Acknowledgement sent
to Christoph Biedl <debian.axhn@manchmal.in-ulm.de>:
New Bug report received and forwarded. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.hu>.
(Fri, 21 Sep 2012 05:33:04 GMT) (full text, mbox, link).
Package: android-tools-adb
Version: 4.1.1+git20120801-1
Severity: normal
Dear Maintainer,
thanks for packaging adb&fastboot.
However I noticed a file '/tmp/adb.log' is created by adb. This is
done in
fd = unix_open("/tmp/adb.log", O_WRONLY | O_CREAT | O_APPEND, 0640);
[ core/adb/adb.c:701 ]
In my opinion this is a dirty hack and not acceptable from a security
point of view, symlinks attacks and the like. At least, if two
different non-root users use adb, the second one is unable (EPERM) to
write that file, potentially missing information.
For the records, I am using a private wheezy backport of
android-tools. No changes were done to the sources.
Regards,
Christoph
-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 3.4.10 (SMP w/4 CPU cores; PREEMPT)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages android-tools-adb depends on:
ii libc6 2.13-35
ii zlib1g 1:1.2.7.dfsg-13
android-tools-adb recommends no packages.
android-tools-adb suggests no packages.
-- no debconf information
Added tag(s) security.
Request was from Paul Wise <pabs@debian.org>
to control@bugs.debian.org.
(Fri, 23 Nov 2012 07:03:03 GMT) (full text, mbox, link).
Changed Bug title to 'CVE-2012-5564: android-tools-adb creates a file with a static file name in /tmp' from 'android-tools-adb creates a file with a static file name in /tmp'
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Sat, 24 Nov 2012 08:39:05 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Android Tools Maintainers <android-tools-devel@lists.alioth.debian.org>: Bug#688280; Package android-tools-adb.
(Mon, 09 May 2016 05:39:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Paul Wise <pabs@debian.org>:
Extra info received and forwarded to list. Copy sent to Android Tools Maintainers <android-tools-devel@lists.alioth.debian.org>.
(Mon, 09 May 2016 05:39:03 GMT) (full text, mbox, link).
Control: clone -1 -2
Control: reassign -2 adb 1:6.0.0+r26-1~stage1
Control: tags -2 + security
On Fri, 21 Sep 2012 07:24:17 +0200 Christoph Biedl wrote:
> Package: android-tools-adb
> Version: 4.1.1+git20120801-1
This issue is also present in the adb binary package built from the new
android-platform-system-core source package.
--
bye,
pabs
https://wiki.debian.org/PaulWise
Bug 688280 cloned as bug 823792
Request was from Paul Wise <pabs@debian.org>
to 688280-submit@bugs.debian.org.
(Mon, 09 May 2016 05:39:04 GMT) (full text, mbox, link).
Bug reassigned from package 'android-tools-adb' to 'adb'.
Request was from Fathi Boudra <fabo@debian.org>
to control@bugs.debian.org.
(Wed, 21 Dec 2016 13:51:11 GMT) (full text, mbox, link).
No longer marked as found in versions android-tools/4.1.1+git20120801-1.
Request was from Fathi Boudra <fabo@debian.org>
to control@bugs.debian.org.
(Wed, 21 Dec 2016 13:51:11 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Android Tools Maintainers <android-tools-devel@lists.alioth.debian.org>: Bug#688280; Package adb.
(Wed, 21 Dec 2016 15:03:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Android Tools Maintainers <android-tools-devel@lists.alioth.debian.org>.
(Wed, 21 Dec 2016 15:03:03 GMT) (full text, mbox, link).
Cc: 688280@bugs.debian.org, Paul Wise <pabs@debian.org>
Subject: Re: reassign 688280 to adb
Date: Wed, 21 Dec 2016 15:59:23 +0100
Hi
On Wed, Dec 21, 2016 at 03:49:26PM +0200, Fathi Boudra wrote:
> reassign 688280 adb
> thanks
Is this reassign correct? Paul Wise in
https://bugs.debian.org/688280#14 already did clone the bug to
reassign it for the android-platform-system-core source package.
So there should still be
#688280 for src:android-tools
#823792 for src:android-platform-system-core
Regards,
Salvatore
Bug reassigned from package 'adb' to 'src:android-tools'.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Wed, 21 Dec 2016 15:09:05 GMT) (full text, mbox, link).
Changed Bug title to 'android-tools: CVE-2012-5564: android-tools-adb creates a file with a static file name in /tmp' from 'CVE-2012-5564: android-tools-adb creates a file with a static file name in /tmp'.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Wed, 21 Dec 2016 15:09:06 GMT) (full text, mbox, link).
Marked as found in versions android-tools/4.1.1+git20120801-1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Wed, 21 Dec 2016 15:09:09 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Android Tools Maintainers <android-tools-devel@lists.alioth.debian.org>: Bug#688280; Package src:android-tools.
(Wed, 21 Dec 2016 18:51:06 GMT) (full text, mbox, link).
Acknowledgement sent
to Fathi Boudra <fabo@debian.org>:
Extra info received and forwarded to list. Copy sent to Android Tools Maintainers <android-tools-devel@lists.alioth.debian.org>.
(Wed, 21 Dec 2016 18:51:06 GMT) (full text, mbox, link).
Cc: 688280@bugs.debian.org, Paul Wise <pabs@debian.org>
Subject: Re: reassign 688280 to adb
Date: Wed, 21 Dec 2016 20:49:00 +0200
Hi,
On Wed, Dec 21, 2016 at 4:59 PM, Salvatore Bonaccorso <carnil@debian.org> wrote:
> Hi
>
> On Wed, Dec 21, 2016 at 03:49:26PM +0200, Fathi Boudra wrote:
>> reassign 688280 adb
>> thanks
>
> Is this reassign correct? Paul Wise in
> https://bugs.debian.org/688280#14 already did clone the bug to
> reassign it for the android-platform-system-core source package.
>
> So there should still be
>
> #688280 for src:android-tools
> #823792 for src:android-platform-system-core
You're right. Jessie src:android-tools is still affected.
> Regards,
> Salvatore
Cheers,
Fathi
Marked as found in versions android-tools/5.1.1.r38-1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Thu, 22 Dec 2016 05:39:02 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Android Tools Maintainers <android-tools-devel@lists.alioth.debian.org>: Bug#688280; Package src:android-tools.
(Tue, 27 Dec 2016 11:51:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Android Tools Maintainers <android-tools-devel@lists.alioth.debian.org>.
(Tue, 27 Dec 2016 11:51:02 GMT) (full text, mbox, link).
Cc: Salvatore Bonaccorso <carnil@debian.org>, 688280@bugs.debian.org,
Paul Wise <pabs@debian.org>
Subject: Re: reassign 688280 to adb
Date: Tue, 27 Dec 2016 12:48:34 +0100
On Wed, Dec 21, 2016 at 08:49:00PM +0200, Fathi Boudra wrote:
> Hi,
>
> On Wed, Dec 21, 2016 at 4:59 PM, Salvatore Bonaccorso <carnil@debian.org> wrote:
> > Hi
> >
> > On Wed, Dec 21, 2016 at 03:49:26PM +0200, Fathi Boudra wrote:
> >> reassign 688280 adb
> >> thanks
> >
> > Is this reassign correct? Paul Wise in
> > https://bugs.debian.org/688280#14 already did clone the bug to
> > reassign it for the android-platform-system-core source package.
> >
> > So there should still be
> >
> > #688280 for src:android-tools
> > #823792 for src:android-platform-system-core
>
> You're right. Jessie src:android-tools is still affected.
Which version fixed this for src:android-tools in unstable?
Cheers,
Moritz
Information forwarded
to debian-bugs-dist@lists.debian.org, Android Tools Maintainers <android-tools-devel@lists.alioth.debian.org>: Bug#688280; Package src:android-tools.
(Tue, 27 Dec 2016 13:09:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Android Tools Maintainers <android-tools-devel@lists.alioth.debian.org>.
(Tue, 27 Dec 2016 13:09:02 GMT) (full text, mbox, link).
To: Moritz Mühlenhoff <jmm@inutil.org>,
688280@bugs.debian.org
Cc: Fathi Boudra <fabo@debian.org>, Paul Wise <pabs@debian.org>
Subject: Re: Bug#688280: reassign 688280 to adb
Date: Tue, 27 Dec 2016 14:03:53 +0100
Hi Moritz,
On Tue, Dec 27, 2016 at 12:48:34PM +0100, Moritz Mühlenhoff wrote:
> On Wed, Dec 21, 2016 at 08:49:00PM +0200, Fathi Boudra wrote:
> > Hi,
> >
> > On Wed, Dec 21, 2016 at 4:59 PM, Salvatore Bonaccorso <carnil@debian.org> wrote:
> > > Hi
> > >
> > > On Wed, Dec 21, 2016 at 03:49:26PM +0200, Fathi Boudra wrote:
> > >> reassign 688280 adb
> > >> thanks
> > >
> > > Is this reassign correct? Paul Wise in
> > > https://bugs.debian.org/688280#14 already did clone the bug to
> > > reassign it for the android-platform-system-core source package.
> > >
> > > So there should still be
> > >
> > > #688280 for src:android-tools
> > > #823792 for src:android-platform-system-core
> >
> > You're right. Jessie src:android-tools is still affected.
>
> Which version fixed this for src:android-tools in unstable?
Not yet for unstable for src:android-tools. I recently updated the
security-tracker information as:
- android-tools <unfixed> (bug #688280) <-- still unfixed
- android-platform-system-core 1:7.0.0+r1-1 (bug #823792)
src:android-tools as per current version in unstable still has:
system/core/adb/adb.c: fd = unix_open("/tmp/adb.log", O_WRONLY | O_CREAT | O_APPEND, 0640);
Regards,
Salvatore
Information forwarded
to debian-bugs-dist@lists.debian.org, Android Tools Maintainers <android-tools-devel@lists.alioth.debian.org>: Bug#688280; Package src:android-tools.
(Tue, 27 Dec 2016 17:39:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Fathi Boudra <fabo@debian.org>:
Extra info received and forwarded to list. Copy sent to Android Tools Maintainers <android-tools-devel@lists.alioth.debian.org>.
(Tue, 27 Dec 2016 17:39:03 GMT) (full text, mbox, link).
Cc: Moritz Mühlenhoff <jmm@inutil.org>,
688280@bugs.debian.org, Paul Wise <pabs@debian.org>
Subject: Re: Bug#688280: reassign 688280 to adb
Date: Tue, 27 Dec 2016 19:33:45 +0200
Hi,
On Tue, Dec 27, 2016 at 3:03 PM, Salvatore Bonaccorso <carnil@debian.org> wrote:
> Hi Moritz,
>
> On Tue, Dec 27, 2016 at 12:48:34PM +0100, Moritz Mühlenhoff wrote:
>> On Wed, Dec 21, 2016 at 08:49:00PM +0200, Fathi Boudra wrote:
>> > Hi,
>> >
>> > On Wed, Dec 21, 2016 at 4:59 PM, Salvatore Bonaccorso <carnil@debian.org> wrote:
>> > > Hi
>> > >
>> > > On Wed, Dec 21, 2016 at 03:49:26PM +0200, Fathi Boudra wrote:
>> > >> reassign 688280 adb
>> > >> thanks
>> > >
>> > > Is this reassign correct? Paul Wise in
>> > > https://bugs.debian.org/688280#14 already did clone the bug to
>> > > reassign it for the android-platform-system-core source package.
>> > >
>> > > So there should still be
>> > >
>> > > #688280 for src:android-tools
>> > > #823792 for src:android-platform-system-core
>> >
>> > You're right. Jessie src:android-tools is still affected.
>>
>> Which version fixed this for src:android-tools in unstable?
>
> Not yet for unstable for src:android-tools. I recently updated the
> security-tracker information as:
>
> - android-tools <unfixed> (bug #688280) <-- still unfixed
> - android-platform-system-core 1:7.0.0+r1-1 (bug #823792)
>
> src:android-tools as per current version in unstable still has:
>
> system/core/adb/adb.c: fd = unix_open("/tmp/adb.log", O_WRONLY | O_CREAT | O_APPEND, 0640);
adb binary in unstable isn't built anymore from src:android-tools,
only from src:android-platform-system-core.
android-platform-system-core is using 7.x source code and doesn't
contain fd = unix_open("/tmp/adb.log" anymore:
https://android.googlesource.com/platform/system/core/+/android-7.0.0_r1/adb/adb.cpphttps://android.googlesource.com/platform/system/core/+/android-5.1.1_r38/adb/adb.c#990
I haven't seen any patch from Google (or anybody else) to fix the 5.x serie.
Is randomizing the path with mktemp is good enough or should I get rid
of the log file completely?
Note: even if the source code code contains the problem, it isn't used
because we don't build adb at all in android-tools.
>
> Regards,
> Salvatore
Cheers,
Fathi
Information forwarded
to debian-bugs-dist@lists.debian.org, Android Tools Maintainers <android-tools-devel@lists.alioth.debian.org>: Bug#688280; Package src:android-tools.
(Tue, 27 Dec 2016 19:03:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Android Tools Maintainers <android-tools-devel@lists.alioth.debian.org>.
(Tue, 27 Dec 2016 19:03:03 GMT) (full text, mbox, link).
To: Fathi Boudra <fabo@debian.org>, 688280@bugs.debian.org
Cc: Moritz Mühlenhoff <jmm@inutil.org>,
Paul Wise <pabs@debian.org>
Subject: Re: Bug#688280: reassign 688280 to adb
Date: Tue, 27 Dec 2016 20:01:41 +0100
Hi Fathi!
On Tue, Dec 27, 2016 at 07:33:45PM +0200, Fathi Boudra wrote:
> Hi,
>
> On Tue, Dec 27, 2016 at 3:03 PM, Salvatore Bonaccorso <carnil@debian.org> wrote:
> > Hi Moritz,
> >
> > On Tue, Dec 27, 2016 at 12:48:34PM +0100, Moritz Mühlenhoff wrote:
> >> On Wed, Dec 21, 2016 at 08:49:00PM +0200, Fathi Boudra wrote:
> >> > Hi,
> >> >
> >> > On Wed, Dec 21, 2016 at 4:59 PM, Salvatore Bonaccorso <carnil@debian.org> wrote:
> >> > > Hi
> >> > >
> >> > > On Wed, Dec 21, 2016 at 03:49:26PM +0200, Fathi Boudra wrote:
> >> > >> reassign 688280 adb
> >> > >> thanks
> >> > >
> >> > > Is this reassign correct? Paul Wise in
> >> > > https://bugs.debian.org/688280#14 already did clone the bug to
> >> > > reassign it for the android-platform-system-core source package.
> >> > >
> >> > > So there should still be
> >> > >
> >> > > #688280 for src:android-tools
> >> > > #823792 for src:android-platform-system-core
> >> >
> >> > You're right. Jessie src:android-tools is still affected.
> >>
> >> Which version fixed this for src:android-tools in unstable?
> >
> > Not yet for unstable for src:android-tools. I recently updated the
> > security-tracker information as:
> >
> > - android-tools <unfixed> (bug #688280) <-- still unfixed
> > - android-platform-system-core 1:7.0.0+r1-1 (bug #823792)
> >
> > src:android-tools as per current version in unstable still has:
> >
> > system/core/adb/adb.c: fd = unix_open("/tmp/adb.log", O_WRONLY | O_CREAT | O_APPEND, 0640);
>
> adb binary in unstable isn't built anymore from src:android-tools,
> only from src:android-platform-system-core.
>
> android-platform-system-core is using 7.x source code and doesn't
> contain fd = unix_open("/tmp/adb.log" anymore:
> https://android.googlesource.com/platform/system/core/+/android-7.0.0_r1/adb/adb.cpp
>
> https://android.googlesource.com/platform/system/core/+/android-5.1.1_r38/adb/adb.c#990
>
> I haven't seen any patch from Google (or anybody else) to fix the 5.x serie.
> Is randomizing the path with mktemp is good enough or should I get rid
> of the log file completely?
> Note: even if the source code code contains the problem, it isn't used
> because we don't build adb at all in android-tools.
Thanks a lot for your comments. So it looks that even if we would be
affected source-wise, since android-tools/5.1.1.r38-1 the
binary-package android-tools-adb which contained /usr/bin/adb is not
built anymore.
I have added a corresponding note to
https://security-tracker.debian.org/tracker/CVE-2012-5564
so that it now reads:
CVE-2012-5564 (android-tools 4.1.1 in Android Debug Bridge (ADB) allows local users ...)
- android-tools <unfixed> (unimportant; bug #688280)
NOTE: Since android-tools/5.1.1.r38-1 the android-tools-adb binary package
NOTE: is not built anymore which used to contain /usr/bin/adb.
NOTE: Package still affected source-wise.
I wouldn't invest much energy though in fixing the issue. The reason
is that due to the kernel hardening
(https://www.debian.org/releases/jessie/amd64/release-notes/ch-whats-new.en.html#security)
nullifies the symlink attacks, thus /tmp related bugs are marked in
meanwhile as severity "unimportant" in the security-tracker (as you
can see in the entry above).
It is really good that you and your team though have fixed the copy in
android-platform-system-core (bug #823792) via new upstream versions
which fixed that source-wise.
Hope this clarifies the back-and-forth on this issue.
Regards,
Salvatore
Added tag(s) upstream.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Tue, 27 Dec 2016 19:03:04 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Android Tools Maintainers <android-tools-devel@lists.alioth.debian.org>: Bug#688280; Package src:android-tools.
(Fri, 30 Dec 2016 05:09:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Paul Wise <pabs@debian.org>:
Extra info received and forwarded to list. Copy sent to Android Tools Maintainers <android-tools-devel@lists.alioth.debian.org>.
(Fri, 30 Dec 2016 05:09:03 GMT) (full text, mbox, link).
Control: reopen 823792
Control: found 823792 1:7.0.0+r1-1
On Tue, 2016-12-27 at 20:01 +0100, Salvatore Bonaccorso wrote:
> It is really good that you and your team though have fixed the copy in
> android-platform-system-core (bug #823792) via new upstream versions
> which fixed that source-wise.
I don't think this is actually fixed by the new upstream versions,
take a look at the GetLogFilePath function via codesearch:
https://sources.debian.net/src/android-platform-system-core/1:7.0.0%2Br1-2/adb/client/main.cpp/?hl=58#L37
--
bye,
pabs
https://wiki.debian.org/PaulWise
Information forwarded
to debian-bugs-dist@lists.debian.org, Android Tools Maintainers <android-tools-devel@lists.alioth.debian.org>: Bug#688280; Package src:android-tools.
(Wed, 01 Mar 2017 08:39:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Hans-Christoph Steiner <hans@eds.org>:
Extra info received and forwarded to list. Copy sent to Android Tools Maintainers <android-tools-devel@lists.alioth.debian.org>.
(Wed, 01 Mar 2017 08:39:03 GMT) (full text, mbox, link).
To: 823792@bugs.debian.org, 688280@bugs.debian.org
Subject: policy issue not security
Date: Wed, 1 Mar 2017 09:37:27 +0100
Yes, it still makes the log, but now at least with reasonable
permissions, so its not a security issue any more but a Debian policy issue:
$ ls -l /tmp/adb.1000.log
-rw-r----- 1 1000 1000 179 Mar 1 08:31 /tmp/adb.1000.log
I suppose that path should be changed to /var/log/adb/
Information forwarded
to debian-bugs-dist@lists.debian.org, Android Tools Maintainers <android-tools-devel@lists.alioth.debian.org>: Bug#688280; Package src:android-tools.
(Thu, 02 Mar 2017 01:03:06 GMT) (full text, mbox, link).
Acknowledgement sent
to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Extra info received and forwarded to list. Copy sent to Android Tools Maintainers <android-tools-devel@lists.alioth.debian.org>.
(Thu, 02 Mar 2017 01:03:06 GMT) (full text, mbox, link).
To: Hans-Christoph Steiner <hans@eds.org>, 688280@bugs.debian.org, 823792@bugs.debian.org
Subject: Re: Bug#688280: policy issue not security
Date: Wed, 01 Mar 2017 16:45:57 -0800
On Wed 2017-03-01 00:37:27 -0800, Hans-Christoph Steiner wrote:
> Yes, it still makes the log, but now at least with reasonable
> permissions, so its not a security issue any more but a Debian policy issue:
>
> $ ls -l /tmp/adb.1000.log
> -rw-r----- 1 1000 1000 179 Mar 1 08:31 /tmp/adb.1000.log
Why is this not a security issue? there are symlink/race conditions
here, which some modern kernels should defend against, but not all
kernels do. Please, let's get this fixed right.
> I suppose that path should be changed to /var/log/adb/
if the log is an ephemeral per-user log, it should be placed somewhere
like /run/user/$(id -u)/adb.log
--dkg
Reply sent
to Hans-Christoph Steiner <hans@eds.org>:
You have taken responsibility.
(Mon, 27 Mar 2017 21:03:03 GMT) (full text, mbox, link).
Notification sent
to Christoph Biedl <debian.axhn@manchmal.in-ulm.de>:
Bug acknowledged by developer.
(Mon, 27 Mar 2017 21:03:03 GMT) (full text, mbox, link).
No longer marked as found in versions android-tools/5.1.1.r38-1 and android-tools/4.1.1+git20120801-1.
Request was from Andreas Beckmann <anbe@debian.org>
to control@bugs.debian.org.
(Sun, 02 Jul 2017 22:39:17 GMT) (full text, mbox, link).
No longer marked as fixed in versions android-platform-system-core/1:7.0.0+r1-4.
Request was from Andreas Beckmann <anbe@debian.org>
to control@bugs.debian.org.
(Sun, 02 Jul 2017 22:39:18 GMT) (full text, mbox, link).
Added indication that 688280 affects android-tools-adb
Request was from Andreas Beckmann <anbe@debian.org>
to control@bugs.debian.org.
(Sun, 02 Jul 2017 22:39:18 GMT) (full text, mbox, link).
Marked as fixed in versions android-platform-system-core/1:7.0.0+r1-4.
Request was from Andreas Beckmann <anbe@debian.org>
to control@bugs.debian.org.
(Sun, 02 Jul 2017 22:39:18 GMT) (full text, mbox, link).
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Tue, 08 Aug 2017 07:29:44 GMT) (full text, mbox, link).
Debbugs is free software and licensed under the terms of the GNU General
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.