wrong and introduces a format string vulnerability.
sscanf's signature is int sscanf(const char* str, const char* fmt, ...)
where str is used as input and format is the second argument.

Regards
-- 
Sebastian Ramacher
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Oleksandr Moskalenko <malex@debian.org>:
Bug#718682; Package liblcms1. (Mon, 05 Aug 2013 11:36:14 GMT) (full text, mbox, link).


Acknowledgement sent to Pedro Ribeiro <pedrib@gmail.com>:
Extra info received and forwarded to list. Copy sent to Oleksandr Moskalenko <malex@debian.org>. (Mon, 05 Aug 2013 11:36:15 GMT) (full text, mbox, link).


Message #15 received at 718682@bugs.debian.org (full text, mbox, reply):

From: Pedro Ribeiro <pedrib@gmail.com>
To: Sebastian Ramacher <sramacher@debian.org>
Cc: 718682@bugs.debian.org
Subject: Re: Bug#718682: liblcms1: Buffer overflows in Little CMS v1.19
Date: Mon, 5 Aug 2013 12:34:43 +0100
[Message part 1 (text/plain, inline)]
Thanks Sebastian.

Shameful that to fix one I introduced another...

Regards
Pedro
On Aug 4, 2013 11:08 AM, "Sebastian Ramacher" <sramacher@debian.org> wrote:

> Hi Pedro,
>
> thank you for reporting this security issue.
>
> On 2013-08-04 10:35:46, Pedro R wrote:
> > diff -urb lcms-1.19.dfsg/samples/icctrans.c
> lcms-1.19.dfsg-patched/samples/icctrans.c
> > --- lcms-1.19.dfsg/samples/icctrans.c 2009-10-30 15:57:45.000000000 +0000
> > +++ lcms-1.19.dfsg-patched/samples/icctrans.c 2013-08-04
> 10:31:36.608445149 +0100
> > @@ -500,7 +500,7 @@
> >
> >      Prefix[0] = 0;
> >      if (!lTerse)
> > -        sprintf(Prefix, "%s=", C);
> > +        snprintf(Prefix, 20, "%s=", C);
> >
> >      if (InHexa)
> >      {
> > @@ -648,7 +648,9 @@
> >  static
> >  void GetLine(char* Buffer)
> >  {
> > -    scanf("%s", Buffer);
> > +    size_t Buffer_size = sizeof(Buffer);
> > +    fgets(Buffer, (Buffer_size - 1), stdin);
> > +    sscanf("%s", Buffer);
>
> This sscanf call is wrong and introduces a format string vulnerability.
> sscanf's signature is int sscanf(const char* str, const char* fmt, ...)
> where str is used as input and format is the second argument.
>
> Regards
> --
> Sebastian Ramacher
>
[Message part 2 (text/html, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Oleksandr Moskalenko <malex@debian.org>:
Bug#718682; Package liblcms1. (Mon, 05 Aug 2013 17:48:07 GMT) (full text, mbox, link).


Acknowledgement sent to Pedro Ribeiro <pedrib@gmail.com>:
Extra info received and forwarded to list. Copy sent to Oleksandr Moskalenko <malex@debian.org>. (Mon, 05 Aug 2013 17:48:07 GMT) (full text, mbox, link).


Message #20 received at 718682@bugs.debian.org (full text, mbox, reply):

From: Pedro Ribeiro <pedrib@gmail.com>
To: Sebastian Ramacher <sramacher@debian.org>
Cc: 718682@bugs.debian.org
Subject: Re: Bug#718682: liblcms1: Buffer overflows in Little CMS v1.19
Date: Mon, 5 Aug 2013 18:46:00 +0100
[Message part 1 (text/plain, inline)]
Hi Sebastian,

sorry again for that fail. Here is the correct patch.

Regards,
Pedro
[Message part 2 (text/html, inline)]
[lcms-1.19-b0f-v2.patch (application/octet-stream, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Oleksandr Moskalenko <malex@debian.org>:
Bug#718682; Package liblcms1. (Tue, 06 Aug 2013 00:03:04 GMT) (full text, mbox, link).


Acknowledgement sent to Pedro Ribeiro <pedrib@gmail.com>:
Extra info received and forwarded to list. Copy sent to Oleksandr Moskalenko <malex@debian.org>. (Tue, 06 Aug 2013 00:03:04 GMT) (full text, mbox, link).


Message #25 received at 718682@bugs.debian.org (full text, mbox, reply):

From: Pedro Ribeiro <pedrib@gmail.com>
To: Alan Coopersmith <alan.coopersmith@oracle.com>
Cc: Sebastian Ramacher <sramacher@debian.org>, 718682@bugs.debian.org
Subject: Re: Bug#718682: liblcms1: Buffer overflows in Little CMS v1.19
Date: Tue, 6 Aug 2013 01:00:24 +0100
[Message part 1 (text/plain, inline)]
Thanks for that Alan - I had no idea, and have been looking at lots of C
code lately that probably has the same mistakes. I will keep an eye on
that.

OK, this patch is turning into a trainwreck - to everyone, please be careful
when applying it.
Actually my original idea was more to point to the vulnerabilities than to
actually provide a working patch, but since lcms1 is not maintained
actively any more I decided to produce this. I guess in the future I will
say any patches I send are "provided only as an example" and should not be
applied directly.

Regards,
Pedro

Kind regards,

*Pedro Ribeiro*
Information Security Consultant
Professional Bug Hunter


On 6 August 2013 00:35, Alan Coopersmith <alan.coopersmith@oracle.com> wrote:

>  void GetLine(char* Buffer)
>>  {
>> -    scanf("%s", Buffer);
>> +    size_t Buffer_size = sizeof(Buffer);
>> +    fgets(Buffer, (Buffer_size - 1), stdin);
>> +    sscanf(Buffer,"%s");
>>
>
> sizeof() in the C language does not reach through a pointer to find the
> size of
> the underlying object - that code will always set Buffer_size to the size
> of
> the pointer itself (4 bytes on 32-bit, 8 bytes on 64-bit), not the size of
> the
> buffer the pointer is pointing to.
>
> [Noticed when someone suggested we apply the patch from Debian to our
> packages
>  as well.]
>
> --
>         -Alan Coopersmith-              alan.coopersmith@oracle.com
>          Oracle Solaris Engineering - http://blogs.oracle.com/alanc
>
[Message part 2 (text/html, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Oleksandr Moskalenko <malex@debian.org>:
Bug#718682; Package liblcms1. (Tue, 06 Aug 2013 00:27:04 GMT) (full text, mbox, link).


Acknowledgement sent to Alan Coopersmith <alan.coopersmith@oracle.com>:
Extra info received and forwarded to list. Copy sent to Oleksandr Moskalenko <malex@debian.org>. (Tue, 06 Aug 2013 00:27:04 GMT) (full text, mbox, link).


Message #30 received at 718682@bugs.debian.org (full text, mbox, reply):

From: Alan Coopersmith <alan.coopersmith@oracle.com>
To: Pedro Ribeiro <pedrib@gmail.com>
Cc: Sebastian Ramacher <sramacher@debian.org>, 718682@bugs.debian.org
Subject: Re: Bug#718682: liblcms1: Buffer overflows in Little CMS v1.19
Date: Mon, 05 Aug 2013 16:35:02 -0700
>  void GetLine(char* Buffer)
>  {
> -    scanf("%s", Buffer);
> +    size_t Buffer_size = sizeof(Buffer);
> +    fgets(Buffer, (Buffer_size - 1), stdin);
> +    sscanf(Buffer,"%s");
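Review bot: `sscanf(Buffer, "%s")` supplies no destination for the `%s` conversion, so the call writes through whatever vararg it happens to pick up (undefined behaviour, and `-Wformat` reports it), and because it also reads from Buffer it cannot return anything into Buffer anyway; the `sizeof(Buffer)` problem from the first revision is still present, so `Buffer_size - 1` is pointer-size minus one. Either drop the sscanf and keep the fgets with a size passed in by the caller, or use `fscanf(stdin, "%<N>s", Buffer)` with N = size minus one, which keeps scanf's one-token semantics while bounding the write.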

sizeof() in the C language does not reach through a pointer to find the size of
the underlying object - that code will always set Buffer_size to the size of
the pointer itself (4 bytes on 32-bit, 8 bytes on 64-bit), not the size of the
buffer the pointer is pointing to.

[Noticed when someone suggested we apply the patch from Debian to our packages
 as well.]

-- 
	-Alan Coopersmith-              alan.coopersmith@oracle.com
	 Oracle Solaris Engineering - http://blogs.oracle.com/alanc



Information forwarded to debian-bugs-dist@lists.debian.org, Oleksandr Moskalenko <malex@debian.org>:
Bug#718682; Package liblcms1. (Tue, 06 Aug 2013 01:30:04 GMT) (full text, mbox, link).


Acknowledgement sent to Alan Coopersmith <alan.coopersmith@oracle.com>:
Extra info received and forwarded to list. Copy sent to Oleksandr Moskalenko <malex@debian.org>. (Tue, 06 Aug 2013 01:30:04 GMT) (full text, mbox, link).


Message #35 received at 718682@bugs.debian.org (full text, mbox, reply):

From: Alan Coopersmith <alan.coopersmith@oracle.com>
To: Pedro Ribeiro <pedrib@gmail.com>
Cc: Sebastian Ramacher <sramacher@debian.org>, 718682@bugs.debian.org
Subject: Re: Bug#718682: liblcms1: Buffer overflows in Little CMS v1.19
Date: Mon, 05 Aug 2013 18:26:38 -0700
On 08/ 5/13 05:00 PM, Pedro Ribeiro wrote:
> Thanks for that Alan - I had no idea, and have been looking at lots of C code
> lately that has probably has the same mistakes. I will keep an eye on that.

More details/deeper explanations of when sizeof can and cannot work can be
found in:

https://www.securecoding.cert.org/confluence/display/seccode/ARR01-C.+Do+not+apply+the+sizeof+operator+to+a+pointer+when+taking+the+size+of+an+array

https://en.wikibooks.org/wiki/C_Programming/Pointers_and_arrays#sizeof

-- 
	-Alan Coopersmith-              alan.coopersmith@oracle.com
	 Oracle Solaris Engineering - http://blogs.oracle.com/alanc



Information forwarded to debian-bugs-dist@lists.debian.org, Oleksandr Moskalenko <malex@debian.org>:
Bug#718682; Package liblcms1. (Tue, 06 Aug 2013 04:39:04 GMT) (full text, mbox, link).


Acknowledgement sent to Alan Coopersmith <alan.coopersmith@oracle.com>:
Extra info received and forwarded to list. Copy sent to Oleksandr Moskalenko <malex@debian.org>. (Tue, 06 Aug 2013 04:39:04 GMT) (full text, mbox, link).


Message #40 received at 718682@bugs.debian.org (full text, mbox, reply):

From: Alan Coopersmith <alan.coopersmith@oracle.com>
To: Pedro Ribeiro <pedrib@gmail.com>
Cc: Sebastian Ramacher <sramacher@debian.org>, 718682@bugs.debian.org
Subject: Re: Bug#718682: liblcms1: Buffer overflows in Little CMS v1.19
Date: Mon, 05 Aug 2013 21:13:23 -0700
On 08/ 5/13 04:35 PM, Alan Coopersmith wrote:
>> +    fgets(Buffer, (Buffer_size - 1), stdin);
>> +    sscanf(Buffer,"%s");

Oops, forgot to mention the sscanf is still wrong in this second revision.
This code now reads a line from stdin and writes it to Buffer.  The sscanf
now takes Buffer as input, looks for a string pattern matching %s and writes
it to, well, whatever the random uninitialized value is next on the stack,
because there is no output argument provided for the %s.   Fortunately,
gcc -Wformat should find this and error out before anyone ships it.

Of course, since this is used in a function that expects the string to be
returned in Buffer, having sscanf read from Buffer and write the result
somewhere else is also counterproductive.

-- 
	-Alan Coopersmith-              alan.coopersmith@oracle.com
	 Oracle Solaris Engineering - http://blogs.oracle.com/alanc
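The three mistakes discussed in this thread (sizeof applied to a pointer parameter, sscanf with the input buffer as its format or with no destination, and the unbounded `scanf("%s", Buffer)` in GetLine that started the report) are easy to show side by side with a bounded replacement. The block below is an added example, not code from icctrans.c and not any patch posted here: `sizeof_of_pointer_param`, `get_token_bounded`, `make_prefix`, `demo_read` and `DEMO_INPUT` are hypothetical names, the 16- and 20-byte sizes are chosen for the demo rather than taken from lcms, and the input is constructed. `get_token_bounded` keeps scanf's one-token contract but builds the width from the size the caller passes, detects when the width cut a token short, and discards the tail so the stream stays in sync.

```c
/* Added example: not icctrans.c code and not any patch from this thread.
 * Hypothetical helpers showing (a) why sizeof(pointer) is the pointer's size,
 * (b) a bounded replacement for GetLine()'s scanf("%s", Buffer), and
 * (c) a Prefix write whose bound comes from the array and is checked. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum tok_status { TOK_OK = 0, TOK_EOF = -1, TOK_TRUNCATED = -2, TOK_BADARG = -3 };

/* The v1/v2 patch mistake: a char* parameter is a pointer, so this returns
 * sizeof(char *) (4 or 8), whatever array the caller actually passed. */
size_t sizeof_of_pointer_param(char *Buffer)
{
    return sizeof(Buffer);
}

/* Same contract as scanf("%s", Buffer): skip whitespace, read one token.
 * The caller supplies out_size and a width of out_size-1 is built into the
 * conversion, so the write can never exceed the destination. */
int get_token_bounded(char *out, size_t out_size, FILE *in)
{
    char fmt[32];
    int c;

    if (out == NULL || out_size < 2 || in == NULL)   /* "%0s" is not valid */
        return TOK_BADARG;
    out[0] = '\0';

    snprintf(fmt, sizeof fmt, "%%%zus", out_size - 1);  /* e.g. "%15s" */
    if (fscanf(in, fmt, out) != 1)
        return TOK_EOF;

    /* Next byte neither whitespace nor EOF means the width cut the token:
     * drop the tail so the stream is positioned at the following token. */
    c = fgetc(in);
    if (c == EOF)
        return TOK_OK;
    ungetc(c, in);
    if (isspace(c))
        return TOK_OK;
    (void)fscanf(in, "%*s");
    return TOK_TRUNCATED;
}

/* Bounded form of the Prefix write: limit is the caller's array size and the
 * snprintf return value says whether "%s=" fit. Returns bytes written,
 * 0 when terse, -1 on truncation or bad arguments. */
int make_prefix(char *prefix, size_t prefix_size, const char *c, int terse)
{
    int n;

    if (prefix == NULL || prefix_size == 0 || c == NULL)
        return -1;
    prefix[0] = '\0';
    if (terse)
        return 0;
    n = snprintf(prefix, prefix_size, "%s=", c);
    return (n < 0 || (size_t)n >= prefix_size) ? -1 : n;
}

/* Constructed input: a 24-byte token that cannot fit a 16-byte buffer, a
 * second token on the same line, a blank line, then a short token. */
static const char DEMO_INPUT[] = "   AAAAAAAAAAAAAAAAAAAAAAAA rest\n\nshort\n";

/* Feeds DEMO_INPUT through get_token_bounded() with 16-byte destinations;
 * returns the number of tokens read and records each token's status. */
int demo_read(char out[][16], int status[], int max_tokens)
{
    FILE *in = tmpfile();   /* ISO C temp file stands in for stdin */
    int n = 0;

    if (in == NULL)
        return -1;
    fputs(DEMO_INPUT, in);
    rewind(in);
    while (n < max_tokens) {
        int st = get_token_bounded(out[n], 16, in);
        if (st != TOK_OK && st != TOK_TRUNCATED)
            break;
        status[n++] = st;
    }
    fclose(in);
    return n;
}

int main(void)
{
    char toks[4][16], local[64];
    int st[4], i, n = demo_read(toks, st, 4);

    printf("sizeof via pointer parameter: %zu, sizeof of the array: %zu\n",
           sizeof_of_pointer_param(local), sizeof local);
    for (i = 0; i < n; i++)
        printf("token %d: \"%s\" (%s)\n", i, toks[i],
               st[i] == TOK_TRUNCATED ? "truncated" : "ok");
    return 0;
}
```

On a 64-bit build the first line prints 8 against 64, which is the whole of Alan's point about sizeof; the 24-byte token comes back as its first 15 bytes flagged truncated, and "rest" and "short" follow intact because the tail of the long token was consumed rather than left for the next read.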



Information forwarded to debian-bugs-dist@lists.debian.org, Oleksandr Moskalenko <malex@debian.org>:
Bug#718682; Package liblcms1. (Tue, 06 Aug 2013 12:57:11 GMT) (full text, mbox, link).


Acknowledgement sent to Pedro Ribeiro <pedrib@gmail.com>:
Extra info received and forwarded to list. Copy sent to Oleksandr Moskalenko <malex@debian.org>. (Tue, 06 Aug 2013 12:57:11 GMT) (full text, mbox, link).


Message #45 received at 718682@bugs.debian.org (full text, mbox, reply):

From: Pedro Ribeiro <pedrib@gmail.com>
To: Alan Coopersmith <alan.coopersmith@oracle.com>
Cc: Sebastian Ramacher <sramacher@debian.org>, 718682@bugs.debian.org
Subject: Re: Bug#718682: liblcms1: Buffer overflows in Little CMS v1.19
Date: Tue, 6 Aug 2013 13:53:46 +0100
[Message part 1 (text/plain, inline)]
Thanks again for the feedback Alan.

I have uploaded the newer version of the patch to the redhat bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=991757#attach_783274

I had to create an intermediate buffer...
[Message part 2 (text/html, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Oleksandr Moskalenko <malex@debian.org>:
Bug#718682; Package liblcms1. (Thu, 22 Aug 2013 06:51:05 GMT) (full text, mbox, link).


Acknowledgement sent to "Thijs Kinkhorst" <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Oleksandr Moskalenko <malex@debian.org>. (Thu, 22 Aug 2013 06:51:05 GMT) (full text, mbox, link).


Message #50 received at 718682@bugs.debian.org (full text, mbox, reply):

From: "Thijs Kinkhorst" <thijs@debian.org>
To: 718682@bugs.debian.org
Subject: CVE name assigned
Date: Thu, 22 Aug 2013 08:46:42 +0200
Hi,

This is CVE-2013-4276. Please mention it in your changelog when fixing the
issue.


Thijs



Changed Bug title to 'liblcms1: CVE-2013-4276: Buffer overflows in Little CMS v1.19' from 'liblcms1: Buffer overflows in Little CMS v1.19' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 22 Aug 2013 07:12:05 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Oleksandr Moskalenko <malex@debian.org>:
Bug#718682; Package liblcms1. (Thu, 27 Mar 2014 11:03:05 GMT) (full text, mbox, link).


Acknowledgement sent to Tobias Frost <tobi@coldtobi.de>:
Extra info received and forwarded to list. Copy sent to Oleksandr Moskalenko <malex@debian.org>. (Thu, 27 Mar 2014 11:03:06 GMT) (full text, mbox, link).


Message #57 received at 718682@bugs.debian.org (full text, mbox, reply):

From: Tobias Frost <tobi@coldtobi.de>
To: Debian Bug Tracking System <718682@bugs.debian.org>
Subject: Re: liblcms1: CVE-2013-4276: Buffer overflows in Little CMS v1.19
Date: Thu, 27 Mar 2014 12:02:11 +0100
[Message part 1 (text/plain, inline)]
Package: liblcms1
Followup-For: Bug #718682

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi, 
I'm currently preparing an NMU for this package.
To fix this issue, I will use the attached patch.
It's taken from:

https://build.opensuse.org/package/view_file/openSUSE:Evergreen:11.2:Test/lcms/CVE-2013-4276.patch#

- -- 
Tobias Frost

- -- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.13-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

[liblcms-718682.patch (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Oleksandr Moskalenko <malex@debian.org>:
Bug#718682; Package liblcms1. (Thu, 27 Mar 2014 11:36:08 GMT) (full text, mbox, link).


Acknowledgement sent to Tobias Frost <tobi@coldtobi.de>:
Extra info received and forwarded to list. Copy sent to Oleksandr Moskalenko <malex@debian.org>. (Thu, 27 Mar 2014 11:36:09 GMT) (full text, mbox, link).


Message #62 received at 718682@bugs.debian.org (full text, mbox, reply):

From: Tobias Frost <tobi@coldtobi.de>
To: Oleksandr Moskalenko <malex@debian.org>
Cc: Thijs Kinkhorst <thijs@debian.org>, 718682@bugs.debian.org, 736806@bugs.debian.org, 728208@bugs.debian.org
Subject: Intending to NMU lcms (Version 1)
Date: Thu, 27 Mar 2014 12:33:59 +0100
[Message part 1 (text/plain, inline)]
Hallo Oleksandr,

I just saw that you have a LowNMU policy, but you'd like to be contacted
before doing the actual NMU. 

Well, I'm currently preparing an NMU for the lcms* to fix some CVEs and a 
fatal lintian error. Please feel

(* I'm talking about the "old" lcms-1, not the lcms2 ... just to avoid
confusion)

Please note that I cannot upload the NMU by myself, so I will ask my AM,
Thijs Kinkhorst (CC'ed), to put the upload into DELAYED/8 if he approves
(and you do not veto).
I've chosen DELAYED/8 because I will be away from computers starting
tomorrow for a week, and I'd like to be available when the package
enters the queue. 
 

This is the current changelog for the intended NMU:

lcms (1.19.dfsg1-1.3) unstable; urgency=medium

  * Non-maintainer upload.
  * Apply fix from OpenSuse for CVE-2013-4276 (Closes: #718682)
  * Repack orig-source to remove non-dfsg free color profiles. This is
    necessary as the resulting lintian error
    license-problem-md5sum-non-free-file would lead to an autoreject
    (Closes: #736806).
  * Fix CVE-2013-4160 by backporting the fix from lcms-2 (Closes: #728208)

 -- Tobias Frost <tobi@coldtobi.de>  Thu, 27 Mar 2014 12:20:24 +0100

I already attached the patches I will use for the CVEs to the BTS,
but of course I will also send a complete nmudiff later to the BTS.


Best regards,

-- 
Tobi
[signature.asc (application/pgp-signature, inline)]

Reply sent to Tobias Frost <tobi@coldtobi.de>:
You have taken responsibility. (Sat, 05 Apr 2014 09:27:06 GMT) (full text, mbox, link).


Notification sent to Pedro R <pedrib@gmail.com>:
Bug acknowledged by developer. (Sat, 05 Apr 2014 09:27:06 GMT) (full text, mbox, link).


Message #67 received at 718682-close@bugs.debian.org (full text, mbox, reply):

From: Tobias Frost <tobi@coldtobi.de>
To: 718682-close@bugs.debian.org
Subject: Bug#718682: fixed in lcms 1.19.dfsg1-1.3
Date: Sat, 05 Apr 2014 09:25:09 +0000
Source: lcms
Source-Version: 1.19.dfsg1-1.3

We believe that the bug you reported is fixed in the latest version of
lcms, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 718682@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tobias Frost <tobi@coldtobi.de> (supplier of updated lcms package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 27 Mar 2014 12:20:24 +0100
Source: lcms
Binary: liblcms1 liblcms-utils liblcms1-dev python-liblcms
Architecture: source amd64
Version: 1.19.dfsg1-1.3
Distribution: unstable
Urgency: medium
Maintainer: Oleksandr Moskalenko <malex@debian.org>
Changed-By: Tobias Frost <tobi@coldtobi.de>
Description: 
 liblcms-utils - Little CMS color management library utilities
 liblcms1   - Little CMS color management library
 liblcms1-dev - Litle CMS color management library development headers
 python-liblcms - Python bindings for Little CMS color management library
Closes: 718682 728208 736806
Changes: 
 lcms (1.19.dfsg1-1.3) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Apply fix from OpenSuse for CVE-2013-4276 (Closes: #718682)
   * Repack orig-source to remove non-dfsg free color profiles. This is
     necessary as the resulting lintian error
     license-problem-md5sum-non-free-file would lead to an autoreject
     (Closes: #736806).
   * Fix CVE-2013-4160 by backporting the fix from lcms-2 (Closes: #728208)
Checksums-Sha1: 
 73f7ed36593422c36cbb71e1ae827331356a23ad 1690 lcms_1.19.dfsg1-1.3.dsc
 7d9b2f61d3031ae768179be88185734c9ace7771 918019 lcms_1.19.dfsg1.orig.tar.gz
 4b181057fbaab19cfbbc2f129180a119cea9eade 40189 lcms_1.19.dfsg1-1.3.diff.gz
 4840dd2cc1e0780cc8df88175b765537f4558641 95898 liblcms1_1.19.dfsg1-1.3_amd64.deb
 4d4e87a41d8672d3834defe264574667993ba376 47064 liblcms-utils_1.19.dfsg1-1.3_amd64.deb
 7a34e445b879cba1910b24bf367917b16dd163bb 165368 liblcms1-dev_1.19.dfsg1-1.3_amd64.deb
 aaa86043e8770da0dcf6ce0c3ce670beeb703adf 115368 python-liblcms_1.19.dfsg1-1.3_amd64.deb
Checksums-Sha256: 
 4e6cdc1a62981b8595250998ef012b701a333430c93fb13875b2658427a85c96 1690 lcms_1.19.dfsg1-1.3.dsc
 c538a2190ba5d739eb1bbe85d4eb278acb47ee82a37afdfaf538f042f7652faf 918019 lcms_1.19.dfsg1.orig.tar.gz
 844ff561cbda6ee16ae9ae5571b66c1af1a37350c0437a937e097e78d3dbb2d4 40189 lcms_1.19.dfsg1-1.3.diff.gz
 c6527729cc09cabd40be92a664cd9bd9cb78cea65707749c98123a22aa0d48a1 95898 liblcms1_1.19.dfsg1-1.3_amd64.deb
 54f27f645e0bb5d11afcc58a900d92524c7a01c5875ab37f29cdfdafbb3d224a 47064 liblcms-utils_1.19.dfsg1-1.3_amd64.deb
 c537252ed8438c74e32d881990cd7fa60ad74d6344597bc6ddb73292ca86497d 165368 liblcms1-dev_1.19.dfsg1-1.3_amd64.deb
 c36ad98cafc77d872575119bf848a1ef348e009d43a12a0f13342d8b0e5fb678 115368 python-liblcms_1.19.dfsg1-1.3_amd64.deb
Files: 
 90ae46b835128c6436cf44e8ce6160f9 1690 libs optional lcms_1.19.dfsg1-1.3.dsc
 eb1090e0710c5bec27579ea13ef432b4 918019 libs optional lcms_1.19.dfsg1.orig.tar.gz
 46323e563ced0d811038ec76b1e3e6e2 40189 libs optional lcms_1.19.dfsg1-1.3.diff.gz
 7e089ecef874785821946d2726669709 95898 libs optional liblcms1_1.19.dfsg1-1.3_amd64.deb
 3adfccbbd3237bf4354d0965d8f9fa9a 47064 utils optional liblcms-utils_1.19.dfsg1-1.3_amd64.deb
 04e08d91d63ff8f15cd144755493f9c9 165368 libdevel optional liblcms1-dev_1.19.dfsg1-1.3_amd64.deb
 40095e33d315b01c09cc2be2fec909a6 115368 python optional python-liblcms_1.19.dfsg1-1.3_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJTNSp8AAoJEFb2GnlAHawEoNMH/jdmxVa0BMdYY2wv4t0xHMzc
BZjIRKE2NJhIxrPuTambWfAtn4zFYh4UKyK/3lXbzWswAT08pMDYIKjmTMPr0QxM
3zHyRKW4ReOLhCQnNf0XSe8kSRMHJaqU0FhGTvv3uzDcjpgEjKW3UgfyZcQ5aA+R
1ReCqs2sF2kM0TRXPSjlg7se/noe0b8RQIUBBpRzBvY1rfyEHE3hOo9Quhr3khmv
lL2YuHRy9zBzHa0595dbhnWqyyurDGJ3J234KiiXaY7wfGy9fvAqhHB4GC24kfLk
uE022kiXTLv0WbEG7od5ru2dxA8g4EAXXQvztHzb9+fmvWaSH9UWiKDEq71rGjA=
=rlkh
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 04 May 2014 07:34:26 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:12:10 2019; Machine Name: buxtehude
