Debian Bug report logs - #496427
The possibility of attack with the help of symlinks in some Debian packages

version graph

Package: lmbench; Maintainer for lmbench is Al Stone <ahs3@debian.org>; Source for lmbench is src:lmbench.

Reported by: "Dmitry E. Oboukhov" <dimka@uvw.ru>

Date: Sun, 24 Aug 2008 18:12:01 UTC

Severity: grave

Tags: confirmed, security

Fixed in version lmbench/3.0-a9-1

Done: Al Stone <ahs3@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Al Stone <ahs3@debian.org>:
Bug#496427; Package lmbench. Full text and rfc822 format available.

Acknowledgement sent to "Dmitry E. Oboukhov" <dimka@uvw.ru>:
New Bug report received and forwarded. Copy sent to Al Stone <ahs3@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: "Dmitry E. Oboukhov" <dimka@uvw.ru>
To: submit@bugs.debian.org
Cc: dimka@uvw.ru
Subject: The possibility of attack with the help of symlinks in some Debian packages
Date: Sun, 24 Aug 2008 22:05:29 +0400
Package: lmbench
Severity: grave

Hi, maintainer!

This message about the error concerns a few packages  at  once.   I've
tested all the packages (for Lenny) on my Debian mirror.  All  scripts
of packages (marked as executable) were tested.

In some packages I've discovered scripts with errors which may be used
by a user for damaging important system files or user's files.

For example if a script uses in its work a temp file which is  created
in /tmp directory, then every user can create symlink  with  the  same
name in this directory in order to  destroy  or  rewrite  some  system
or user file.  Symlink attack may also  lead  not  only  to  the  data
desctruction but to denial of service as well.

Even if you create files or directories with help of function 'RANDOM'
or pid(), then your system is not protected. Attacker can create many
symlinks in order to destroy your data or create 'denial  of  service'
for your package scripts.

Even if you make rm(dir) for files/directories, then  your  system  is
not protected. Attacker can permanently create symlinks.

This list is created with the help of script.  This list is sorted  by
hand. Howewer in some cases mistake is possible.

Please, Be understanding to possible mistakes. :)

I set Severity into grave for this bug. The table of discovered
problems is below.

Discussion of this bug you can see in debian-devel@:
    http://lists.debian.org/debian-devel/2008/08/msg00271.html

Binary-package: r-base-core-ra (1.1.1-1)
    file: /usr/lib/Ra/lib/R/bin/javareconf
Binary-package: rccp (0.9-2)
    file: /usr/lib/rccp/delqueueask
Binary-package: mafft (6.240-1)
    file: /usr/bin/mafft-homologs
Binary-package: openoffice.org-common (1:2.4.1-6)
    file: /usr/lib/openoffice/program/senddoc
Binary-package: crossfire-maps (1.11.0-1)
    file: /usr/share/games/crossfire/maps/Info/combine.pl
Binary-package: sgml2x (1.0.0-11.1)
    file: /usr/bin/rlatex
Binary-package: liguidsoap (0.3.6-4)
    file: /var/lib/liguidsoap/liguidsoap.py
Binary-package: citadel-server (7.37-1)
    file: /usr/lib/citadel-server/migrate_aliases.sh
Binary-package: ampache (3.4.1-1)
    file: /usr/share/ampache/www/locale/base/gather-messages.sh
Binary-package: xen-utils-3.2-1 (3.2.1-2)
    file: /usr/lib/xen-3.2-1/bin/qemu-dm.debug
Binary-package: dtc-common (0.29.6-1)
    file: /usr/share/dtc/admin/accesslog.php
    file: /usr/share/dtc/admin/sa-wrapper
Binary-package: honeyd-common (1.5c-3)
    file: /usr/share/honeyd/scripts/test.sh
Binary-package: lustre-tests (1.6.5-1)
    file: /usr/lib/lustre/tests/runiozone
Binary-package: linuxtrade (3.65-8+b4)
    file: /usr/share/linuxtrade/bin/linuxtrade.bwkvol
    file: /usr/share/linuxtrade/bin/linuxtrade.wn
    file: /usr/share/linuxtrade/bin/moneyam.helper
Binary-package: freevo (1.8.1-0)
    file: /usr/bin/freevo.real
Binary-package: fml (4.0.3.dfsg-2)
    file: /usr/share/fml/libexec/mead.pl
Binary-package: rkhunter (1.3.2-3)
    file: /usr/bin/rkhunter
Binary-package: openswan (1:2.4.12+dfsg-1.1)
    file: /usr/lib/ipsec/livetest
Binary-package: linux-patch-openswan (1:2.4.12+dfsg-1.1)
    file: /usr/src/kernel-patches/all/openswan/packaging/utils/maysnap
    file: /usr/src/kernel-patches/all/openswan/packaging/utils/maytest
Binary-package: aptoncd (0.1-1.1)
    file: /usr/share/aptoncd/xmlfile.py
Binary-package: cdcontrol (1.90-1.1)
    file: /usr/lib/cdcontrol/writtercontrol
Binary-package: newsgate (1.6-23)
    file: /usr/bin/mkmailpost
Binary-package: gpsdrive-scripts (2.10~pre4-3)
    file: /usr/bin/geo-code
Binary-package: impose+ (0.2-11)
    file: /usr/bin/impose
Binary-package: mgt (2.31-5)
    file: /usr/games/mailgo
Binary-package: audiolink (0.05-1)
    file: /usr/bin/audiolink
Binary-package: ibackup (2.27-4.1)
    file: /usr/bin/ibackup
Binary-package: emacspeak (26.0-3)
    file: /usr/share/emacs/site-lisp/emacspeak/etc/extract-table.pl
Binary-package: bk2site (1:1.1.9-3.1)
    file: /usr/lib/cgi-bin/bk2site/redirect.pl
Binary-package: datafreedom-perl (0.1.7-1)
    file: /usr/bin/dfxml-invoice
Binary-package: emacs-jabber (0.7.91-1)
    file: /usr/lib/emacsen-common/packages/install/emacs-jabber
Binary-package: lmbench (3.0-a7-1)
    file: /usr/lib/lmbench/scripts/rccs
    file: /usr/lib/lmbench/scripts/STUFF
Binary-package: rancid-util (2.3.2~a8-1)
    file: /var/lib/rancid/getipacctg
Binary-package: ogle (0.9.2-5.2)
    file: /usr/lib/ogle/ogle_audio_debug
    file: /usr/lib/ogle/ogle_cli_debug
    file: /usr/lib/ogle/ogle_ctrl_debug
    file: /usr/lib/ogle/ogle_gui_debug
    file: /usr/lib/ogle/ogle_mpeg_ps_debug
    file: /usr/lib/ogle/ogle_mpeg_vs_debug
    file: /usr/lib/ogle/ogle_nav_debug
    file: /usr/lib/ogle/ogle_vout_debug
Binary-package: firehol (1.256-4)
    file: /sbin/firehol
Binary-package: aview (1.3.0rc1-8)
    file: /usr/bin/asciiview
Binary-package: radiance (3R9+20080530-3)
    file: /usr/bin/optics2rad
    file: /usr/bin/pdelta
    file: /usr/bin/dayfact
    file: /usr/bin/raddepend
Binary-package: vdr-dbg (1.6.0-5)
    file: /usr/bin/vdrleaktest
Binary-package: ogle-mmx (0.9.2-5.2)
    file: /usr/lib/ogle/ogle_audio_debug
    file: /usr/lib/ogle/ogle_cli_debug
    file: /usr/lib/ogle/ogle_ctrl_debug
    file: /usr/lib/ogle/ogle_gui_debug
    file: /usr/lib/ogle/ogle_mpeg_ps_debug
    file: /usr/lib/ogle/ogle_mpeg_vs_debug
    file: /usr/lib/ogle/ogle_nav_debug
    file: /usr/lib/ogle/ogle_vout_debug
Binary-package: convirt (0.8.2-3)
    file: /usr/share/convirt/image_store/_template_/provision.sh
    file: /usr/share/convirt/image_store/Linux_CD_Install/provision.sh
    file: /usr/share/convirt/image_store/Fedora_PV_Install/provision.sh
    file: /usr/share/convirt/image_store/CentOS_PV_Install/provision.sh
    file: /usr/share/convirt/image_store/common/provision.sh
    file: /usr/share/convirt/image_store/example/provision.sh
    file: /usr/share/convirt/image_store/Windows_CD_Install/provision.sh
Binary-package: printfilters-ppd (2.13-9)
    file: /usr/lib/printfilters/master-filter
Binary-package: r-base-core (2.7.1-1)
    file: /usr/lib/R/bin/javareconf
    file: /usr/lib/R/bin/javareconf.orig
Binary-package: xmcd (2.6-19.3)
    file: /usr/share/xmcd/scripts/ncsarmt
    file: /usr/share/xmcd/scripts/ncsawrap
Binary-package: tiger (1:3.2.2-3.1)
    file: /usr/lib/tiger/util/genmsgidx
Binary-package: scilab-bin (4.1.2-5)
    file: /usr/lib/scilab-4.1.2/bin/scilink
    file: /usr/lib/scilab-4.1.2/util/scidoc
    file: /usr/lib/scilab-4.1.2/util/scidem
Binary-package: dpkg-cross (2.3.0)
    file: /usr/share/dpkg-cross/bin/gccross
Binary-package: ltp-network-test (20060918-2.1)
    file: /usr/lib/debian-test/tests/linux/testcases/bin/ftp_setup_vsftp_conf
    file: /usr/lib/debian-test/tests/linux/testcases/bin/nfs_fsstress.sh
Binary-package: cman (2.20080629-1)
    file: /usr/sbin/fence_egenera
Binary-package: scratchbox2 (1.99.0.24-1)
    file: /usr/share/scratchbox2/scripts/dpkg-checkbuilddeps
    file: /usr/share/scratchbox2/scripts/sb2-check-pkg-mappings
Binary-package: sendmail-base (8.14.3-5)
    file: /usr/sbin/checksendmail
    file: /usr/bin/expn
Binary-package: fwbuilder (2.1.19-3)
    file: /usr/bin/fwb_install
Binary-package: sng (1.0.2-5)
    file: /usr/bin/sng_regress
Binary-package: dist (1:3.5-17-1)
    file: /usr/bin/patcil
    file: /usr/bin/patdiff
Binary-package: sympa (5.3.4-5)
    file: /usr/lib/cgi-bin/sympa/wwsympa.fcgi
    file: /usr/lib/sympa/bin/sympa.pl
Binary-package: postfix (2.5.2-2)
    file: /usr/lib/postfix_groups.pl
Binary-package: caudium (3:1.4.12-11)
    file: /usr/share/caudium/configvar
Binary-package: mgetty-fax (1.1.36-1.2)
    file: /usr/bin/faxspool
Binary-package: aegis (4.24-3)
    file: /usr/share/doc/aegis/examples/remind/bng_dvlpd.sh
    file: /usr/share/doc/aegis/examples/remind/bng_rvwd.sh
    file: /usr/share/doc/aegis/examples/remind/awt_dvlp.sh
    file: /usr/share/doc/aegis/examples/remind/awt_intgrtn.sh
Binary-package: aegis-web (4.24-3)
    file: /usr/lib/cgi-bin/aegis.cgi
Binary-package: digitaldj (0.7.5-6+b1)
    file: /usr/share/digitaldj/fest.pl
Binary-package: mon (0.99.2-12)
    file: /usr/lib/mon/alert.d/test.alert
Binary-package: feta (1.4.16)
    file: /usr/share/feta/plugins/to-upgrade
Binary-package: arb-common (0.0.20071207.1-4)
    file: /usr/lib/arb/SH/arb_fastdnaml
    file: /usr/lib/arb/SH/dszmconnect.pl
Binary-package: qemu (0.9.1-5)
    file: /usr/sbin/qemu-make-debian-root
Binary-package: apertium (3.0.7+1-1+b1)
    file: /usr/bin/apertium-gen-deformat
    file: /usr/bin/apertium-gen-reformat
    file: /usr/bin/apertium
Binary-package: xcal (4.1-18.3)
    file: /usr/bin/pscal
Binary-package: myspell-tools (1:3.1-20)
    file: /usr/bin/i2myspell
Binary-package: gccxml (0.9.0+cvs20080525-1)
    file: /usr/share/gccxml-0.9/MIPSpro/find_flags
Binary-package: freeradius-dialupadmin (2.0.4+dfsg-4)
    file: /usr/share/freeradius-dialupadmin/bin/backup_radacct
    file: /usr/share/freeradius-dialupadmin/bin/clean_radacct
    file: /usr/share/freeradius-dialupadmin/bin/monthly_tot_stats
    file: /usr/share/freeradius-dialupadmin/bin/tot_stats
    file: /usr/share/freeradius-dialupadmin/bin/truncate_radacct
Binary-package: dhis-server (5.3-1)
    file: /usr/lib/dhis-server/dhis-dummy-log-engine
Binary-package: wims (3.62-13)
    file: /var/lib/wims/public_html/bin/coqweb
    file: /var/lib/wims/bin/account.sh
Binary-package: initramfs-tools (0.92f)
    file: /usr/share/initramfs-tools/init
Binary-package: realtimebattle-common (1.0.8-7)
    file: /usr/lib/realtimebattle/Robots/perl.robot
Binary-package: netmrg (0.20-1)
    file: /usr/bin/rrdedit
Binary-package: bulmages-servers (0.11.1-2)
    file: /usr/share/bulmages/examples/scripts/actualizabulmacont
    file: /usr/share/bulmages/examples/scripts/installbulmages-db
    file: /usr/share/bulmages/examples/scripts/creabulmafact
    file: /usr/share/bulmages/examples/scripts/creabulmacont
    file: /usr/share/bulmages/examples/scripts/actualizabulmafact
Binary-package: xastir (1.9.2-1)
    file: /usr/lib/xastir/get-maptools.sh
    file: /usr/lib/xastir/get_shapelib.sh
Binary-package: plait (1.5.2-1)
    file: /usr/bin/plaiter
    file: /usr/bin/plait
Binary-package: cdrw-taper (0.4-2)
    file: /usr/sbin/amlabel-cdrw
Binary-package: konwert-filters (1.8-11.1)
    file: /usr/share/konwert/filters/any-UTF8
Binary-package: gdrae (0.1-1)
    file: /usr/bin/gdrae
Binary-package: lazarus-src (0.9.24-0-9)
    file: /usr/lib/lazarus/tools/install/create_lazarus_export_tgz.sh




Tags added: Request was from "Dmitry E. Oboukhov" <dimka@uvw.ru> to control@bugs.debian.org. (Tue, 26 Aug 2008 08:45:55 GMT) Full text and rfc822 format available.

Tags added: security Request was from "Dmitry E. Oboukhov" <dimka@uvw.ru> to control@bugs.debian.org. (Tue, 26 Aug 2008 08:57:43 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Al Stone <ahs3@debian.org>:
Bug#496427; Package lmbench. Full text and rfc822 format available.

Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Al Stone <ahs3@debian.org>. Full text and rfc822 format available.

Message #14 received at 496427@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@debian.org>
To: 496427@bugs.debian.org
Cc: control@bugs.debian.org
Subject: confirmed to be present
Date: Wed, 27 Aug 2008 14:27:28 +0200
[Message part 1 (text/plain, inline)]
tags 496427 confirmed
thanks

Indeed present, a simple grep yields a number of different results already, 
see below. As the code contains many instances of different things written 
to /tmp, it may make sense to resolve that by creating one private working 
dir securely, and then prefixing that path to all uses of /tmp.


Thijs

./lmbench-3.0-a7/src/bench.h:97:#define UNIX_CONTROL    "/tmp/lmbench.ctl"
./lmbench-3.0-a7/src/bench.h:98:#define UNIX_DATA       "/tmp/lmbench.data"
./lmbench-3.0-a7/src/bench.h:99:#define UNIX_LAT        "/tmp/lmbench.lat"
./lmbench-3.0-a7/src/rhttp.c:81:                        
sprintf(name, "/tmp/rhttp%d", i);
./lmbench-3.0-a7/src/rhttp.c:96:        system("cat /tmp/rhttp*; 
rm /tmp/rhttp*");
./lmbench-3.0-a7/src/rhttp.c:106:               sprintf(buf, "/tmp/http%d", 
i);
./lmbench-3.0-a7/src/lat_fcntl.c:105:   
sprintf(state->filename1, "/tmp/lmbench-fcntl%d.1", getpid());
./lmbench-3.0-a7/src/lat_fcntl.c:106:   
sprintf(state->filename2, "/tmp/lmbench-fcntl%d.2", getpid());
./lmbench-3.0-a7/src/lat_unix_connect.c:18:#define CONNAME "/tmp/af_unix"
./lmbench-3.0-a7/src/lat_fifo.c:15:#define      F1      "/tmp/lmbench_f1.%d"
./lmbench-3.0-a7/src/lat_fifo.c:16:#define      F2      "/tmp/lmbench_f2.%d"
./lmbench-3.0-a7/src/lat_proc.c:20:#define      PROG "/tmp/hello-s"
./lmbench-3.0-a7/src/lat_proc.c:23:#define      PROG "/tmp/hello"
./lmbench-3.0-a7/src/lmhttp.c:23:#define        
LOGFILE         "/usr/tmp/lmhttp.log"
./lmbench-3.0-a7/scripts/SHIT:594:                      system "co -q -p -kkvl 
$rev $_[$i] > /tmp/sdiff.$$" .
./lmbench-3.0-a7/scripts/SHIT:595:                          "&& 
$diff /tmp/sdiff.$$ $working[$i]";
./lmbench-3.0-a7/scripts/SHIT:597:                      unlink("/tmp/sdiff.
$$");./lmbench-3.0-a7/scripts/rccs:603:                      
system "co -q -p -kkvl $rev $_[$i] > /tmp/sdiff.$$" .
./lmbench-3.0-a7/scripts/rccs:604:                          "&& 
$diff /tmp/sdiff.$$ $working[$i]";
./lmbench-3.0-a7/scripts/rccs:606:                      unlink("/tmp/sdiff.
$$");


[Message part 2 (application/pgp-signature, inline)]

Tags added: confirmed Request was from Thijs Kinkhorst <thijs@debian.org> to control@bugs.debian.org. (Wed, 27 Aug 2008 12:30:06 GMT) Full text and rfc822 format available.

Reply sent to Al Stone <ahs3@debian.org>:
You have taken responsibility. (Mon, 23 Feb 2009 06:15:04 GMT) Full text and rfc822 format available.

Notification sent to "Dmitry E. Oboukhov" <dimka@uvw.ru>:
Bug acknowledged by developer. (Mon, 23 Feb 2009 06:15:05 GMT) Full text and rfc822 format available.

Message #21 received at 496427-close@bugs.debian.org (full text, mbox):

From: Al Stone <ahs3@debian.org>
To: 496427-close@bugs.debian.org
Subject: Bug#496427: fixed in lmbench 3.0-a9-1
Date: Mon, 23 Feb 2009 05:47:05 +0000
Source: lmbench
Source-Version: 3.0-a9-1

We believe that the bug you reported is fixed in the latest version of
lmbench, which is due to be installed in the Debian FTP archive:

lmbench-doc_3.0-a9-1_all.deb
  to pool/non-free/l/lmbench/lmbench-doc_3.0-a9-1_all.deb
lmbench_3.0-a9-1.diff.gz
  to pool/non-free/l/lmbench/lmbench_3.0-a9-1.diff.gz
lmbench_3.0-a9-1.dsc
  to pool/non-free/l/lmbench/lmbench_3.0-a9-1.dsc
lmbench_3.0-a9-1_i386.deb
  to pool/non-free/l/lmbench/lmbench_3.0-a9-1_i386.deb
lmbench_3.0-a9.orig.tar.gz
  to pool/non-free/l/lmbench/lmbench_3.0-a9.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 496427@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Al Stone <ahs3@debian.org> (supplier of updated lmbench package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 22 Feb 2009 18:20:00 -0700
Source: lmbench
Binary: lmbench lmbench-doc
Architecture: source all i386
Version: 3.0-a9-1
Distribution: unstable
Urgency: low
Maintainer: Al Stone <ahs3@debian.org>
Changed-By: Al Stone <ahs3@debian.org>
Description: 
 lmbench    - Utilities to benchmark UNIX systems
 lmbench-doc - Documentation for the lmbench benchmark suite
Closes: 470279 496427
Changes: 
 lmbench (3.0-a9-1) unstable; urgency=low
 .
   * Update to latest upstream (3.0-a9).
   * Update to latest Standards-Version.
   * Incorporate Ubuntu patch: depend on libc6-dev (LP: #246618)
   * Closes: bug#470279 -- replaced all uses of /usr/tmp with /var/tmp
   * Closes: bug#496427 -- removed risk of /tmp symlink attacks by moving
     all usage of /tmp to /var/tmp/lmbench
Checksums-Sha1: 
 63ae25a5e83165cc772798fb3b2d6d82d7ed75d6 977 lmbench_3.0-a9-1.dsc
 0ac51bd0a871e0dc4d070aca8e734c57b3a122b2 417326 lmbench_3.0-a9.orig.tar.gz
 da6cbb986a69d8a6e45ab54522ec0b616a573f8b 14264 lmbench_3.0-a9-1.diff.gz
 fc6630426a4b2768907f5c6dc6616c6553c41c85 274412 lmbench-doc_3.0-a9-1_all.deb
 ba205fa45b5b68ca94742843bb516e09e96dc2ab 1024032 lmbench_3.0-a9-1_i386.deb
Checksums-Sha256: 
 1176116df24e807356a14366176a87fa6058423350d26288acc97a99cc0a5314 977 lmbench_3.0-a9-1.dsc
 8e1746e5e0299d67ce26469fba6dfdabcd5125f4a07403cb635f4be76c1ab00b 417326 lmbench_3.0-a9.orig.tar.gz
 9f3784259adbb5d9c8fa2b386119c18caf9458137aa76bb236db66978a99ad1a 14264 lmbench_3.0-a9-1.diff.gz
 ef9c9752c8e1f8b4e587a3d0f065c8419cb24f29c327d0bc9b4242c7b4600f5a 274412 lmbench-doc_3.0-a9-1_all.deb
 5d16a66ecd2af73cc9e971357f90acb45e6a8e31e1652f836368b8336761a811 1024032 lmbench_3.0-a9-1_i386.deb
Files: 
 2bf5c4e38982292aff5bd64010858ed4 977 non-free/admin optional lmbench_3.0-a9-1.dsc
 ff8978a900999b60b336e56e368bef59 417326 non-free/admin optional lmbench_3.0-a9.orig.tar.gz
 2c63c50a0b6d3c3736f5f5c40ea9ffbf 14264 non-free/admin optional lmbench_3.0-a9-1.diff.gz
 c403ddcac1ae456563f616bbdf52bd87 274412 non-free/admin optional lmbench-doc_3.0-a9-1_all.deb
 1094438958728f6f6a6cab8b2685e00b 1024032 non-free/admin optional lmbench_3.0-a9-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFJojOgso6+T7qY4V0RAnTSAKCB52CbuU1bRQhJZSzl+SFADjdBOACeJwgm
eWXUtADkrs2E8kgnoOaH0kM=
=64XA
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 14 May 2011 07:35:08 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 19:59:26 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.