Hi Vincent,

Quoting Vincent Lefevre (2025-01-30 02:44:41)
> On 2025-01-28 16:05:13 +0100, Johannes Schauer Marin Rodrigues wrote:
> > I can confirm this issue with mailgraph on our systems. This makes mailgraph
> > completely unusable, thus raising the severity to RC. Here is an example of 
> > an
> > anonymized log snippet which fails:
> > 
> > 2025-01-28T14:12:33.468866+01:00 email imapd: LOGIN, user=, ip=[::ffff:], 
> > port=[61585], protocol=IMAP
> > 2025-01-28T14:12:37.980934+01:00 email imapd: Connection, ip=[::ffff:], 
> > port=[50131]
> > 2025-01-28T14:12:38.404263+01:00 email imapd: LOGIN, user=, 
> > ip=[::ffff:31.16.250.164], port=[50131], protocol=IMAP
> > 2025-01-28T14:13:28.289022+01:00 email postfix/smtpd[92141]: connect from 
> > unknown[]
> > 2025-01-28T14:13:28.349994+01:00 email postfix/smtpd[92141]: disconnect 
> > from unknown[] ehlo=1 auth=0/1 quit=1
> 
> I don't understand. This seems to be the same date format as on
> bookworm. For instance, on my machine:
> 
> 2025-01-30T02:41:37.887175+01:00 joooj postfix/smtp[310973]: [...]
> 
> This was fixed there:
> 
>   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051496

lets look at some reproducers. For easier copypasting of the multiline log
snippet into a shell one-liner I'm converting my example snippet from above to
the following gzipped base64 representation:

echo 
H4sICIztmGcAA2xvZwCVjz1PwzAQQPf+ittJXd/ZMbYlD6gDqsTXwBZliPKhWiR2mjiCn0+BCRoJuOV0y3v3iFO+5bgl/YzSIlkhmFRaK3XF0XIO7VD5HvxQjY2Fu8fbw0MGy9xOLgM/usLa7jy2zGCMU3KFwlznH9cUU6xj7w73N08burBcM6O5EXLNso8htHXyMaw7co4CyxWoZpJLUuJfrwtkqBjl/LzkD8cvHcKSZqQNJ/qmHOOcOv+2m4c0NoUhlFhaqL+yoJviAEt4CfE1FBcZn0whjTHyD8zGz+tYaI99dAjVko6O7xBOi08ON++wHLyi8AEAAA==
 | base64 -d | gzip -cd
2025-01-28T14:12:33.468866+01:00 email imapd: LOGIN, user=, ip=[::ffff:], 
port=[61585], protocol=IMAP
2025-01-28T14:12:37.980934+01:00 email imapd: Connection, ip=[::ffff:], 
port=[50131]
2025-01-28T14:12:38.404263+01:00 email imapd: LOGIN, user=, 
ip=[::ffff:31.16.250.164], port=[50131], protocol=IMAP
2025-01-28T14:13:28.289022+01:00 email postfix/smtpd[92141]: connect from 
unknown[]
2025-01-28T14:13:28.349994+01:00 email postfix/smtpd[92141]: disconnect from 
unknown[] ehlo=1 auth=0/1 quit=1

First lets try the log snippet above with mailgraph from bookworm:

mmdebstrap --include=mailgraph \
    --customize-hook='echo 
H4sICIztmGcAA2xvZwCVjz1PwzAQQPf+ittJXd/ZMbYlD6gDqsTXwBZliPKhWiR2mjiCn0+BCRoJuOV0y3v3iFO+5bgl/YzSIlkhmFRaK3XF0XIO7VD5HvxQjY2Fu8fbw0MGy9xOLgM/usLa7jy2zGCMU3KFwlznH9cUU6xj7w73N08burBcM6O5EXLNso8htHXyMaw7co4CyxWoZpJLUuJfrwtkqBjl/LzkD8cvHcKSZqQNJ/qmHOOcOv+2m4c0NoUhlFhaqL+yoJviAEt4CfE1FBcZn0whjTHyD8zGz+tYaI99dAjVko6O7xBOi08ON++wHLyi8AEAAA==
 | base64 -d | gzip -cd > "$1"/log' \
    --chrooted-customize-hook='mailgraph --logfile /log --cat' bookworm 
/dev/null

This will result in the following output:

WARNING: line not in syslog format: 2025-01-28T14:12:33.468866+01:00 email 
imapd: LOGIN, user=, ip=[::ffff:], port=[61585], protocol=IMAP
WARNING: line not in syslog format: 2025-01-28T14:12:37.980934+01:00 email 
imapd: Connection, ip=[::ffff:], port=[50131]
WARNING: line not in syslog format: 2025-01-28T14:12:38.404263+01:00 email 
imapd: LOGIN, user=, ip=[::ffff:31.16.250.164], port=[50131], protocol=IMAP
WARNING: line not in syslog format: 2025-01-28T14:13:28.289022+01:00 email 
postfix/smtpd[92141]: connect from unknown[]
WARNING: line not in syslog format: 2025-01-28T14:13:28.349994+01:00 email 
postfix/smtpd[92141]: disconnect from unknown[] ehlo=1 auth=0/1 quit=1

The error message comes from here:

https://sources.debian.org/src/mailgraph/1.14-20/mailgraph.pl/#L218

So lets have a look at the time regex a few lines above:

            (\S{3})\s+(\d+)      # date  -- 1, 2
            \s
            (\d+):(\d+):(\d+)    # time  -- 3, 4, 5

This cannot possibly match the ISO8601 date from the log above. Do you agree?

If you look at mailgraph in Trixie, it still uses the same regex:

https://sources.debian.org/src/mailgraph/1.14-22/mailgraph.pl/#L229

Then look at the patch I provided in my last message. The important part is
hunk 5 which changes the regex to this one:

           (\d+)-(\d+)-(\d+)T(\d+):(\d+):(\d+)\S+  # datetime

That is why the patch provided by Dimitar and updated by me fixes this.

I hope this helps clearing things up. :)

Thanks!

cheers, josch

Attachment: signature.asc
Description: signature

Reply via email to