Debian Bug report logs - #200875
Integer overflow


Package: traceroute-nanog; Maintainer for traceroute-nanog is Daniel Baumann <daniel@lists.debian-maintainers.org>;

Reported by: Matt Zimmerman <mdz@debian.org>

Date: Fri, 11 Jul 2003 13:33:06 UTC

Severity: grave

Tags: confirmed, pending, sarge, security, upstream

Fixed in version traceroute-nanog/6.3.6-3

Done: Martin Godisch <martin@godisch.de>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, godisch@debian.org (Martin A. Godisch):
Bug#200875; Package traceroute-nanog. Full text and rfc822 format available.

Acknowledgement sent to Matt Zimmerman <mdz@debian.org>:
New Bug report received and forwarded. Copy sent to godisch@debian.org (Martin A. Godisch). Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Matt Zimmerman <mdz@debian.org>
To: submit@bugs.debian.org
Subject: Integer overflow
Date: Fri, 11 Jul 2003 09:23:45 -0400
Package: traceroute-nanog
Severity: grave
Tags: security

Ignore the ridiculous claims about root; there is a real bug and it could be
used to gain access to the raw sockets.  A DSA will be released soon.

Honestly, traceroute-nanog has a poor security history, and I wonder whether
it should be shipped without setuid privileges.  What do you think?

----- Forwarded message from assasa sasasaaa <bazrar@hotmail.com> -----

Date: Fri, 20 Jun 2003 06:09:30 +0000
From: assasa sasasaaa <bazrar@hotmail.com>
To: bugtraq@securityfocus.com
Subject: BAZARR FAREWELL 

local root advisory. bye


/* traceroute local root advisory	 			*/
/* by: bazarr							*/
/* bazrar@hotmail.com						*/
/* bazarr episode #*	 					*/

------------------
PREFACE

its me bazarr. i dont use ziplip anymore. resend any emails sent to bazarr@ziplip
to bazrar@hotmail.com if i didnt respond to them. this is a local root vulnerability
in the traceroute shipped with a lot of distros and operating systems.
and ya its really the real bazarr.

lets take a look at the vendor info:

/*
* traceroute host  - trace the route ip packets follow going to "host".
*
* Attempt to trace the route an ip packet would follow to some
* internet host.  We find out intermediate hops by launching probe
* packets with a small ttl (time to live) then listening for an
* icmp "time exceeded" reply from a gateway.  We start our probes
* with a ttl of one and increase by one until we get an icmp "port
* unreachable" (which means we got to "host") or hit a max (which
* defaults to 30 hops & can be changed with the -m flag).  Three
* probes (change with -q flag) are sent at each ttl setting and a
* line is printed showing the ttl, address of the gateway and
* round trip time of each probe.  If the probe answers come from
* different gateways, the address of each responding system will
* be printed.  If there is no response within a 5 sec. timeout
* interval (changed with the -w flag), a "*" is printed for that
* probe.
*/

around the time of the get_origin() bug found by Carl Livitt, debian released a patch for that bug
and a few other little problems in traceroute which no one really bothered to talk about i guess.
but uh lets take a look at the source code for a second. this is after applying the patch by debian
to secure traceroute from buffer overflows.

#define SPRAYMAX 256            /* We'll only do up to 256 TTLs at once */
struct {
       u_long  dport;          /* check for matching dport */
       u_char  ttl;            /* ttl we sent it to */
       u_char  type;           /* icmp response type */
       struct  timeval out;    /* time packet left */
       struct  timeval rtn;    /* time packet arrived */
       struct  sockaddr_in from; /* whom from */
} spray[SPRAYMAX];
int *spray_rtn[SPRAYMAX];       /* See which TTLs have responded */

...

                       case 'S':
                               argc--, AbortIfNull((++av)[0]);
                               min_ttl = atoi(av[0]);
                               if ((min_ttl < 0) || (min_ttl > max_ttl)) {
                                       Fprintf(stderr, "min ttl must be >=%d%s and >0",max_ttl,terminator);
                                       exit(1);
                               }
                               goto nextarg;
                       case 'm':
                               argc--, AbortIfNull((++av)[0]);
                               max_ttl = atoi(av[0]);
                               if (max_ttl < min_ttl) {
                                       Fprintf(stderr, "max ttl must be >%d%s",min_ttl,terminator);
                                       exit(1);
                               }
                               goto nextarg;

...

                       case 'P':
                               spray_mode = 1;
                               break;
                       case 'f':
                               argc--, AbortIfNull((++av)[0]);
                               sport = atoi(av[0]);
                               goto nextarg;
                       case 'q':
                               argc--, AbortIfNull((++av)[0]);
                               nprobes = atoi(av[0]);
                               if (nprobes < 1) {
                                       Fprintf(stderr, "nprobes must be >0%s",terminator);
                                       exit(1);
                               }
                               goto nextarg;
...


       /* Prevent overflow of spray[] array */
       if (spray_mode && (nprobes*max_ttl > SPRAYMAX)) {
               Fprintf(stderr, "too many spray packets\n");
               exit(1);
       }

now what is the first thing we see here. we can control 'nprobes', 'min_ttl' and 'max_ttl'
with any values we want. now debian added this code at the end here with their patch trying to
prevent overflow of the spray[] array i guess. well lets take a look

bazarr:traceroute-nanog-6.1.1$ ./traceroute -P -q 256 -m 2147483648 google.com
traceroute to google.com (216.239.33.100), 2147483647 hops max, 40 byte packets
Segmentation fault
bazarr:traceroute-nanog-6.1.1$

since we can control max_ttl and nprobes all we have to do is make sure that the equation

"nprobes * max_ttl"

will result in an int wrap around and become < SPRAYMAX (256)
which is really easy since its not checking that the value is not < 0 it can just be negative.

now lets take a look at some of our options after we bypass its little check
we go back to the land of source code once again:


  if (!spray_mode) {
     /* For all TTL do */

...


} else {

/*
* Enter Spray mode
*/
  spray_target = spray_max = spray_total = 0;
  spray_min = SPRAYMAX+1;

  /* For all TTL do */
  for (ttl = min_ttl; ttl <= max_ttl; ++ttl) {
     spray_rtn[ttl] = (int *)malloc(sizeof(int)*nprobes + 1);
     for (probe = 0; probe < nprobes; ++probe) {
            spray_rtn[ttl][probe]=0;
        send_probe(++seq, ttl);
     }
  }

what we can see here is multiple possibilities.

spray_rtn[ttl] = (int *)malloc(sizeof(int)*nprobes + 1);

since we can control 'ttl' this tells us we can write a 4 byte ptr anywhere we want.
only thing is that it will be to a 4 byte aligned address so modifying parts of a ret address is out of the question.
and we cannot control the data at the ptr we are able to write so putting shellcode there is out of the question.

so this line tells us we can write a 4 byte ptr returned by malloc anywhere we want, but we can also
force the malloc call to fail and write a 4 byte NULL anywhere we want easily since we can control nprobes
we can make it a pretty big number, bigger than the system can alloc so malloc will fail and return NULL.

this line also tells us since we can control nprobes we can force malloc to alloc too low by supplying a big
value to nprobes, this isnt that great of an option though.

also if we write a NULL then

spray_rtn[ttl][probe] = 0;

is bound to fail with an access violation.

so with that line we can either write a really big number or a really small number anywhere we want on a 4 byte align.
since we cant control the data at the addr we can write its kind of useless. but what about
writing a big number somewhere which would cause another bug? or a small number?

lets take a look at the send_probe() function for a sec:

send_probe(seq, ttl)
int ttl;
int seq;
{
       struct opacket *op = outpacket;
       struct ip *ip = &op->ip;
       struct udphdr *up = &op->udp;
       int i;

     retry:
       if (mtudisc) {
         ip->ip_off = (short) IP_DF;
       }
       else {
         ip->ip_off = 0;
       }

       ip->ip_p = IPPROTO_UDP;
#ifndef BYTESWAP_IP_LEN
       ip->ip_len = ((u_short)datalen-_optlen);   /*  The OS inserts options  */
#else /* BYTESWAP_IP_LEN */
       ip->ip_len = htons((u_short)datalen-_optlen);   /*  The OS inserts options  */
#endif /* BYTESWAP_IP_LEN */
       ip->ip_ttl = ttl;
       ip->ip_v = IP_VERSION;
       ip->ip_hl = sizeof(*ip) >> 2;

       up->uh_sport = htons(ident);
       up->uh_dport = htons(port+seq);
       up->uh_ulen = htons((u_short)(datalen - sizeof(struct ip) - _optlen));
       up->uh_sum = 0;

       op->seq = seq;
       op->ttl = ttl;
#ifndef __linux__
       (void) gettimeofday(&op->tv, NULL);
#else /* __linux__ */
       (void) gettimeofday(&op->tv, &tz);
#endif /* __linux__ */

#ifdef SPRAY
       if (spray_mode) {
          spray[seq].dport = up->uh_dport;
          spray[seq].ttl   = ttl;
          bcopy(&op->tv, &spray[seq].out, sizeof(struct timeval));
       }

....

now we can write past spray[] essentially because 'seq' will be bigger than its sposed to be cuz we can control the value of 'nprobes'.
but we cant write all that much data we want to or even where we want to really. so we can write our 4 byte ptr from above to 'outpacket'
which will point outpacket to a spot in the heap and then we can make 'nprobes' a low number like 4 forcing it to malloc pretty low.
then it will be writing a shit load of data on the heap in spots its not sposed to.

if your gunna try and xploit this bug you probly know your options anyways and i probly missed a lot. but
as you can see there are a lot of possibilities to xploiting this bug. if you do manage to xploit this bug it probly
will be a combination of things inside traceroute to lead to code exec.

------------------
PATCH

:`(

------------------
XPLOIT

:`(

------------------
ADVANCE WARNING

nothing is coming for you anymore.

------------------
GREETS

sad cow - hi sad cow.
dethy - hehe :)
#!FHAB - im all by myself in there on ircs sometimes
puppy of the rain forest - why dont you return my friendly email ? :(
dave aitel - for sending 2 nice emails to me :)
archim - hi
morgan - for telling me he dont really care about anything i do, and refusing to be a big brother towards me, why morgan why JUST GIMMIE A REASON!
spender - for nice conversation with lonely young boy.
bighawk - for taking out cryptome.org

i sent a lot of emails to various people saying 'hi' and no one responded except 2 people. thank you hendy. thank you anonymous p59_9 author.

------------------
BYE

what in the fuck was i thinking doing something like this.
i cant even believe i actually went through with all this.

you aint gunna be seeing bazarr around for long time.
sorry for disruptence. no hard feelings.

farewell.

-bazarr



----- End forwarded message -----

-- 
 - mdz



Reply sent to godisch@debian.org (Martin A. Godisch):
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Matt Zimmerman <mdz@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #10 received at 200875-close@bugs.debian.org (full text, mbox):

From: godisch@debian.org (Martin A. Godisch)
To: 200875-close@bugs.debian.org
Subject: Bug#200875: fixed in traceroute-nanog 6.3.6-3
Date: Fri, 11 Jul 2003 13:47:32 -0400
We believe that the bug you reported is fixed in the latest version of
traceroute-nanog, which is due to be installed in the Debian FTP archive:

traceroute-nanog_6.3.6-3.diff.gz
  to pool/main/t/traceroute-nanog/traceroute-nanog_6.3.6-3.diff.gz
traceroute-nanog_6.3.6-3.dsc
  to pool/main/t/traceroute-nanog/traceroute-nanog_6.3.6-3.dsc
traceroute-nanog_6.3.6-3_i386.deb
  to pool/main/t/traceroute-nanog/traceroute-nanog_6.3.6-3_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 200875@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Martin A. Godisch <godisch@debian.org> (supplier of updated traceroute-nanog package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 11 Jul 2003 19:32:25 +0200
Source: traceroute-nanog
Binary: traceroute-nanog
Architecture: source i386
Version: 6.3.6-3
Distribution: unstable
Urgency: high
Maintainer: Martin A. Godisch <godisch@debian.org>
Changed-By: Martin A. Godisch <godisch@debian.org>
Description: 
 traceroute-nanog - Determine route of packets in TCP/IP networks (NANOG variant)
Closes: 200875
Changes: 
 traceroute-nanog (6.3.6-3) unstable; urgency=high
 .
   * Fixed integer overflow, closes: #200875.
   * Converted debian/changelog to UTF-8.
   * Updated standards version.
Files: 
 323445d6cce9179b25c74ede31676994 637 net extra traceroute-nanog_6.3.6-3.dsc
 64bc4b6acc0030a365e846b51e503702 17441 net extra traceroute-nanog_6.3.6-3.diff.gz
 693726394d1f0a472de9d0e431696ab5 31706 net extra traceroute-nanog_6.3.6-3_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE/DvXCmpGCHWjc1gYRAnhXAKCksP8gpmZ5YOQt+Vni7O/3i4O3twCeLIyL
gxkmDHAH3RGCZvQtXHLGCHQ=
=zvfp
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, godisch@debian.org (Martin A. Godisch):
Bug#200875; Package traceroute-nanog. Full text and rfc822 format available.

Acknowledgement sent to Martin Godisch <martin@godisch.de>:
Extra info received and forwarded to list. Copy sent to godisch@debian.org (Martin A. Godisch). Full text and rfc822 format available.

Message #15 received at 200875@bugs.debian.org (full text, mbox):

From: Martin Godisch <martin@godisch.de>
To: Matt Zimmerman <mdz@debian.org>, 200875@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Bug#200875: Integer overflow
Date: Fri, 11 Jul 2003 20:08:49 +0200
reopen 200875
tags 200875 + confirmed upstream pending woody sarge
thanks

On Fri, Jul 11, 2003 at 09:23:45 -0400, Matt Zimmerman wrote:

> Ignore the ridiculous claims about root; there is a real bug and it could be
> used to gain access to the raw sockets.  A DSA will be released soon.

Thank you! I forwarded this bug to the upstream author.

> Honestly, traceroute-nanog has a poor security history, and I wonder whether
> it should be shipped without setuid privileges.  What do you think?

I agree. The suid-root installation already uses debconf, we should
probably change the default value to non-suid. Daniel, do you agree?

Kind regards,

Martin



Bug reopened, originator not changed. Request was from Martin Godisch <martin@godisch.de> to control@bugs.debian.org. Full text and rfc822 format available.

Tags added: confirmed, upstream, pending, woody, sarge Request was from Martin Godisch <martin@godisch.de> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, godisch@debian.org (Martin A. Godisch):
Bug#200875; Package traceroute-nanog. Full text and rfc822 format available.

Acknowledgement sent to Daniel Kobras <kobras@tat.physik.uni-tuebingen.de>:
Extra info received and forwarded to list. Copy sent to godisch@debian.org (Martin A. Godisch). Full text and rfc822 format available.

Message #24 received at 200875@bugs.debian.org (full text, mbox):

From: Daniel Kobras <kobras@tat.physik.uni-tuebingen.de>
To: Martin Godisch <martin@godisch.de>, 200875@bugs.debian.org
Cc: Matt Zimmerman <mdz@debian.org>
Subject: Re: Bug#200875: Integer overflow
Date: Sat, 12 Jul 2003 12:42:01 +0200
On Fri, Jul 11, 2003 at 08:08:49PM +0200, Martin Godisch wrote:
> On Fri, Jul 11, 2003 at 09:23:45 -0400, Matt Zimmerman wrote:
> 
> > Ignore the ridiculous claims about root; there is a real bug and it could be
> > used to gain access to the raw sockets.  A DSA will be released soon.

Embarrassing. The buggy check was introduced in our very first security fix
in 6.0-2. Didn't plug the hole, it only got smaller...

> > Honestly, traceroute-nanog has a poor security history, and I wonder whether
> > it should be shipped without setuid privileges.  What do you think?
> 
> I agree. The suid-root installation already uses debconf, we should
> probably change the default value to non-suid. Daniel, do you agree?

Changing the debconf default won't buy us a thing. We'd still have to do
security updates for all users choosing the suid installation. If I
understand correctly, Matt wants us to discontinue suid support
completely, right? Given that several vendors and individuals have run
audits on the code by now and still haven't been able to plug all holes,
maybe that's the best option.

Regards,

Daniel.




Information forwarded to debian-bugs-dist@lists.debian.org, godisch@debian.org (Martin A. Godisch):
Bug#200875; Package traceroute-nanog. Full text and rfc822 format available.

Acknowledgement sent to Matt Zimmerman <mdz@debian.org>:
Extra info received and forwarded to list. Copy sent to godisch@debian.org (Martin A. Godisch). Full text and rfc822 format available.

Message #29 received at 200875@bugs.debian.org (full text, mbox):

From: Matt Zimmerman <mdz@debian.org>
To: Martin Godisch <martin@godisch.de>
Cc: 200875@bugs.debian.org, Daniel Kobras <kobras@tat.physik.uni-tuebingen.de>
Subject: Re: Bug#200875: Integer overflow
Date: Sat, 12 Jul 2003 13:18:51 -0400
On Fri, Jul 11, 2003 at 08:08:49PM +0200, Martin Godisch wrote:

> reopen 200875
> tags 200875 + confirmed upstream pending woody sarge
> thanks
> 
> On Fri, Jul 11, 2003 at 09:23:45 -0400, Matt Zimmerman wrote:
> 
> > Ignore the ridiculous claims about root; there is a real bug and it could be
> > used to gain access to the raw sockets.  A DSA will be released soon.
> 
> Thank you! I forwarded this bug to the upstream author.

Thanks for fixing this so quickly.  I'm not certain about the way that you
fixed it, though.  It seems to assume that
sizeof(SHRT_MAX) <= sizeof(INT_MAX)/2 or similar.  I am not sure whether
this is the case on all Debian architectures.

Attached is the patch I used for the DSA package.  Do you see any problems
with it?

-- 
 - mdz



Information forwarded to debian-bugs-dist@lists.debian.org, godisch@debian.org (Martin A. Godisch):
Bug#200875; Package traceroute-nanog. Full text and rfc822 format available.

Acknowledgement sent to Martin Godisch <martin@godisch.de>:
Extra info received and forwarded to list. Copy sent to godisch@debian.org (Martin A. Godisch). Full text and rfc822 format available.

Message #34 received at 200875@bugs.debian.org (full text, mbox):

From: Martin Godisch <martin@godisch.de>
To: Matt Zimmerman <mdz@debian.org>
Cc: 200875@bugs.debian.org
Subject: Re: Bug#200875: Integer overflow
Date: Sat, 12 Jul 2003 19:31:38 +0200
On Sat, Jul 12, 2003 at 13:18:51 -0400, Matt Zimmerman wrote:

> Thanks for fixing this so quickly.  I'm not certain about the way that you
> fixed it, though.  It seems to assume that
> sizeof(SHRT_MAX) <= sizeof(INT_MAX)/2 or similar.  I am not sure whether
> this is the case on all Debian architectures.

Yes, I noted this too, a bit later yesterday. I told Ehud Gavron (the
upstream author) to define some hard limits instead, but he applied my
patch as it is. I think this will be changed again, when I make the
non-suid upload.

> Attached is the patch I used for the DSA package.  Do you see any problems
> with it?

Thank you for the DSA. Can you send the attachment too, please?

Kind regards,

Martin



Information forwarded to debian-bugs-dist@lists.debian.org, godisch@debian.org (Martin A. Godisch):
Bug#200875; Package traceroute-nanog. Full text and rfc822 format available.

Acknowledgement sent to Martin Godisch <martin@godisch.de>:
Extra info received and forwarded to list. Copy sent to godisch@debian.org (Martin A. Godisch). Full text and rfc822 format available.

Message #39 received at 200875@bugs.debian.org (full text, mbox):

From: Martin Godisch <martin@godisch.de>
To: Matt Zimmerman <mdz@debian.org>
Cc: 200875@bugs.debian.org
Subject: Re: Bug#200875: Integer overflow
Date: Sat, 12 Jul 2003 22:00:44 +0200
On Sat, Jul 12, 2003 at 13:18:51 -0400, Matt Zimmerman wrote:

> It seems to assume that
> sizeof(SHRT_MAX) <= sizeof(INT_MAX)/2 or similar.  I am not sure whether
> this is the case on all Debian architectures.

Just for the record: SHRT_MAX == 2^15-1, INT_MAX == 2^31-1 on all
released architectures, mips untested. I will change it anyway.

Kind regards,

Martin



Information forwarded to debian-bugs-dist@lists.debian.org, godisch@debian.org (Martin A. Godisch):
Bug#200875; Package traceroute-nanog. Full text and rfc822 format available.

Acknowledgement sent to Matt Zimmerman <mdz@debian.org>:
Extra info received and forwarded to list. Copy sent to godisch@debian.org (Martin A. Godisch). Full text and rfc822 format available.

Message #44 received at 200875@bugs.debian.org (full text, mbox):

From: Matt Zimmerman <mdz@debian.org>
To: Martin Godisch <martin@godisch.de>, 200875@bugs.debian.org
Subject: Re: Bug#200875: Integer overflow
Date: Sat, 12 Jul 2003 20:39:24 -0400
[Message part 1 (text/plain, inline)]
On Sat, Jul 12, 2003 at 07:31:38PM +0200, Martin Godisch wrote:

> On Sat, Jul 12, 2003 at 13:18:51 -0400, Matt Zimmerman wrote:
> > Attached is the patch I used for the DSA package.  Do you see any problems
> > with it?
> 
> Thank you for the DSA. Can you send the attachment too, please?

Ack, I did not send it?  Here it is.  The interesting part of the patch is:

@@ -1032,7 +1040,7 @@
        }
 #ifdef SPRAY
        /* Prevent overflow of spray[] array */
-       if (spray_mode && (nprobes*max_ttl > SPRAYMAX)) {
+       if (spray_mode && nprobes >= SPRAYMAX/max_ttl){
                Fprintf(stderr, "too many spray packets\n");
                exit(1);
        }
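
Review bot: the new condition `nprobes >= SPRAYMAX/max_ttl` divides by `max_ttl` without first checking it for zero. The `-m` handler quoted earlier in this report only rejects `max_ttl < min_ttl`, and the `-S` handler accepts a `min_ttl` of 0, so whenever `min_ttl` is 0 a `-m 0` combined with `-P` reaches this division with a zero divisor. Suggest rejecting that case first, for example `if (spray_mode && (max_ttl == 0 || nprobes >= SPRAYMAX/max_ttl))`. Integer division also truncates, so the check is now stricter than the old comparison (with `max_ttl` 30, `nprobes` 8 is refused although 8*30 is 240, and a product of exactly SPRAYMAX is refused too); a short comment saying that this is intended would help the next reader.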

in addition to changing the variables involved to be unsigned.

-- 
 - mdz
[traceroute-nanog.diff (text/plain, attachment)]
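
The difference between the original multiplication check and the division form in the patch above, as an added example that is not part of this thread or of the traceroute-nanog source. The function names, the explicit 32-bit wrap model and the `max_ttl == 0` guard are assumptions of this example; the inputs are constructed from values quoted in the report.

```c
#include <stdint.h>
#include <stdio.h>

#define SPRAYMAX 256 /* same limit as in the quoted source */

/* What nprobes*max_ttl becomes in a 32-bit int when the product wraps.
 * Signed overflow is undefined in C, so the wrap is modelled with
 * unsigned arithmetic and mapped back to two's complement by hand. */
static int32_t wrapped_product(int32_t nprobes, int32_t max_ttl)
{
    uint64_t wide = (uint64_t)(uint32_t)nprobes * (uint32_t)max_ttl;
    uint32_t low = (uint32_t)(wide & 0xFFFFFFFFu);

    if (low <= (uint32_t)INT32_MAX)
        return (int32_t)low;
    return -(int32_t)(UINT32_MAX - low) - 1;
}

/* Original check: 1 = rejected ("too many spray packets"), 0 = accepted. */
static int original_check_rejects(int32_t nprobes, int32_t max_ttl)
{
    return wrapped_product(nprobes, max_ttl) > SPRAYMAX;
}

/* Division form from the patch, on unsigned operands. No multiplication,
 * so there is nothing left to wrap. */
static int division_check_rejects(uint32_t nprobes, uint32_t max_ttl)
{
    if (max_ttl == 0) /* guard added in this example: no division by zero */
        return 1;
    return nprobes >= SPRAYMAX / max_ttl;
}

int main(void)
{
    /* Constructed inputs: the defaults named in the header comment
     * (3 probes, 30 hops), the values from the advisory's command line
     * as the program reported them, and two boundary cases. */
    static const struct { int32_t nprobes, max_ttl; } cases[] = {
        { 3, 30 }, { 256, 2147483647 }, { 256, 1 }, { 1, 0 },
    };
    size_t i;

    for (i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int32_t q = cases[i].nprobes, m = cases[i].max_ttl;

        printf("-q %d -m %d: product as int = %d, original %s, patched %s\n",
               (int)q, (int)m, (int)wrapped_product(q, m),
               original_check_rejects(q, m) ? "rejects" : "accepts",
               division_check_rejects((uint32_t)q, (uint32_t)m)
                   ? "rejects" : "accepts");
    }
    return 0;
}
```

For the advisory's values the wrapped product is -256, which is not greater than SPRAYMAX, so the original comparison lets the input through while the division form refuses it.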

Information forwarded to debian-bugs-dist@lists.debian.org, godisch@debian.org (Martin A. Godisch):
Bug#200875; Package traceroute-nanog. Full text and rfc822 format available.

Acknowledgement sent to Martin Godisch <martin@godisch.de>:
Extra info received and forwarded to list. Copy sent to godisch@debian.org (Martin A. Godisch). Full text and rfc822 format available.

Message #49 received at 200875@bugs.debian.org (full text, mbox):

From: Martin Godisch <martin@godisch.de>
To: Matt Zimmerman <mdz@debian.org>
Cc: 200875@bugs.debian.org
Subject: Re: Bug#200875: Integer overflow
Date: Sun, 13 Jul 2003 07:25:27 +0200
On Sat, Jul 12, 2003 at 20:39:24 -0400, Matt Zimmerman wrote:

> Ack, I did not send it?  Here it is.

Thanks, forwarded upstream.

Kind regards,

Martin



Tags removed: woody Request was from Martin Godisch <martin@godisch.de> to control@bugs.debian.org. Full text and rfc822 format available.

Bug closed, send any further explanations to Matt Zimmerman <mdz@debian.org> Request was from Martin Godisch <martin@godisch.de> to control@bugs.debian.org. Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 04:29:30 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.