Debian Bug report logs - #622794
atop: vulnerable to symlink attack via insecure /tmp directory or file
Reported by: Teodor <mteodor@gmail.com>
Date: Thu, 14 Apr 2011 17:54:01 UTC
Severity: grave
Tags: patch, security
Found in version atop/1.23-1
Fixed in versions atop/1.23-1.1, atop/1.23-1+lenny1, atop/1.23-1+squeeze1
Done: Jonathan Wiltshire <jmw@debian.org>
Bug is archived. No further changes may be made.
Report forwarded
to debian-bugs-dist@lists.debian.org, mteodor@gmail.com, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Edelhard Becker <edelhard@debian.org>:
Bug#622794; Package atop.
(Thu, 14 Apr 2011 17:54:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Teodor <mteodor@gmail.com>:
New Bug report received and forwarded. Copy sent to mteodor@gmail.com, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Edelhard Becker <edelhard@debian.org>.
(Thu, 14 Apr 2011 17:54:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: atop
Version: 1.23-1
Severity: grave
Tags: security
Justification: user security hole
Hi,
I've just noticed that atop keeps the runtime data in /tmp/atop* directories
or files (mentioned in the man page too). I think it was established from a
discussion on debian-devel@l.d.o that this is potentially a security
vulnerability. Probably it should keep its temporary runtime data in its own
directory under /var/run (or /run for the next release).
Please consider backporting the fix for 'stable' too.
Thanks
-- System Information:
Debian Release: 6.0.1
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.32-5-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages atop depends on:
ii libc6 2.11.2-10 Embedded GNU C Library: Shared lib
ii libncurses5 5.7+20100313-5 shared libraries for terminal hand
ii logrotate 3.7.8-6 Log rotation utility
ii zlib1g 1:1.2.3.4.dfsg-3 compression library - runtime
atop recommends no packages.
atop suggests no packages.
-- no debconf information
Information forwarded
to debian-bugs-dist@lists.debian.org, Edelhard Becker <edelhard@debian.org>:
Bug#622794; Package atop.
(Fri, 15 Apr 2011 04:21:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Matt Kraai <kraai@ftbfs.org>:
Extra info received and forwarded to list. Copy sent to Edelhard Becker <edelhard@debian.org>.
(Fri, 15 Apr 2011 04:21:03 GMT) (full text, mbox, link).
Message #10 received at 622794@bugs.debian.org (full text, mbox, reply):
Hi,
I've attached a patch to make atop create decompressed raw logs
safely by using mkstemp.
I think that it's still possible, by making /tmp/atop.d a symbolic
link to a directory containing a file named atop.acct, to make atop
remove the file named atop.acct in the linked-to directory.
--
Matt Kraai
https://ftbfs.org/kraai
[fix-tmp-usage.patch (text/x-diff, attachment)]
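As an added example (not atop's code and not Matt Kraai's attached patch), two hypothetical C helpers show the defensive pattern this thread converges on: let mkstemp create the decompressed raw log under an unpredictable name, and refuse to remove anything through a working directory that turns out to be a symlink, which is the /tmp/atop.d case described above. The function names, the `atop.XXXXXX` template and the ownership and mode checks are assumptions made for the example.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not atop's code: instead of opening a predictable
 * name such as /tmp/atop.<pid>.raw that another user could pre-create or
 * symlink, let mkstemp pick a random suffix and create the file with
 * O_CREAT|O_EXCL and mode 0600. Returns the open fd (>= 0) and stores the
 * path in out; returns -1 on failure. */
int create_private_tmp(const char *dir, char *out, size_t outlen)
{
    if (snprintf(out, outlen, "%s/atop.XXXXXX", dir) >= (int)outlen)
        return -1;
    return mkstemp(out);   /* fails rather than reusing an existing name */
}

/* Hypothetical helper, not atop's code: remove a file inside a working
 * directory without trusting the directory path. O_NOFOLLOW makes the open
 * fail (ELOOP) when dir itself is a symlink, which is the /tmp/atop.d case
 * from the thread; the ownership and mode checks on the opened fd reject a
 * directory that another user planted or can still modify.
 * Returns 0 on success, -1 on failure or refusal. */
int remove_in_private_dir(const char *dir, const char *name)
{
    struct stat st;
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (dfd < 0)
        return -1;
    if (fstat(dfd, &st) < 0 || st.st_uid != geteuid()
        || (st.st_mode & (S_IWGRP | S_IWOTH)) != 0) {
        close(dfd);
        return -1;
    }
    /* unlinkat works relative to the verified fd; a symlink at name is
     * removed itself, its target is never touched */
    int rc = unlinkat(dfd, name, 0);
    close(dfd);
    return rc < 0 ? -1 : 0;
}
```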
Information forwarded
to debian-bugs-dist@lists.debian.org, Edelhard Becker <edelhard@debian.org>:
Bug#622794; Package atop.
(Mon, 01 Aug 2011 14:45:09 GMT) (full text, mbox, link).
Acknowledgement sent
to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to Edelhard Becker <edelhard@debian.org>.
(Mon, 01 Aug 2011 14:45:10 GMT) (full text, mbox, link).
Message #15 received at 622794@bugs.debian.org (full text, mbox, reply):
tags 622794 + patch
tags 622794 + pending
thanks
Dear maintainer,
I've prepared an NMU for atop (versioned as 1.23-1.1) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.
Be advised that if no problems are found, I will be applying to the Release
Team for permission to upload the same fixes to stable and oldstable.
Regards.
--
Jonathan Wiltshire jmw@debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
[atop-1.23-1.1-nmu.diff (text/x-diff, attachment)]
Added tag(s) patch.
Request was from Jonathan Wiltshire <jmw@debian.org>
to control@bugs.debian.org.
(Mon, 01 Aug 2011 14:45:11 GMT) (full text, mbox, link).
Added tag(s) pending.
Request was from Jonathan Wiltshire <jmw@debian.org>
to control@bugs.debian.org.
(Mon, 01 Aug 2011 14:45:12 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Edelhard Becker <edelhard@debian.org>:
Bug#622794; Package atop.
(Mon, 01 Aug 2011 15:03:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to Edelhard Becker <edelhard@debian.org>.
(Mon, 01 Aug 2011 15:03:03 GMT) (full text, mbox, link).
Message #24 received at 622794@bugs.debian.org (full text, mbox, reply):
On Mon, Aug 01, 2011 at 03:41:57PM +0100, Jonathan Wiltshire wrote:
> I've prepared an NMU for atop (versioned as 1.23-1.1) and
> uploaded it to DELAYED/2. Please feel free to tell me if I
> should delay it longer.
Sorry, here is the correct patch.
--
Jonathan Wiltshire jmw@debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
[nmudiff.atop (text/plain, attachment)]
Reply sent
to Jonathan Wiltshire <jmw@debian.org>:
You have taken responsibility.
(Wed, 03 Aug 2011 17:33:03 GMT) (full text, mbox, link).
Notification sent
to Teodor <mteodor@gmail.com>:
Bug acknowledged by developer.
(Wed, 03 Aug 2011 17:33:03 GMT) (full text, mbox, link).
Message #29 received at 622794-close@bugs.debian.org (full text, mbox, reply):
Source: atop
Source-Version: 1.23-1.1
We believe that the bug you reported is fixed in the latest version of
atop, which is due to be installed in the Debian FTP archive:
atop_1.23-1.1.diff.gz
to main/a/atop/atop_1.23-1.1.diff.gz
atop_1.23-1.1.dsc
to main/a/atop/atop_1.23-1.1.dsc
atop_1.23-1.1_amd64.deb
to main/a/atop/atop_1.23-1.1_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 622794@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jonathan Wiltshire <jmw@debian.org> (supplier of updated atop package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Mon, 01 Aug 2011 15:35:16 +0100
Source: atop
Binary: atop
Architecture: source amd64
Version: 1.23-1.1
Distribution: unstable
Urgency: high
Maintainer: Edelhard Becker <edelhard@debian.org>
Changed-By: Jonathan Wiltshire <jmw@debian.org>
Description:
atop - Monitor for system resources and process activity
Closes: 622794
Changes:
atop (1.23-1.1) unstable; urgency=high
.
* Non-maintainer upload.
* Fix CVE-2011-XXXX: Insecure use of temporary files in rawlog.c and
acctproc.c (Closes: #622794)
Reply sent
to Jonathan Wiltshire <jmw@debian.org>:
You have taken responsibility.
(Wed, 03 Aug 2011 19:57:05 GMT) (full text, mbox, link).
Notification sent
to Teodor <mteodor@gmail.com>:
Bug acknowledged by developer.
(Wed, 03 Aug 2011 19:57:05 GMT) (full text, mbox, link).
Message #34 received at 622794-close@bugs.debian.org (full text, mbox, reply):
Source: atop
Source-Version: 1.23-1+lenny1
We believe that the bug you reported is fixed in the latest version of
atop, which is due to be installed in the Debian FTP archive:
atop_1.23-1+lenny1.diff.gz
to main/a/atop/atop_1.23-1+lenny1.diff.gz
atop_1.23-1+lenny1.dsc
to main/a/atop/atop_1.23-1+lenny1.dsc
atop_1.23-1+lenny1_amd64.deb
to main/a/atop/atop_1.23-1+lenny1_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 622794@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jonathan Wiltshire <jmw@debian.org> (supplier of updated atop package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Mon, 01 Aug 2011 15:35:16 +0100
Source: atop
Binary: atop
Architecture: source amd64
Version: 1.23-1+lenny1
Distribution: oldstable
Urgency: high
Maintainer: Edelhard Becker <edelhard@debian.org>
Changed-By: Jonathan Wiltshire <jmw@debian.org>
Description:
atop - Monitor for system resources and process activity
Closes: 622794
Changes:
atop (1.23-1+lenny1) oldstable; urgency=high
.
* Non-maintainer upload.
* Fix CVE-2011-XXXX: Insecure use of temporary files in rawlog.c and
acctproc.c (Closes: #622794)
Reply sent
to Jonathan Wiltshire <jmw@debian.org>:
You have taken responsibility.
(Wed, 03 Aug 2011 19:57:08 GMT) (full text, mbox, link).
Notification sent
to Teodor <mteodor@gmail.com>:
Bug acknowledged by developer.
(Wed, 03 Aug 2011 19:57:08 GMT) (full text, mbox, link).
Message #39 received at 622794-close@bugs.debian.org (full text, mbox, reply):
Source: atop
Source-Version: 1.23-1+squeeze1
We believe that the bug you reported is fixed in the latest version of
atop, which is due to be installed in the Debian FTP archive:
atop_1.23-1+squeeze1.diff.gz
to main/a/atop/atop_1.23-1+squeeze1.diff.gz
atop_1.23-1+squeeze1.dsc
to main/a/atop/atop_1.23-1+squeeze1.dsc
atop_1.23-1+squeeze1_amd64.deb
to main/a/atop/atop_1.23-1+squeeze1_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 622794@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jonathan Wiltshire <jmw@debian.org> (supplier of updated atop package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Mon, 01 Aug 2011 15:35:16 +0100
Source: atop
Binary: atop
Architecture: source amd64
Version: 1.23-1+squeeze1
Distribution: stable
Urgency: high
Maintainer: Edelhard Becker <edelhard@debian.org>
Changed-By: Jonathan Wiltshire <jmw@debian.org>
Description:
atop - Monitor for system resources and process activity
Closes: 622794
Changes:
atop (1.23-1+squeeze1) stable; urgency=high
.
* Non-maintainer upload.
* Fix CVE-2011-XXXX: Insecure use of temporary files in rawlog.c and
acctproc.c (Closes: #622794)
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 09 Oct 2011 07:38:19 GMT) (full text, mbox, link).
Last modified:
Mon Jul 15 23:19:05 2024;