Debian Bug report logs - #702821
libapache2-mod-perl2: FTBFS: the CVE-2013-1667 fix breaks t/perl/hash_attack.t

Package: libapache2-mod-perl2; Maintainer for libapache2-mod-perl2 is Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>; Source for libapache2-mod-perl2 is src:libapache2-mod-perl2.

Reported by: Niko Tyni <ntyni@debian.org>

Date: Mon, 11 Mar 2013 20:51:01 UTC

Severity: serious

Found in versions libapache2-mod-perl2/2.0.7-2, libapache2-mod-perl2/2.0.4-7

Fixed in versions libapache2-mod-perl2/2.0.7-3, libapache2-mod-perl2/2.0.4-7+squeeze1

Done: Dominic Hargreaves <dom@earth.li>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, perl@packages.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#702821; Package libapache2-mod-perl2. (Mon, 11 Mar 2013 20:51:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Niko Tyni <ntyni@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, perl@packages.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Mon, 11 Mar 2013 20:51:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Niko Tyni <ntyni@debian.org>
To: submit@bugs.debian.org
Subject: libapache2-mod-perl2: FTBFS: the CVE-2013-1667 fix breaks t/perl/hash_attack.t
Date: Mon, 11 Mar 2013 22:47:45 +0200
Package: libapache2-mod-perl2
Version: 2.0.7-2
Severity: serious
Control: found -1 2.0.4-7
X-Debbugs-Cc: team@security.debian.org, perl@packages.debian.org

As noted on the modperl users list in

 http://mail-archives.apache.org/mod_mbox/perl-modperl/201303.mbox/%3C67B2BB40A61BE846B65EF4793B863D6C610AF5@ukmail02.planit.group%3E

the perl fix for CVE-2013-1667 (rehashing flaw) makes t/perl/hash_attack.t
in libapache2-mod-perl2 fail, so the latter package now fails to build
from source.

Verified on both squeeze and sid/wheezy.

  t/perl/api.t ............................ ok
  request has failed (the response code was: 500)
  see t/logs/error_log for more details
  t/perl/hash_attack.t .................... 
  Dubious, test returned 255 (wstat 65280, 0xff00)
  Failed 1/1 subtests 
  [...]
  Result: FAIL
  Failed 1/242 test programs. 0/3534 subtests failed.

No patch yet, but according to Steve Hay in the above message
there is one floating around:

> I have seen a patch for it on the perl5-security list, and will
> hopefully apply it soon.

so it's probably best to wait a moment before disabling the test.
FWIW the SVN repository is at
 svn co https://svn.apache.org/repos/asf/perl/modperl/trunk
and can be browsed at
 http://svn.apache.org/viewvc/perl/modperl/trunk/

Cc'ing the security team. Once we have a fix, I suppose we'll need to
fix libapache2-mod-perl2 via stable-security?
-- 
Niko Tyni   ntyni@debian.org



Marked as found in versions libapache2-mod-perl2/2.0.4-7. Request was from Niko Tyni <ntyni@debian.org> to submit@bugs.debian.org. (Mon, 11 Mar 2013 20:51:04 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#702821; Package libapache2-mod-perl2. (Tue, 12 Mar 2013 00:03:03 GMT) Full text and rfc822 format available.

Message #10 received at 702821@bugs.debian.org (full text, mbox):

From: pkg-perl-maintainers@lists.alioth.debian.org
To: 702821@bugs.debian.org, 702821-submitter@bugs.debian.org
Subject: Pending fixes for bugs in the libapache2-mod-perl2 package
Date: Tue, 12 Mar 2013 00:01:37 +0000
tag 702821 + pending
thanks

Some bugs in the libapache2-mod-perl2 package are closed in revision
7b6d972fcb6040c4ad7f6938fc68f9aa165fb92f in branch 'master' by
Dominic Hargreaves

The full diff can be seen at
http://anonscm.debian.org/gitweb/?p=pkg-perl/packages/libapache2-mod-perl2.git;a=commitdiff;h=7b6d972

Commit message:

    Fix FTBFS with versions of perl including the CVE-2013-1667 fix (Closes: #702821)




Added tag(s) pending. Request was from pkg-perl-maintainers@lists.alioth.debian.org to control@bugs.debian.org. (Tue, 12 Mar 2013 00:03:05 GMT) Full text and rfc822 format available.

Message sent on to Niko Tyni <ntyni@debian.org>:
Bug#702821. (Tue, 12 Mar 2013 00:03:07 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#702821; Package libapache2-mod-perl2. (Tue, 12 Mar 2013 12:09:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Thijs Kinkhorst" <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Tue, 12 Mar 2013 12:09:03 GMT) Full text and rfc822 format available.

Message #20 received at 702821@bugs.debian.org (full text, mbox):

From: "Thijs Kinkhorst" <thijs@debian.org>
To: 702821@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#702821: libapache2-mod-perl2: FTBFS: the CVE-2013-1667 fix breaks t/perl/hash_attack.t
Date: Tue, 12 Mar 2013 13:07:37 +0100
On Mon, March 11, 2013 21:47, Niko Tyni wrote:
> Cc'ing the security team. Once we have a fix, I suppose we'll need to
> fix libapache2-mod-perl2 via stable-security?

Yes please.


Cheers,
Thijs




Reply sent to Dominic Hargreaves <dom@earth.li>:
You have taken responsibility. (Tue, 12 Mar 2013 20:36:05 GMT) Full text and rfc822 format available.

Notification sent to Niko Tyni <ntyni@debian.org>:
Bug acknowledged by developer. (Tue, 12 Mar 2013 20:36:05 GMT) Full text and rfc822 format available.

Message #25 received at 702821-close@bugs.debian.org (full text, mbox):

From: Dominic Hargreaves <dom@earth.li>
To: 702821-close@bugs.debian.org
Subject: Bug#702821: fixed in libapache2-mod-perl2 2.0.7-3
Date: Tue, 12 Mar 2013 20:32:54 +0000
Source: libapache2-mod-perl2
Source-Version: 2.0.7-3

We believe that the bug you reported is fixed in the latest version of
libapache2-mod-perl2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 702821@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dominic Hargreaves <dom@earth.li> (supplier of updated libapache2-mod-perl2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Tue, 12 Mar 2013 20:06:02 +0000
Source: libapache2-mod-perl2
Binary: libapache2-mod-perl2 libapache2-mod-perl2-dev libapache2-mod-perl2-doc
Architecture: source i386 all
Version: 2.0.7-3
Distribution: unstable
Urgency: low
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: Dominic Hargreaves <dom@earth.li>
Description: 
 libapache2-mod-perl2 - Integration of perl with the Apache2 web server
 libapache2-mod-perl2-dev - Integration of perl with the Apache2 web server - development fil
 libapache2-mod-perl2-doc - Integration of perl with the Apache2 web server - documentation
Closes: 702821
Changes: 
 libapache2-mod-perl2 (2.0.7-3) unstable; urgency=low
 .
   [ Salvatore Bonaccorso ]
   * Change Vcs-Git to canonical URI (git://anonscm.debian.org)
 .
   [ Dominic Hargreaves ]
   * Fix FTBFS with versions of perl including the CVE-2013-1667
     fix (Closes: #702821)




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#702821; Package libapache2-mod-perl2. (Tue, 12 Mar 2013 23:51:03 GMT) Full text and rfc822 format available.

Message #28 received at 702821@bugs.debian.org (full text, mbox):

From: pkg-perl-maintainers@lists.alioth.debian.org
To: 702821@bugs.debian.org, 702821-submitter@bugs.debian.org
Subject: Pending fixes for bugs in the libapache2-mod-perl2 package
Date: Tue, 12 Mar 2013 23:49:40 +0000
tag 702821 + pending
thanks

Some bugs in the libapache2-mod-perl2 package are closed in revision
c71d0917fc72cc5bb1f0c017c917be80e5206e0f in branch 'dom/squeeze-702821' by
Dominic Hargreaves

The full diff can be seen at
http://anonscm.debian.org/gitweb/?p=pkg-perl/packages/libapache2-mod-perl2.git;a=commitdiff;h=c71d091

Commit message:

    Fix FTBFS with versions of perl including the CVE-2013-1667 fix (Closes: #702821)




Added tag(s) pending. Request was from pkg-perl-maintainers@lists.alioth.debian.org to control@bugs.debian.org. (Tue, 12 Mar 2013 23:51:07 GMT) Full text and rfc822 format available.

Message sent on to Niko Tyni <ntyni@debian.org>:
Bug#702821. (Tue, 12 Mar 2013 23:51:12 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#702821; Package libapache2-mod-perl2. (Tue, 12 Mar 2013 23:54:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Dominic Hargreaves <dom@earth.li>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Tue, 12 Mar 2013 23:54:06 GMT) Full text and rfc822 format available.

Message #38 received at 702821@bugs.debian.org (full text, mbox):

From: Dominic Hargreaves <dom@earth.li>
To: modperl@perl.apache.org, 702821@bugs.debian.org
Subject: perl/hash_attack.t fails with 5.10.1 + CVE-2013-1667 fix
Date: Tue, 12 Mar 2013 23:51:07 +0000
Hello,

When trying to fix this issue in Debian stable, I found that the
patch at

http://svn.apache.org/viewvc?view=revision&revision=1455340

does not stop the test failing when applied to 2.0.4 (as currently
found in Debian stable) and built against the current perl package
in Debian stable (5.10 + the rehashing fix). t/logs/error_log simply says:

[Tue Mar 12 21:09:23 2013] [error] [client 127.0.0.1] Failed to mount the hash collision attack at /home/dom/working/pkg-perl/git/libapache2-mod-perl2/t/response/TestPerl/hash_attack.pm line 112, <fh00003Makefile> line 1.\n

This is the change:

http://perl5.git.perl.org/perl.git/commitdiff/f14269908e5f8b4cab4b55643d7dd9de577e7918

which differs a bit from that applied to 5.14:

http://perl5.git.perl.org/perl.git/commitdiff/d59e31fc729d8a39a774f03bc6bc457029a7aef2

although interestingly both test changes are identical.

Help to pin down this difference in behaviour would be appreciated.

The source for the package in question is at

http://anonscm.debian.org/gitweb/?p=pkg-perl/packages/libapache2-mod-perl2.git;a=shortlog;h=refs/heads/dom/squeeze-702821

Thanks,
Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#702821; Package libapache2-mod-perl2. (Wed, 13 Mar 2013 09:21:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Steve Hay" <Steve.Hay@verosoftware.com>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Wed, 13 Mar 2013 09:21:07 GMT) Full text and rfc822 format available.

Message #43 received at 702821@bugs.debian.org (full text, mbox):

From: "Steve Hay" <Steve.Hay@verosoftware.com>
To: "Dominic Hargreaves" <dom@earth.li>, <modperl@perl.apache.org>, <702821@bugs.debian.org>
Subject: RE: perl/hash_attack.t fails with 5.10.1 + CVE-2013-1667 fix
Date: Wed, 13 Mar 2013 09:13:15 -0000
Dominic Hargreaves wrote on 2013-03-12:
> Hello,
> 
> When trying to fix this issue in Debian stable, I found that the patch at
> 
> http://svn.apache.org/viewvc?view=revision&revision=1455340
> 
> does not stop the test failing when applied to 2.0.4 (as currently
> found in Debian stable) and built against the current perl package in
> Debian stable (5.10 + the rehashing fix). t/logs/error_log simply says:
> 
> [Tue Mar 12 21:09:23 2013] [error] [client 127.0.0.1] Failed to mount the hash collision attack at /home/dom/working/pkg-perl/git/libapache2-mod-perl2/t/response/TestPerl/hash_attack.pm line 112, <fh00003Makefile> line 1.\n
> 
> This is the change:
> 
> http://perl5.git.perl.org/perl.git/commitdiff/f14269908e5f8b4cab4b55643d7dd9de577e7918
> 
> which differs a bit from that applied to 5.14:
> 
> http://perl5.git.perl.org/perl.git/commitdiff/d59e31fc729d8a39a774f03bc6bc457029a7aef2
> 
> although interestingly both test changes are identical.
> 
> Help to pin down this difference in behaviour would be appreciated.
> 
> The source for the package in question is at
> 
> http://anonscm.debian.org/gitweb/?p=pkg-perl/packages/libapache2-mod-perl2.git;a=shortlog;h=refs/heads/dom/squeeze-702821
> 
> Thanks,
> Dominic.
>


I haven't looked at the Debian package, or tried anything with
mod_perl-2.0.4, but I've just checked out origin/maint-5.10 from the
Perl git repo (in fact, I took the snapshot at
http://perl5.git.perl.org/perl.git/snapshot/f14269908e5f8b4cab4b55643d7dd9de577e7918.tar.gz)
and tried that with Apache 2.2.22 and mod_perl from
trunk and the tests all pass for me... (This is on Windows 7 x64 with
VC++ 2010.)




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#702821; Package libapache2-mod-perl2. (Wed, 13 Mar 2013 20:27:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Niko Tyni <ntyni+modperl@mappi.helsinki.fi>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Wed, 13 Mar 2013 20:27:06 GMT) Full text and rfc822 format available.

Message #48 received at 702821@bugs.debian.org (full text, mbox):

From: Niko Tyni <ntyni+modperl@mappi.helsinki.fi>
To: Steve Hay <Steve.Hay@verosoftware.com>
Cc: Dominic Hargreaves <dom@earth.li>, modperl@perl.apache.org, 702821@bugs.debian.org
Subject: Re: perl/hash_attack.t fails with 5.10.1 + CVE-2013-1667 fix
Date: Wed, 13 Mar 2013 22:24:36 +0200
On Wed, Mar 13, 2013 at 09:13:15AM -0000, Steve Hay wrote:
> Dominic Hargreaves wrote on 2013-03-12:

> > When trying to fix this issue in Debian stable, I found that the patch at
> > 
> > http://svn.apache.org/viewvc?view=revision&revision=1455340
> > 
> > does not stop the test failing when applied to 2.0.4 (as currently
> > found in Debian stable) and built against the current perl package in
> > Debian stable (5.10 + the rehashing fix). 

> I haven't looked at the Debian package, or tried anything with
> mod_perl-2.0.4, but I've just checked out origin/maint-5.10 from the
> Perl git repo (in fact, I took the snapshot at
> http://perl5.git.perl.org/perl.git/snapshot/f14269908e5f8b4cab4b55643d7dd9de577e7918.tar.gz)
> and tried that with Apache 2.2.22 and mod_perl from
> trunk and the tests all pass for me... (This is on Windows 7 x64 with
> VC++ 2010.)

Thanks for checking.

FWIW, I can reproduce the failure with the Debian perl 5.10.1 package and
mod_perl2 2.0.7 with just the above test fix. So it doesn't seem to be
a Debian change that breaks it. Maybe -Dusethreads or something like that.

I'll keep looking and send an update when I know more.
-- 
Niko Tyni   ntyni@debian.org



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#702821; Package libapache2-mod-perl2. (Wed, 13 Mar 2013 20:39:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Niko Tyni <ntyni@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Wed, 13 Mar 2013 20:39:07 GMT) Full text and rfc822 format available.

Message #53 received at 702821@bugs.debian.org (full text, mbox):

From: Niko Tyni <ntyni@debian.org>
To: 702821@bugs.debian.org
Subject: Re: perl/hash_attack.t fails with 5.10.1 + CVE-2013-1667 fix
Date: Wed, 13 Mar 2013 22:33:59 +0200
On Wed, Mar 13, 2013 at 10:24:36PM +0200, Niko Tyni wrote:
> On Wed, Mar 13, 2013 at 09:13:15AM -0000, Steve Hay wrote:
> > Dominic Hargreaves wrote on 2013-03-12:
> 
> > > When trying to fix this issue in Debian stable, I found that the patch at
> > > 
> > > http://svn.apache.org/viewvc?view=revision&revision=1455340
> > > 
> > > does not stop the test failing when applied to 2.0.4 (as currently
> > > found in Debian stable) and built against the current perl package in
> > > Debian stable (5.10 + the rehashing fix). 

> FWIW, I can reproduce the failure with the Debian perl 5.10.1 package and
> mod_perl2 2.0.7 with just the above test fix. So it doesn't seem to be
> a Debian change that breaks it. Maybe -Dusethreads or something like that.

(Trimming cc's, switching just to the BTS for now.)

With the squeeze package versions, I've narrowed the failure to

 t/TEST t/directive/perlrequire.t t/modules/apache_status.t t/perl/api.t t/perl/hash_attack.t

It looks like t/perl/api.t is generated on the first 'make test' run;
bisecting it might help in narrowing the case more.

Running t/TEST with -trace=debug gives this output in t/logs/error_log 
when the test fails:

[  debug] starting attack (it may take a long time!)
[  debug] mask: 511 (9)
[  debug]  1:    gg, 6b046200 29/64
[  debug]  2:    ne, 3c1dfc00 29/64
[  debug]  3:    qz, c17f0400 29/64
[  debug]  4:    sp, b886f000 29/64
[  debug]  5:   abp, b1672800 29/64
[  debug]  6:   bmt, 684fe600 29/64
[  debug]  7:   bqy, deb4e000 29/64
[  debug]  8:   bsg, 7be61400 29/64
[  debug]  9:   bvh, 4be1be00 29/64
[  debug] 10:   cfy, abe7f600 29/64
[  debug] 11:   elg, 06df9e00 29/64
[  debug] 12:   fra, 0001b600 29/64
[  debug] 13:   fvi, 95c6e600 29/64
[  debug] 14:   hkj, 97ab7000 29/64
[  debug] 15:   ifc, a458ee00 29/64
[  debug] 16:   ila, aab6e200 29/64
[  debug] pad keys from 56 to 64

and this one when it's OK (for example by excluding t/perlapi.t above):

[  debug] starting attack (it may take a long time!)
[  debug] mask: 511 (9)
[  debug]  1:    gg, 6b046200 28/64
[  debug]  2:    ne, 3c1dfc00 28/64
[  debug]  3:    qz, c17f0400 28/64
[  debug]  4:    sp, b886f000 28/64
[  debug]  5:   abp, b1672800 28/64
[  debug]  6:   bmt, 684fe600 28/64
[  debug]  7:   bqy, deb4e000 28/64
[  debug]  8:   bsg, 7be61400 28/64
[  debug]  9:   bvh, 4be1be00 28/64
[  debug] 10:   cfy, abe7f600 28/64
[  debug] 11:   elg, 06df9e00 28/64
[  debug] 12:   fra, 0001b600 28/64
[  debug] 13:   fvi, 95c6e600 28/64
[  debug] 14:   hkj, 97ab7000 28/64
[  debug] 15:   ifc, a458ee00 28/64
[  debug] 16:   ila, aab6e200 28/64
[  debug] pad keys from 55 to 64
[  debug] ending attack

Probably we just need a bit more tolerance somewhere in
t/response/TestPerl/hash_attack.pm but I'm out of hack
time tonight.
-- 
Niko Tyni   ntyni@debian.org
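
An added example (not part of the message above or of the mod_perl test suite) that parses the two `-trace=debug` excerpts quoted in message #53, checks that every listed key falls into the same bucket under the printed mask, and reports which fields differ between the failing and passing runs. It assumes the `N/64` column is a used/total bucket count; the function names are this example's own.

```python
import re

# Both traces are copied from the t/logs/error_log excerpts quoted in message #53.
FAILING = """\
[  debug] starting attack (it may take a long time!)
[  debug] mask: 511 (9)
[  debug]  1:    gg, 6b046200 29/64
[  debug]  2:    ne, 3c1dfc00 29/64
[  debug]  3:    qz, c17f0400 29/64
[  debug]  4:    sp, b886f000 29/64
[  debug]  5:   abp, b1672800 29/64
[  debug]  6:   bmt, 684fe600 29/64
[  debug]  7:   bqy, deb4e000 29/64
[  debug]  8:   bsg, 7be61400 29/64
[  debug]  9:   bvh, 4be1be00 29/64
[  debug] 10:   cfy, abe7f600 29/64
[  debug] 11:   elg, 06df9e00 29/64
[  debug] 12:   fra, 0001b600 29/64
[  debug] 13:   fvi, 95c6e600 29/64
[  debug] 14:   hkj, 97ab7000 29/64
[  debug] 15:   ifc, a458ee00 29/64
[  debug] 16:   ila, aab6e200 29/64
[  debug] pad keys from 56 to 64
"""
PASSING = """\
[  debug] starting attack (it may take a long time!)
[  debug] mask: 511 (9)
[  debug]  1:    gg, 6b046200 28/64
[  debug]  2:    ne, 3c1dfc00 28/64
[  debug]  3:    qz, c17f0400 28/64
[  debug]  4:    sp, b886f000 28/64
[  debug]  5:   abp, b1672800 28/64
[  debug]  6:   bmt, 684fe600 28/64
[  debug]  7:   bqy, deb4e000 28/64
[  debug]  8:   bsg, 7be61400 28/64
[  debug]  9:   bvh, 4be1be00 28/64
[  debug] 10:   cfy, abe7f600 28/64
[  debug] 11:   elg, 06df9e00 28/64
[  debug] 12:   fra, 0001b600 28/64
[  debug] 13:   fvi, 95c6e600 28/64
[  debug] 14:   hkj, 97ab7000 28/64
[  debug] 15:   ifc, a458ee00 28/64
[  debug] 16:   ila, aab6e200 28/64
[  debug] pad keys from 55 to 64
[  debug] ending attack
"""

MASK_RE = re.compile(r"mask: (\d+) \((\d+)\)")
KEY_RE = re.compile(r"(\d+):\s+(\w+), ([0-9a-f]{8}) (\d+)/(\d+)")
PAD_RE = re.compile(r"pad keys from (\d+) to (\d+)")


def parse_trace(text):
    """Parse one hash_attack debug trace into a summary dict."""
    t = {"mask": None, "bits": None, "keys": [], "used": set(),
         "pad_from": None, "completed": False}
    for line in text.splitlines():
        if m := MASK_RE.search(line):
            t["mask"], t["bits"] = int(m[1]), int(m[2])
        elif m := KEY_RE.search(line):
            t["keys"].append((m[2], int(m[3], 16)))  # (key, 32-bit hash value)
            t["used"].add(int(m[4]))  # assumption: "used" half of used/total buckets
        elif m := PAD_RE.search(line):
            t["pad_from"] = int(m[1])
        elif "ending attack" in line:
            t["completed"] = True
    return t


def colliding_bucket(trace):
    """Return the shared bucket index if every key collides under the mask, else None."""
    buckets = {h & trace["mask"] for _, h in trace["keys"]}
    return buckets.pop() if len(buckets) == 1 else None


def diff_traces(a, b):
    """Return {field: (a_value, b_value)} for the summary fields that differ."""
    fields = ("mask", "keys", "used", "pad_from", "completed")
    return {f: (a[f], b[f]) for f in fields if a[f] != b[f]}


if __name__ == "__main__":
    bad, good = parse_trace(FAILING), parse_trace(PASSING)
    print("shared bucket:", colliding_bucket(bad), colliding_bucket(good))
    for field, (x, y) in diff_traces(bad, good).items():
        print(f"{field}: failing={x} passing={y}")
```

On the quoted traces the key set and mask are identical; the runs differ only in the bucket count (29 vs 28), the pad start (56 vs 55) and the missing `ending attack` line.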



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#702821; Package libapache2-mod-perl2. (Thu, 14 Mar 2013 08:57:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Steve Hay" <Steve.Hay@verosoftware.com>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Thu, 14 Mar 2013 08:57:03 GMT) Full text and rfc822 format available.

Message #58 received at 702821@bugs.debian.org (full text, mbox):

From: "Steve Hay" <Steve.Hay@verosoftware.com>
To: "Niko Tyni" <ntyni+modperl@mappi.helsinki.fi>
Cc: "Dominic Hargreaves" <dom@earth.li>, <modperl@perl.apache.org>, <702821@bugs.debian.org>
Subject: RE: perl/hash_attack.t fails with 5.10.1 + CVE-2013-1667 fix
Date: Thu, 14 Mar 2013 08:54:06 -0000
Niko Tyni wrote on 2013-03-13:
> On Wed, Mar 13, 2013 at 09:13:15AM -0000, Steve Hay wrote:
>> Dominic Hargreaves wrote on 2013-03-12:
> 
>>> When trying to fix this issue in Debian stable, I found that the
>>> patch at
>>> 
>>> http://svn.apache.org/viewvc?view=revision&revision=1455340
>>> 
>>> does not stop the test failing when applied to 2.0.4 (as currently
>>> found in Debian stable) and built against the current perl package
>>> in Debian stable (5.10 + the rehashing fix).
> 
>> I haven't looked at the Debian package, or tried anything with
>> mod_perl-2.0.4, but I've just checked out origin/maint-5.10 from the
>> Perl git repo (in fact, I took the snapshot at
>> http://perl5.git.perl.org/perl.git/snapshot/f14269908e5f8b4cab4b55643d7dd9de577e7918.tar.gz)
>> and tried that with Apache 2.2.22 and mod_perl
>> from trunk and the tests all pass for me... (This is on Windows 7 x64
>> with VC++ 2010.)
> 
> Thanks for checking.
> 
> FWIW, I can reproduce the failure with the Debian perl 5.10.1 package
> and mod_perl2 2.0.7 with just the above test fix. So it doesn't seem to
> be a Debian change that breaks it. Maybe -Dusethreads or something like
> that.
> 
> I'll keep looking and send an update when I know more.


The perl I built and tested with was made with ithreads enabled.

There is an alternative patch to fix this test, submitted to mod_perl's
rt.cpan.org queue after I'd applied the patch from the perl5-security
queue on rt.perl.org:

https://rt.cpan.org/Ticket/Display.html?id=83916

I haven't tried it myself yet, but is that any better for you?



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#702821; Package libapache2-mod-perl2. (Thu, 14 Mar 2013 11:57:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Thu, 14 Mar 2013 11:57:03 GMT) Full text and rfc822 format available.

Message #63 received at 702821@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Steve Hay <Steve.Hay@verosoftware.com>, 702821@bugs.debian.org
Cc: Niko Tyni <ntyni+modperl@mappi.helsinki.fi>, modperl@perl.apache.org, Dominic Hargreaves <dom@earth.li>
Subject: Re: Bug#702821: perl/hash_attack.t fails with 5.10.1 + CVE-2013-1667 fix
Date: Thu, 14 Mar 2013 12:55:28 +0100
[Message part 1 (text/plain, inline)]
Hi all

On Thu, Mar 14, 2013 at 08:54:06AM -0000, Steve Hay wrote:
> Niko Tyni wrote on 2013-03-13:
> > On Wed, Mar 13, 2013 at 09:13:15AM -0000, Steve Hay wrote:
> >> Dominic Hargreaves wrote on 2013-03-12:
> > 
> >>> When trying to fix this issue in Debian stable, I found that the
> >>> patch at
> >>> 
> >>> http://svn.apache.org/viewvc?view=revision&revision=1455340
> >>> 
> >>> does not stop the test failing when applied to 2.0.4 (as currently
> >>> found in Debian stable) and built against the current perl package
> >>> in Debian stable (5.10 + the rehashing fix).
> > 
> >> I haven't looked at the Debian package, or tried anything with
> >> mod_perl-2.0.4, but I've just checked out origin/maint-5.10 from the
> >> Perl git repo (in fact, I took the snapshot at
> >> http://perl5.git.perl.org/perl.git/snapshot/f14269908e5f8b4cab4b55643d7dd9de577e7918.tar.gz)
> >> and tried that with Apache 2.2.22 and mod_perl
> >> from trunk and the tests all pass for me... (This is on Windows 7 x64
> >> with VC++ 2010.)
> > 
> > Thanks for checking.
> > 
> > FWIW, I can reproduce the failure with the Debian perl 5.10.1 package
> > and mod_perl2 2.0.7 with just the above test fix. So it doesn't seem to
> > be a Debian change that breaks it. Maybe -Dusethreads or something like
> > that.
> > 
> > I'll keep looking and send an update when I know more.
> 
> 
> The perl I built and tested with was made with ithreads enabled.
> 
> There is an alternative patch to fix this test, submitted to mod_perl's
> rt.cpan.org queue after I'd applied the patch from the perl5-security
> queue on rt.perl.org:
> 
> https://rt.cpan.org/Ticket/Display.html?id=83916
> 
> I haven't tried it myself yet, but is that any better for you?

I tried to rebuild the Squeeze package with the mentioned first patch,
the package builds now. Disclaimer: only did the build but haven't
looked what's actually changing importantly.

Thank you Steve.

Regards,
Salvatore
[libapache2-mod-perl2_2.0.4-7+squeeze1_amd64.build.gz (application/octet-stream, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#702821; Package libapache2-mod-perl2. (Fri, 15 Mar 2013 19:00:24 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Steve Hay" <Steve.Hay@verosoftware.com>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Fri, 15 Mar 2013 19:00:24 GMT) Full text and rfc822 format available.

Message #68 received at 702821@bugs.debian.org (full text, mbox):

From: "Steve Hay" <Steve.Hay@verosoftware.com>
To: "Niko Tyni" <ntyni+modperl@mappi.helsinki.fi>
Cc: "Dominic Hargreaves" <dom@earth.li>, <modperl@perl.apache.org>, <702821@bugs.debian.org>
Subject: RE: perl/hash_attack.t fails with 5.10.1 + CVE-2013-1667 fix
Date: Fri, 15 Mar 2013 17:56:05 -0000
[Message part 1 (text/plain, inline)]
Steve Hay wrote on 2013-03-14:
> Niko Tyni wrote on 2013-03-13:
>> On Wed, Mar 13, 2013 at 09:13:15AM -0000, Steve Hay wrote:
>>> Dominic Hargreaves wrote on 2013-03-12:
>> 
>>>> When trying to fix this issue in Debian stable, I found that the
>>>> patch at
>>>> 
>>>> http://svn.apache.org/viewvc?view=revision&revision=1455340
>>>> 
>>>> does not stop the test failing when applied to 2.0.4 (as currently
>>>> found in Debian stable) and built against the current perl package
>>>> in Debian stable (5.10 + the rehashing fix).
>> 
>>> I haven't looked at the Debian package, or tried anything with
>>> mod_perl-2.0.4, but I've just checked out origin/maint-5.10 from
>>> the Perl git repo (in fact, I took the snapshot at
>>> http://perl5.git.perl.org/perl.git/snapshot/f14269908e5f8b4cab4b55643d7dd9de577e7918.tar.gz)
>>> and tried that with Apache 2.2.22 and mod_perl
>>> from trunk and the tests all pass for me... (This is on Windows 7 x64
>>> with VC++ 2010.)
>> 
>> Thanks for checking.
>> 
>> FWIW, I can reproduce the failure with the Debian perl 5.10.1 package
>> and mod_perl2 2.0.7 with just the above test fix. So it doesn't seem to
>> be a Debian change that breaks it. Maybe -Dusethreads or something like
>> that.
>> 
>> I'll keep looking and send an update when I know more.
> 
> 
> The perl I built and tested with was made with ithreads enabled.
> 
> There is an alternative patch to fix this test, submitted to
> mod_perl's rt.cpan.org queue after I'd applied the patch from the
> perl5-security queue on rt.perl.org:
> 
> https://rt.cpan.org/Ticket/Display.html?id=83916
> 
> I haven't tried it myself yet, but is that any better for you?

Zefram has now come up with an even better patch (on the same RT
ticket), after reproducing the Debian 5.10.1 failure himself.

Please take a look (I've also attached it here for your convenience) and
let me know whether this works for you. If so then I hope to apply it to
SVN over the weekend.
[hattack_synthesis.patch (application/octet-stream, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#702821; Package libapache2-mod-perl2. (Fri, 15 Mar 2013 19:58:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Fri, 15 Mar 2013 19:58:08 GMT) Full text and rfc822 format available.

Message #73 received at 702821@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Steve Hay <Steve.Hay@verosoftware.com>, 702821@bugs.debian.org
Cc: Niko Tyni <ntyni+modperl@mappi.helsinki.fi>, Dominic Hargreaves <dom@earth.li>, modperl@perl.apache.org
Subject: Re: Bug#702821: perl/hash_attack.t fails with 5.10.1 + CVE-2013-1667 fix
Date: Fri, 15 Mar 2013 20:43:58 +0100
Hi

On Fri, Mar 15, 2013 at 05:56:05PM -0000, Steve Hay wrote:
[...]
> Zefram has now come up with an even better patch (on the same RT
> ticket), after reproducing the Debian 5.10.1 failure himself.
> 
> Please take a look (I've also attached it here for your convenience) and
> let me know whether this works for you. If so then I hope to apply it to
> SVN over the weekend.

I can confirm that the new patch works on Debian Squeeze, with Perl
(5.10.1-17squeeze6) including the security fix.

Thank you Steve for keeping us updated!

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#702821; Package libapache2-mod-perl2. (Fri, 15 Mar 2013 20:39:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to Zefram <zefram@fysh.org>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Fri, 15 Mar 2013 20:39:08 GMT) Full text and rfc822 format available.

Message #78 received at 702821@bugs.debian.org (full text, mbox):

From: Zefram <zefram@fysh.org>
To: 702821@bugs.debian.org
Subject: Re: Bug#702821: perl/hash_attack.t fails with 5.10.1 + CVE-2013-1667 fix
Date: Fri, 15 Mar 2013 14:03:09 +0000
The patch in svn.apache.org r1455340 is not correct for Perl 5.10 due
to a slight difference in hash splitting logic.  Full explanation and
revised patch now available on the RT ticket.

-zefram



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#702821; Package libapache2-mod-perl2. (Fri, 15 Mar 2013 23:27:04 GMT) Full text and rfc822 format available.

Message #81 received at 702821@bugs.debian.org (full text, mbox):

From: pkg-perl-maintainers@lists.alioth.debian.org
To: 702821@bugs.debian.org, 702821-submitter@bugs.debian.org
Subject: Pending fixes for bugs in the libapache2-mod-perl2 package
Date: Fri, 15 Mar 2013 23:22:56 +0000
tag 702821 + pending
thanks

Some bugs in the libapache2-mod-perl2 package are closed in revision
2fbdcea15163af48b29294c77854d29b33e25541 in branch 'squeeze' by
Dominic Hargreaves

The full diff can be seen at
http://anonscm.debian.org/gitweb/?p=pkg-perl/packages/libapache2-mod-perl2.git;a=commitdiff;h=2fbdcea

Commit message:

    Fix FTBFS with versions of perl including the CVE-2013-1667 fix (Closes: #702821)




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#702821; Package libapache2-mod-perl2. (Fri, 15 Mar 2013 23:27:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Dominic Hargreaves <dom@earth.li>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Fri, 15 Mar 2013 23:27:07 GMT) Full text and rfc822 format available.

Message #86 received at 702821@bugs.debian.org (full text, mbox):

From: Dominic Hargreaves <dom@earth.li>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 702821@bugs.debian.org, Niko Tyni <ntyni+modperl@mappi.helsinki.fi>
Subject: Re: Bug#702821: perl/hash_attack.t fails with 5.10.1 + CVE-2013-1667 fix
Date: Fri, 15 Mar 2013 23:25:42 +0000
On Fri, Mar 15, 2013 at 08:43:58PM +0100, Salvatore Bonaccorso wrote:
> Hi
> 
> On Fri, Mar 15, 2013 at 05:56:05PM -0000, Steve Hay wrote:
> [...]
> > Zefram has now come up with an even better patch (on the same RT
> > ticket), after reproducing the Debian 5.10.1 failure himself.
> > 
> > Please take a look (I've also attached it here for your convenience) and
> > let me know whether this works for you. If so then I hope to apply it to
> > SVN over the weekend.
> 
> I can confirm that the new patch works on Debian Squeeze, with Perl
> (5.10.1-17squeeze6) including the security fix.

I've pushed this to

http://anonscm.debian.org/gitweb/?p=pkg-perl/packages/libapache2-mod-perl2.git;a=shortlog;h=refs/heads/squeeze

now and will upload over the weekend.

Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)



Message sent on to Niko Tyni <ntyni@debian.org>:
Bug#702821. (Fri, 15 Mar 2013 23:27:13 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#702821; Package libapache2-mod-perl2. (Fri, 15 Mar 2013 23:36:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Dominic Hargreaves <dom@earth.li>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Fri, 15 Mar 2013 23:36:04 GMT) Full text and rfc822 format available.

Message #94 received at 702821@bugs.debian.org (full text, mbox):

From: Dominic Hargreaves <dom@earth.li>
To: Thijs Kinkhorst <thijs@debian.org>, 702821@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#702821: libapache2-mod-perl2: FTBFS: the CVE-2013-1667 fix breaks t/perl/hash_attack.t
Date: Fri, 15 Mar 2013 23:33:55 +0000
On Tue, Mar 12, 2013 at 01:07:37PM +0100, Thijs Kinkhorst wrote:
> On Mon, March 11, 2013 21:47, Niko Tyni wrote:
> > Cc'ing the security team. Once we have a fix, I suppose we'll need to
> > fix libapache2-mod-perl2 via stable-security?
> 
> Yes please.

Hi security team,

Forgot to include you in my last update, but: there is a working fix
now in git

http://anonscm.debian.org/gitweb/?p=pkg-perl/packages/libapache2-mod-perl2.git;a=shortlog;h=refs/heads/squeeze

You can see some dialogue about the correctness of the patches in the
bug log.

May I upload this to squeeze-security?

Cheers,
Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)



Reply sent to Dominic Hargreaves <dom@earth.li>:
You have taken responsibility. (Thu, 21 Mar 2013 22:06:11 GMT) Full text and rfc822 format available.

Notification sent to Niko Tyni <ntyni@debian.org>:
Bug acknowledged by developer. (Thu, 21 Mar 2013 22:06:11 GMT) Full text and rfc822 format available.

Message #99 received at 702821-close@bugs.debian.org (full text, mbox):

From: Dominic Hargreaves <dom@earth.li>
To: 702821-close@bugs.debian.org
Subject: Bug#702821: fixed in libapache2-mod-perl2 2.0.4-7+squeeze1
Date: Thu, 21 Mar 2013 22:02:05 +0000
Source: libapache2-mod-perl2
Source-Version: 2.0.4-7+squeeze1

We believe that the bug you reported is fixed in the latest version of
libapache2-mod-perl2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 702821@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dominic Hargreaves <dom@earth.li> (supplier of updated libapache2-mod-perl2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 16 Mar 2013 15:17:51 +0000
Source: libapache2-mod-perl2
Binary: libapache2-mod-perl2 libapache2-mod-perl2-dev libapache2-mod-perl2-doc
Architecture: source all i386
Version: 2.0.4-7+squeeze1
Distribution: stable-security
Urgency: high
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: Dominic Hargreaves <dom@earth.li>
Description: 
 libapache2-mod-perl2 - Integration of perl with the Apache2 web server
 libapache2-mod-perl2-dev - Integration of perl with the Apache2 web server - development fil
 libapache2-mod-perl2-doc - Integration of perl with the Apache2 web server - documentation
Closes: 702821
Changes: 
 libapache2-mod-perl2 (2.0.4-7+squeeze1) stable-security; urgency=high
 .
   * Fix FTBFS with versions of perl including the CVE-2013-1667
     fix (Closes: #702821)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iD8DBQFRRLJ6YzuFKFF44qURApVqAKCYeNrdWn/INQFof4aO3bwiU7pNSwCgw/UI
YJED6DTYzyynOR2ZdVmOYqw=
=HsT+
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 30 Aug 2013 07:28:53 GMT) Full text and rfc822 format available.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 02:44:47 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.