118101 2006-01-06 14:08 0000 app-emulation/wine is vulnerable to wmf exploit (CVE-2006-0106) 2006-01-17 00:45:12 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED B2 [glsa] DerCorny P2 normal --- 1 carlo@gentoo.org security@gentoo.org ari@goron.de basic@mozdev.org eldad@gentoo.org flash3001@yahoo.com genbug@piments.com johnherdy@msn.com m.debruijne@matrict.nl toto@darkside.tomsk.ru carlo@gentoo.org 2006-01-06 14:08:26 0000 It's not April the first, so I take this for real: http://blogs.zdnet.com/Ou/index.php?p=146 antonlacon@gmail.com 2006-01-06 21:32:36 0000 Created an attachment (id=76431) upstream patch for wmf exploit Patch already checked into WineHQ's cvs. http://cvs.winehq.org/cvsweb/wine/dlls/gdi/metafile.c antonlacon@gmail.com 2006-01-06 21:48:22 0000 Created an attachment (id=76432) wine-0.9.5 ebuild bumped to -r1 applying upstream fix Updated wine-0.9.5 ebuild to include the upstream fix. Applied cleanly, building now and I'm not expecting any problems so submiting ebuild. dercorny@gentoo.org 2006-01-07 06:33:25 0000 ok, waiting for an ebuild that is ready to be marked stable (ie. approved by the wine herd and if possible, commited to portage) carlo@gentoo.org 2006-01-07 06:54:27 0000 The version numbering issue blocks this, since users won't get the fixed Wine version. There's also the question, if WineX/Cedega/Transgaming stuff is affected, too. dercorny@gentoo.org 2006-01-07 07:20:32 0000 mhh, maybe backport the fixes and makes a revbump of the 2005XXXX ebuilds as workaround for the version number issue? I can't check cedega/transgaming and so on, because i don't own a copy, so i guess wine herd has to find that out. vapier@gentoo.org 2006-01-07 19:42:31 0000 we dont maintain cedega, that is all handled upstream vapier@gentoo.org 2006-01-07 20:36:49 0000 ive added the patch to all ebuilds and moved wine-20050930 to stable as for unstable, i dont really see the big deal with waiting for a 0.9.6 release to pushout the version bump carlo@gentoo.org 2006-01-08 04:35:22 0000 (In reply to comment #6) > we dont maintain cedega, that is all handled upstream We do care for it by hard masking the vulnerable ebuilds, when upstream doesn't provide an update in an acceptable amount of time. dercorny@gentoo.org 2006-01-08 08:28:33 0000 ready for glsa dercorny@gentoo.org 2006-01-09 02:44:13 0000 *** Bug 118373 has been marked as a duplicate of this bug. *** johnherdy@msn.com 2006-01-11 06:32:10 0000 the patch is applied to ebuilds without a rev.bump, this results in glsa-check not being able to detect if a system is vulnerable, by all means don't be offended, but there is a lot of noise on the dev.list about enterprise gentoo, first must be sure that users can rely on glsa's and related tools for no less then 100%, if it isn't standard procedure that security fixes are rev.bumped then enterprise gentoo will never be a reality, changing glsa-check to be able to detect if a system is vulnerable without depending on ebuild-versions is off course also a posibility. dercorny@gentoo.org 2006-01-11 06:48:20 0000 All the stable versions were rev-bumped, unstables are fixed but as you can see in comment #7, we're waiting for a new upstream release. SpanKY (or somebody else) could you commit a simple rev-bump of the latest unstable so everybody is happy? (Btw, i'm not payed for this, so i dont care too much about enterprise gentoo) vapier@gentoo.org 2006-01-11 07:18:57 0000 i'll revbump if a new wine release isnt made along their normal timeframe koon@gentoo.org 2006-01-13 00:43:08 0000 GLSA 200601-09 is out. Storklerk@ariolc.dyndns.org 2006-01-14 04:43:37 0000 I just checked my system with glsa-check and GLSA-200601-09 is wrong. a) all versions of wine-0.9* have the wmf-patch included, but are marked as vulnerable in the GLSA b) the wine-20050930 is marked as not vulnerable, but does NOT contain the patch (The commit http://www.gentoo.org/cgi-bin/viewcvs.cgi/app-emulation/wine/wine-20050930.ebuild?r1=1.7&r2=1.8 has the comment 'Add upstream patch for WMF exploit #118101', but only marks this ebuild stable without adding the epatch line!) jaervosz@gentoo.org 2006-01-14 07:04:53 0000 Thx for the report Torsten. Back to ebuild, vapier please apply patch. @ a) If patches are are applied to older ebuilds without rev-bumping them, installs from before the update are still vulnerable. vapier@gentoo.org 2006-01-14 10:39:09 0000 hmm, must have changed all of the 200x on the remote test box and forgot to commit local versions 200* are all now -* 0.9.x are all now stable stable users will be upgraded to 0.9.5 now dercorny@gentoo.org 2006-01-14 10:59:11 0000 ready for errata genbug@piments.com 2006-01-14 15:35:21 0000 >> I just checked my system with glsa-check and GLSA-200601-09 is wrong. >>a) all versions of wine-0.9* have the wmf-patch included, but are marked as vulnerable in the GLSA >>b) the wine-20050930 is marked as not vulnerable, but does NOT contain the patch OK, that is pretty slack work for Gentoo security team just banging out the usual comment "please update to most recent version" without even checking what verson they were advising people to use. But now this is a security issue HOW ABOUT someone actually dealing with the version nonsense in wine. This 20050930>0.9.x thing has been a bug in portage for six wine versions now. I posted it in October. Reposted to it twice since then. The reason it was not dealt with correctly was probably that it was marked FIXED when the fix was not to fix it. :? Maybe now would be a good time to get half of gentooland past 20050930. regards. vapier@gentoo.org 2006-01-14 15:41:33 0000 > But now this is a security issue HOW ABOUT someone actually dealing with the > version nonsense in wine. This 20050930>0.9.x thing has been a bug in portage > for six wine versions now. hey jackass why dont you read what has changed > Maybe now would be a good time to get half of gentooland past 20050930. already done, why dont you sync up your tree and check the facts before complaining genbug@piments.com 2006-01-14 17:17:02 0000 (In reply to comment #20) > > But now this is a security issue HOW ABOUT someone actually dealing with the > > version nonsense in wine. This 20050930>0.9.x thing has been a bug in portage > > for six wine versions now. > > hey jackass why dont you read what has changed > > > Maybe now would be a good time to get half of gentooland past 20050930. > > already done, why dont you sync up your tree and check the facts before > complaining > yeah right dickhead, if you want to get really grown up about this, you made a change to gentoo cvs six hours ago. [Sat Jan 14 18:39:32 2006 UTC] So how about giving it time to get to the mirrors before throwing insults. According to my system my last sycn was 18:50:01 CET , so I should not even be thinking of loading the mirrors again so soon. If my system did not pick up the changes it's probably because you forgot to commit them. It took you four friggin months to move on this and now you're getting smart because I dont sync 4 times a day. kind regards, jackass. Let's drop the insults now ,eh? vapier@gentoo.org 2006-01-14 17:54:54 0000 the reason for my pissyness was how you so offhandly refer to the security team this isnt their fault, it was mine and really i could care less about the time frame of the wine stuff, i sat on it because any solution to the issue sucked genbug@piments.com 2006-01-14 19:30:06 0000 (In reply to comment #22) > the reason for my pissyness was how you so offhandly refer to the security team > > this isnt their fault, it was mine > > and really i could care less about the time frame of the wine stuff, i sat on > it because any solution to the issue sucked > Thanks, I think the calmer approach is better. I'm not sure this is the most suitable place to go into the details of the security post but I think they could have been more rigourous in serveral respects, putting aside your mistake. However I dont believe that the earlier outburst was on their behalf , people usually react like that when they feel themselves critisised not others. It seems in keeping with your ingenuous attitude I have seen before, you slip a mod through then start sounding off at people hoping no-one will notice the timing. I recall a very similar instance with the reiser4progs ebuild. That aside, I give you credit for fairly accepting your mistake on this one and for coming back with a more reasonable tone. I admit I was expecting another flame, beg your pardon. I accept that in view of the glsa issue you had to do the quickest thing that did not require too much checking but I think a better solution could/can be found for wine. Wine can be very fickle and the older versions are quite often needed. Best regards. vapier@gentoo.org 2006-01-15 01:19:14 0000 0.9.5-r1 in portage to push out the patch changes eldad@gentoo.org 2006-01-15 02:27:50 0000 crossover-office-*-5.0.0 is also effected, a fix was issued with 5.0.1. http://crossover.codeweavers.com/pipermail/announce/2006-January/000031.html eldad@gentoo.org 2006-01-15 02:30:42 0000 BTW, regarding cedega, since portage doesn't carry the cedegea "engine", only the wrapper (the -small package), the upgrade is up to the users to update their engine. vapier@gentoo.org 2006-01-15 03:39:31 0000 crossover office cannot be upgraded unless someone gives me the file name/size/md5 information as i have no access to said files eldad@gentoo.org 2006-01-15 04:07:01 0000 just mailed codeweavers for the info, but also got the md5sum/size from #crossover on freenode: MD5 96bea3142fd096db88186f7233c5d43c install-crossover-standard-5.0.1.sh 16160351 MD5 847d4a3d7cb23d4931fc5e04ea243f53 install-crossover-pro-5.0.1.sh 16177282 dercorny@gentoo.org 2006-01-15 10:34:16 0000 Crossover office will be handled in bug #119107 vapier@gentoo.org 2006-01-15 11:09:16 0000 thanks, added 5.0.1 to portage jaervosz@gentoo.org 2006-01-17 00:45:12 0000 ERRATA issued. Thx for the notification. 76431 2006-01-06 21:32 0000 upstream patch for wmf exploit wine-wmf-exploit.patch text/plain PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PQpSQ1MgZmlsZTogL2hvbWUvd2luZS93aW5lL2RsbHMvZ2RpL21ldGFmaWxlLmMs dgpyZXRyaWV2aW5nIHJldmlzaW9uIDEuMTEKcmV0cmlldmluZyByZXZpc2lvbiAxLjEyCmRpZmYg LXUgLXAgLXIxLjExIC1yMS4xMgotLS0gd2luZS9kbGxzL2dkaS9tZXRhZmlsZS5jCTIwMDYvMDEv MDMgMTI6NDM6NTIJMS4xMQorKysgd2luZS9kbGxzL2dkaS9tZXRhZmlsZS5jCTIwMDYvMDEvMDYg MjA6NTI6NDYJMS4xMgpAQCAtODYzLDYgKzg2MywxMyBAQCBCT09MIFdJTkFQSSBQbGF5TWV0YUZp bGVSZWNvcmQoIEhEQyBoZGMsCiAgICAgICAgIGJyZWFrOwogCiAgICAgY2FzZSBNRVRBX0VTQ0FQ RToKKyAgICAgICAgc3dpdGNoIChtci0+cmRQYXJtWzBdKSB7CisgICAgICAgIGNhc2UgR0VUU0NB TElOR0ZBQ1RPUjogLyogZ2V0IGZ1bmN0aW9uIC4uLiB3b3VsZCBqdXN0IE5VTEwgZGVyZWZlcmVu Y2UgKi8KKyAgICAgICAgICAgICByZXR1cm4gRkFMU0U7CisgICAgICAgIGNhc2UgU0VUQUJPUlRQ Uk9DOgorICAgICAgICAgICAgIEZJWE1FKCJGaWx0ZXJpbmcgRXNjYXBlKFNFVEFCT1JUUFJPQyks IHBvc3NpYmxlIHZpcnVzP1xuIik7CisgICAgICAgICAgICAgcmV0dXJuIEZBTFNFOworICAgICAg ICB9CiAgICAgICAgIEVzY2FwZShoZGMsIG1yLT5yZFBhcm1bMF0sIG1yLT5yZFBhcm1bMV0sIChM UENTVFIpJm1yLT5yZFBhcm1bMl0sIE5VTEwpOwogICAgICAgICBicmVhazsKIAo= 76432 2006-01-06 21:48 0000 wine-0.9.5 ebuild bumped to -r1 applying upstream fix wine-0.9.5-r1.ebuild text/plain IyBDb3B5cmlnaHQgMTk5OS0yMDA2IEdlbnRvbyBGb3VuZGF0aW9uCiMgRGlzdHJpYnV0ZWQgdW5k ZXIgdGhlIHRlcm1zIG9mIHRoZSBHTlUgR2VuZXJhbCBQdWJsaWMgTGljZW5zZSB2MgojICRIZWFk ZXI6ICQKCmluaGVyaXQgZXV0aWxzIGZsYWctby1tYXRpYyBtdWx0aWxpYgoKREVTQ1JJUFRJT049 ImZyZWUgaW1wbGVtZW50YXRpb24gb2YgV2luZG93cyh0bSkgb24gVW5peCIKSE9NRVBBR0U9Imh0 dHA6Ly93d3cud2luZWhxLmNvbS8iClNSQ19VUkk9Im1pcnJvcjovL3NvdXJjZWZvcmdlLyR7UE59 L3dpbmUtJHtQVn0udGFyLmJ6MiIKCkxJQ0VOU0U9IkxHUEwtMi4xIgpTTE9UPSIwIgpLRVlXT1JE Uz0iLSogfmFtZDY0IH54ODYiCklVU0U9ImFsc2EgYXJ0cyBjdXBzIGRlYnVnIGVzZCBnaWYgZ2x1 dCBqYWNrIGpwZWcgbGNtcyBsZGFwIG5hcyBuY3Vyc2VzIG9wZW5nbCBvc3Mgc2Nhbm5lciB0cnVl dHlwZSB4bWwyIFgiClJFU1RSSUNUPSJ0ZXN0IiAjNzIzNzUKClJERVBFTkQ9Ij49bWVkaWEtbGli cy9mcmVldHlwZS0yLjAuMAoJbWVkaWEtZm9udHMvY29yZWZvbnRzCgluY3Vyc2VzPyAoID49c3lz LWxpYnMvbmN1cnNlcy01LjIgKQoJamFjaz8gKCBtZWRpYS1zb3VuZC9qYWNrLWF1ZGlvLWNvbm5l Y3Rpb24ta2l0ICkKCVg/ICggfHwgKCAoIHgxMS1saWJzL2xpYlhyYW5kcgoJCQkJeDExLWxpYnMv bGliWGkKCQkJCXgxMS1saWJzL2xpYlhtdQoJCQkJeDExLWxpYnMvbGliWHhmODZkZ2EKCQkJCXgx MS1saWJzL2xpYlh4Zjg2dm0KCQkJKQoJCQl2aXJ0dWFsL3gxMQoJCSkKCSkKCWFydHM/ICgga2Rl LWJhc2UvYXJ0cyApCglhbHNhPyAoIG1lZGlhLWxpYnMvYWxzYS1saWIgKQoJZXNkPyAoIG1lZGlh LXNvdW5kL2Vzb3VuZCApCgluYXM/ICggbWVkaWEtbGlicy9uYXMgKQoJY3Vwcz8gKCBuZXQtcHJp bnQvY3VwcyApCglvcGVuZ2w/ICggdmlydHVhbC9vcGVuZ2wgKQoJZ2lmPyAoIG1lZGlhLWxpYnMv Z2lmbGliICkKCWpwZWc/ICggbWVkaWEtbGlicy9qcGVnICkKCWxkYXA/ICggbmV0LW5kcy9vcGVu bGRhcCApCglnbHV0PyAoIHZpcnR1YWwvZ2x1dCApCglsY21zPyAoIG1lZGlhLWxpYnMvbGNtcyAp Cgl4bWwyPyAoIGRldi1saWJzL2xpYnhtbDIgZGV2LWxpYnMvbGlieHNsdCApCgl0cnVldHlwZT8g KCBtZWRpYS1saWJzL2ZyZWV0eXBlICkKCXNjYW5uZXI/ICggbWVkaWEtZ2Z4L3NhbmUtYmFja2Vu ZHMgKQoJYW1kNjQ/ICgKCQk+PWFwcC1lbXVsYXRpb24vZW11bC1saW51eC14ODYteGxpYnMtMi4x CgkJPj1hcHAtZW11bGF0aW9uL2VtdWwtbGludXgteDg2LXNvdW5kbGlicy0yLjEKCQk+PXN5cy1r ZXJuZWwvbGludXgtaGVhZGVycy0yLjYKCSkiCkRFUEVORD0iJHtSREVQRU5EfQoJWD8gKCB8fCAo ICggeDExLXByb3RvL2lucHV0cHJvdG8KCQkJCXgxMS1wcm90by94ZXh0cHJvdG8KCQkJCXgxMS1w cm90by94Zjg2ZGdhcHJvdG8KCQkJCXgxMS1wcm90by94Zjg2dmlkbW9kZXByb3RvCgkJCSkKCQkJ dmlydHVhbC94MTEKCQkpCgkpCglzeXMtZGV2ZWwvYmlzb24KCXN5cy1kZXZlbC9mbGV4IgoKcGtn X3NldHVwKCkgewoJaWYgdXNlIGFtZDY0IDsgdGhlbgoJCWlmICEgaGFzX20zMiA7IHRoZW4KCQkJ ZWVycm9yICJZb3VyIGNvbXBpbGVyIHNlZW1zIHRvIGJlIHVuYWJsZSB0byBjb21waWxlIDMyYml0 IGNvZGUuIgoJCQllZXJyb3IgIk1ha2Ugc3VyZSB5b3UgY29tcGlsZSBnY2Mgd2l0aDoiCgkJCWVj aG8KCQkJZWVycm9yICIgICAgVVNFPW11bHRpbGliIEZFQVRVUkVTPS1zYW5kYm94IgoJCQlkaWUg IkNhbm5vdCBwcm9kdWNlIDMyYml0IGNvZGUiCgkJZmkKCQlpZiBoYXNfbXVsdGlsaWJfcHJvZmls ZSA7IHRoZW4KCQkJZXhwb3J0IEFCST14ODYKCQllbHNlCgkJCWFwcGVuZC1mbGFncyAtbTMyCgkJ CWFwcGVuZC1sZGZsYWdzIC1tMzIKCQlmaQoJZmkKfQoKc3JjX3VucGFjaygpIHsKCXVucGFjayB3 aW5lLSR7UFZ9LnRhci5iejIKCWNkICIke1N9IgoKCWVwYXRjaCAiJHtGSUxFU0RJUn0iL3dpbmUt MjAwNTA1MjQtYWxzYS1oZWFkZXJzLnBhdGNoCgllcGF0Y2ggIiR7RklMRVNESVJ9Ii93aW5lYXJ0 cy1rZGVjdnMtZml4LnBhdGNoCglzZWQgLWkgJy9eVVBEQVRFX0RFU0tUT1BfREFUQUJBU0Uvczo9 Lio6PXRydWU6JyB0b29scy9NYWtlZmlsZS5pbgoJZXBhdGNoICIke0ZJTEVTRElSfSIvd2luZS0y MDA0MTAxOS1uby1zdGFjay5wYXRjaCAjNjYwMDIKCXNlZCAtaSAnL15NaW1lVHlwZS9kJyB0b29s cy93aW5lLmRlc2t0b3AgfHwgZGllICMxMTc3ODUKCWVwYXRjaCAiJHtGSUxFU0RJUn0iL3dpbmUt d21mLWV4cGxvaXQucGF0Y2gKfQoKY29uZmlnX2NhY2hlKCkgewoJbG9jYWwgaCBhbnM9Im5vIgoJ dXNlICQxICYmIGFucz0ieWVzIgoJc2hpZnQKCWZvciBoIGluICIkQCIgOyBkbwoJCVtbICR7aH0g PT0gKi5oIF1dIFwKCQkJJiYgaD1oZWFkZXJfJHtofSBcCgkJCXx8IGg9bGliXyR7aH0KCQlleHBv cnQgYWNfY3ZfJHtoLy9bOlwvLl0vX309JHthbnN9Cglkb25lCn0KCnNyY19jb21waWxlKCkgewoJ ZXhwb3J0IExEQ09ORklHPS9iaW4vdHJ1ZQoJdXNlIGFydHMgICAgfHwgZXhwb3J0IEFSVFNDQ09O RklHPSIiCgl1c2UgZXNkICAgICB8fCBleHBvcnQgRVNEQ09ORklHPSIiCgl1c2Ugc2Nhbm5lciB8 fCBleHBvcnQgc2FuZV9kZXZlbD0ibm8iCgljb25maWdfY2FjaGUgamFjayBqYWNrL2phY2suaAoJ Y29uZmlnX2NhY2hlIGN1cHMgY3Vwcy9jdXBzLmgKCWNvbmZpZ19jYWNoZSBhbHNhIGFsc2EvYXNv dW5kbGliLmggc3lzL2Fzb3VuZGxpYi5oIGFzb3VuZDpzbmRfcGNtX29wZW4KCWNvbmZpZ19jYWNo ZSBuYXMgYXVkaW8vYXVkaW9saWIuaCBhdWRpby9zb3VuZGxpYi5oCgljb25maWdfY2FjaGUgeG1s MiBsaWJ4bWwvcGFyc2VyLmggbGlieHNsdC9wYXR0ZXJuLmggbGlieHNsdC90cmFuc2Zvcm0uaAoJ Y29uZmlnX2NhY2hlIGxkYXAgbGRhcC5oIGxiZXIuaAoJY29uZmlnX2NhY2hlIGdpZiBnaWZfbGli LmgKCWNvbmZpZ19jYWNoZSBnbHV0IGdsdXQ6Z2x1dE1haW5Mb29wCgljb25maWdfY2FjaGUganBl ZyBqcGVnbGliLmgKCWNvbmZpZ19jYWNoZSBvc3Mgc3lzL3NvdW5kY2FyZC5oIG1hY2hpbmUvc291 bmRjYXJkLmggc291bmRjYXJkLmgKCWNvbmZpZ19jYWNoZSBsY21zIGxjbXMuaAoJdXNlIHg4NiAm JiBjb25maWdfY2FjaGUgdHJ1ZXR5cGUgZnJlZXR5cGU6RlRfSW5pdF9GcmVlVHlwZQoKCXN0cmlw LWZsYWdzCgl1c2UgbGNtcyAmJiBhcHBlbmQtZmxhZ3MgLUkiJHtST09UfSIvdXNyL2luY2x1ZGUv bGNtcwoKCSMJJCh1c2VfZW5hYmxlIGFtZDY0IHdpbjY0KQoJZWNvbmYgXAoJCUNDPSQodGMtZ2V0 Q0MpIFwKCQktLXN5c2NvbmZkaXI9L2V0Yy93aW5lIFwKCQkkKHVzZV93aXRoIG5jdXJzZXMgY3Vy c2VzKSBcCgkJJCh1c2Vfd2l0aCBvcGVuZ2wpIFwKCQkkKHVzZV93aXRoIFggeCkgXAoJCSQodXNl X2VuYWJsZSBkZWJ1ZyB0cmFjZSkgXAoJCSQodXNlX2VuYWJsZSBkZWJ1ZykgXAoJCXx8IGRpZSAi Y29uZmlndXJlIGZhaWxlZCIKCgllbWFrZSAtajEgZGVwZW5kIHx8IGRpZSAiZGVwZW5kIgoJZW1h a2UgYWxsIHx8IGRpZSAiYWxsIgp9CgpzcmNfaW5zdGFsbCgpIHsKCW1ha2UgXAoJCXByZWZpeD0i JHtEfSIvdXNyIFwKCQliaW5kaXI9IiR7RH0iL3Vzci9iaW4gXAoJCWRhdGFkaXI9IiR7RH0iL3Vz ci9zaGFyZSBcCgkJaW5jbHVkZWRpcj0iJHtEfSIvdXNyL2luY2x1ZGUvd2luZSBcCgkJc3lzY29u ZmRpcj0iJHtEfSIvZXRjL3dpbmUgXAoJCW1hbmRpcj0iJHtEfSIvdXNyL3NoYXJlL21hbiBcCgkJ bGliZGlyPSIke0R9Ii91c3IvJChnZXRfbGliZGlyKSBcCgkJZGxsZGlyPSIke0R9Ii91c3IvJChn ZXRfbGliZGlyKS93aW5lIFwKCQlpbnN0YWxsIHx8IGRpZQoKCWRvZG9jIEFOTk9VTkNFIEFVVEhP UlMgQlVHUyBDaGFuZ2VMb2cgREVWRUxPUEVSUy1ISU5UUyBSRUFETUUKfQoKcGtnX3Bvc3RpbnN0 KCkgewoJZWluZm8gIn4vLndpbmUvY29uZmlnIGlzIG5vdyBkZXByZWNhdGVkLiAgRm9yIGNvbmZp Z3VyYXRpb24gZWl0aGVyIHVzZSIKCWVpbmZvICJ3aW5lY2ZnIG9yIHJlZ2VkaXQgSEtDVVxcU29m dHdhcmVcXFdpbmUiCn0K