158217 2006-12-15 07:35 0000 net-dns/bind <9.3.3 : multiple remote DoS vulnerabilities 2007-03-31 18:23:54 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED INVALID http://www.isc.org/sw/bind/view?release=9.3.3 A3 [] Falco P2 normal --- 131337 1 alex@ghisoli.ch security@gentoo.org alpha@gentoo.org bugzilla@wright-family.me.uk cameron.brunner@gmail.com casta@xwing.info gengor@gentoo.org gustavoz@gentoo.org hardened@gentoo.org hermelin@ille.cz jnerin@gmail.com mips@gentoo.org sgtphou@fire-eyes.org voxus@gentoo.org alex@ghisoli.ch 2006-12-15 07:35:55 0000 ISC has a new bind version : http://www.isc.org/sw/bind/view?release=9.3.3 This new version fixe at least 2 vulnerabilities in the BIND name server could allow a remote attacker to cause a denial of service against an affected system. http://www.kb.cert.org/vuls/id/915404 http://www.kb.cert.org/vuls/id/697164 http://www.kb.cert.org/vuls/id/938617 alex@ghisoli.ch 2006-12-15 07:38:23 0000 Created an attachment (id=104090) Simple 9.3.3 ebuild This is my very dumb ebuild for version 9.3.3. jakub@gentoo.org 2006-12-15 07:57:24 0000 *** Bug 158216 has been marked as a duplicate of this bug. *** falco@gentoo.org 2006-12-15 14:27:46 0000 thanks Jakub. Hi Konstantin, this is a version bump request for you. voxus@gentoo.org 2006-12-17 09:54:30 0000 9.3.3 is committed. falco@gentoo.org 2006-12-17 15:23:11 0000 Thanks Konstantin. Hi arches, please test bind-9.3.3 and mark it stable if appropriate. falco@gentoo.org 2006-12-17 15:27:49 0000 arches, you may also want to test & stabilize bind-9.2.7 since it corrects another vulnerability in the 9.2.x branch: see bug 131337 fauli@gentoo.org 2006-12-18 00:35:34 0000 Both versions stable on x86 voxus@gentoo.org 2006-12-18 02:39:04 0000 x86: bind-tools must be in sync with bind. voxus@gentoo.org 2006-12-18 02:44:59 0000 bind{,-tools}-9.{2.7,3.3} amd64 stable. falco@gentoo.org 2006-12-18 02:55:46 0000 Sec team, after having deeply looked into the announcements, i think that the corrected vulnerabilities are old ones, which have already been corrected by patches in bind-9.3.2-r4 and bind-9.2.6-r4 ... except CVE-2006-2073 (TSIG DoS). But it is unclear which version does fix that TSIG DoS. It is possible that this vulnerability is not fixed yet. In that case, since the mentionned CVEs on [1] and [2] are : CVE-2006-4095 CVE-2006-4096 CAN-2005-0034 That would mean this bug is Invalid because these three CVEs have already been previously fixed by patches (9.3.2-r4 and 9.2.6-r4). Your opinion? [1] http://www.isc.org/index.pl?/sw/bind/view/?release=9.2.7 [2] http://www.isc.org/index.pl?/sw/bind/view/?release=9.3.3 fauli@gentoo.org 2006-12-18 03:01:34 0000 You can sort it out between yourselves...x86 is stable anyway with bind-tools too now. gustavoz@gentoo.org 2006-12-18 04:43:00 0000 bind-9.3.3 dies miserably on startup on my x86 hardened system: loki ~ # named -n 2 -u named -f named: stack smashing attack in function query_find() Aborted (core dumped) Portage 2.1.1-r2 (hardened/x86/2.6, gcc-3.4.6, glibc-2.3.6-r5, 2.6.17-hardened-r1 i686) ================================================================= System uname: 2.6.17-hardened-r1 i686 Intel(R) Xeon(TM) CPU 2.66GHz Gentoo Base System version 1.12.6 Last Sync: Mon, 18 Dec 2006 11:30:01 +0000 app-admin/eselect-compiler: [Not Present] dev-java/java-config: [Not Present] dev-lang/python: 2.4.3-r4 dev-python/pycrypto: 2.0.1-r5 dev-util/ccache: [Not Present] dev-util/confcache: [Not Present] sys-apps/sandbox: 1.2.17 sys-devel/autoconf: 2.13, 2.60 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2 sys-devel/binutils: 2.16.1-r3 sys-devel/gcc-config: 1.3.14 sys-devel/libtool: 1.5.22 virtual/os-headers: 2.6.17-r2 ACCEPT_KEYWORDS="x86" AUTOCLEAN="yes" CBUILD="i686-pc-linux-gnu" CFLAGS="-march=pentium3 -O2 -pipe" CHOST="i686-pc-linux-gnu" CONFIG_PROTECT="/etc /var/bind" CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo" CXXFLAGS="-march=pentium3 -O2 -pipe" DISTDIR="/usr/portage/distfiles" FEATURES="autoconfig distlocks metadata-transfer parallel-fetch sandbox sfperms strict userpriv usersandbox" GENTOO_MIRRORS="http://gentoo.osuosl.org http://distfiles.gentoo.org" LC_ALL="en_US.utf8" MAKEOPTS="-j5" PKGDIR="/usr/portage//packages/x86/" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage/" PORTDIR_OVERLAY="/usr/local/portage" SYNC="rsync://localhost/gentoo-portage" USE="a52 aac aalib acl apache2 bash-completion bcmath berkdb bzip2 caps cli cracklib crypt ctype cups curl dba dlloader ecc elibc_glibc encode exif extensions flash foomaticdb ftp gd gdbm gif gmp hardened hash hpn iconv idea idn imap imlib innodb input_devices_keyboard input_devices_mouse ipv6 jpeg jpeg2k kernel_linux lcms ldap libclamav mailwrapper mcal mhash milter ming mmx mpm-worker mysql mysqli ncurses network nls nptl oav ogg oscar pam pcre pear perl pic plotutils png ppds readline rle samba sasl session slp snmp spell spf sse ssl tcpd theora threads tiff tokenizer tools truetype unicode userland_GNU userlocales vhosts vorbis x86 xml xml2 xorg xsl xvid zip zlib" Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LDFLAGS, LINGUAS, PORTAGE_RSYNC_EXTRA_OPTS voxus@gentoo.org 2006-12-18 05:01:42 0000 gustavoz: yep, reproducible. cc'ing hardened. == Portage 2.1.1-r2 (hardened/x86/2.6, gcc-3.4.6, glibc-2.3.6-r5, 2.6.17-hardened-r1 i686) ================================================================= System uname: 2.6.17-hardened-r1 i686 Intel(R) Pentium(R) 4 CPU 3.00GHz Gentoo Base System version 1.12.6 Last Sync: Mon, 18 Dec 2006 11:00:01 +0000 distcc 2.18.3 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled] ccache version 2.3 [enabled] app-admin/eselect-compiler: [Not Present] dev-java/java-config: [Not Present] dev-lang/python: 2.4.3-r4 dev-python/pycrypto: 2.0.1-r5 dev-util/ccache: 2.3 dev-util/confcache: [Not Present] sys-apps/sandbox: 1.2.17 sys-devel/autoconf: 2.13, 2.60 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2 sys-devel/binutils: 2.16.1-r3 sys-devel/gcc-config: 1.3.14 sys-devel/libtool: 1.5.22 virtual/os-headers: 2.6.17-r2 ACCEPT_KEYWORDS="x86" AUTOCLEAN="yes" CBUILD="i686-pc-linux-gnu" CFLAGS="-mtune=pentium4 -march=pentium4 -Os -pipe" CHOST="i686-pc-linux-gnu" CONFIG_PROTECT="/etc /var/bind" CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo" CXXFLAGS="-O2 -mcpu=i386 -pipe -fforce-addr" DISTDIR="/usr/portage/distfiles" FEATURES="autoconfig ccache distlocks metadata-transfer prelink sandbox sfperms strict" GENTOO_MIRRORS="http://gentoo.shadanakar.org/ http://distfiles.gentoo.org/" MAKEOPTS="-j3" PKGDIR="/usr/portage//packages/x86/" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage/" PORTDIR_OVERLAY="/opt/overlay" SYNC="rsync://rsync.gentoo.org/gentoo-portage" USE="bash-completion bzip2 dlloader elibc_glibc hardened input_devices_keyboard input_devices_mouse kernel_linux logrotate nptl nptlonly offensive pam pic readline ssl threads unicode userland_GNU userlocales vhosts x86 xorg zlib" Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, LINGUAS, PORTAGE_RSYNC_EXTRA_OPTS gustavoz@gentoo.org 2006-12-18 05:39:12 0000 sparc stable - i'll stay around for the x86-hardened one. casta@xwing.info 2006-12-18 09:37:23 0000 Confirm the problem on hardened kernel (hardened-sources-2.6.19-r1) grsec enabled (all RBAC policies disabled) : Dec 18 09:33:45 xwing grsec: From 192.168.14.10: signal 6 sent to /usr/sbin/named[named:28981] uid/euid:40/40 gid/egid:40/40, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0 by /usr/sbin/named[named:625] uid/euid:40/40 gid/egid:40/40, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0 Dec 18 09:33:45 xwing grsec: From 192.168.14.10: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /usr/sbin/named[named:28981] uid/euid:40/40 gid/egid:40/40, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0 corsair@gentoo.org 2006-12-18 12:16:31 0000 ppc64 stable cameron.brunner@gmail.com 2006-12-19 00:41:14 0000 9.3.3 is EXTREMELY unstable locally on a hardened x86 box, just masked it do have core files here from it, no idea how to actually backtrace them tho, if anyone wants them or wants me to do something to them just tell me what bind runs in chroot Portage 2.1.1-r2 (hardened/x86/2.6, gcc-3.4.6, glibc-2.3.6-r5, 2.6.19-hardened-r1 i686) ================================================================= System uname: 2.6.19-hardened-r1 i686 AMD Athlon(tm) XP 2400+ Gentoo Base System version 1.12.6 Last Sync: Tue, 19 Dec 2006 01:47:01 +0000 app-admin/eselect-compiler: [Not Present] dev-java/java-config: [Not Present] dev-lang/python: 2.4.3-r4 dev-python/pycrypto: 2.0.1-r5 dev-util/ccache: [Not Present] dev-util/confcache: [Not Present] sys-apps/sandbox: 1.2.17 sys-devel/autoconf: 2.13, 2.60 sys-devel/automake: 1.5, 1.6.3, 1.8.5-r3, 1.9.6-r2 sys-devel/binutils: 2.16.1-r3 sys-devel/gcc-config: 1.3.14 sys-devel/libtool: 1.5.22 virtual/os-headers: 2.6.17-r2 ACCEPT_KEYWORDS="x86" AUTOCLEAN="yes" CBUILD="i686-pc-linux-gnu" CFLAGS="-Os -march=athlon-xp -pipe" CHOST="i686-pc-linux-gnu" CONFIG_PROTECT="/etc /var/bind /var/qmail/alias /var/qmail/control /var/vpopmail/domains /var/vpopmail/etc" CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo" CXXFLAGS="-Os -march=athlon-xp -pipe" DISTDIR="/usr/portage/distfiles" FEATURES="autoconfig distlocks metadata-transfer sandbox sfperms strict" GENTOO_MIRRORS="http://ftp.iinet.net.au/linux/Gentoo/ http://gentoo.osuosl.org/" LDFLAGS="-Wl,-O1 -Wl,--enable-new-dtags -Wl,--sort-common" PKGDIR="/usr/portage//packages/x86/" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage/" PORTDIR_OVERLAY="/usr/local/overlays/qmr-portage /usr/portage/local/layman/php-testing /usr/portage/local/layman/php-experimental /usr/portage/local/layman/postgresql-testing /usr/portage/local/layman/xeffects /usr/portage/local/layman/xeffects-experimental" SYNC="rsync://rsync.gentoo.org/gentoo-portage" USE="apache2 authdaemond bash-completion berkdb crypt dlloader elibc_glibc fam graphviz hardened idea imap input_devices_keyboard input_devices_mouse ithreads jpeg jpeg2k kernel_linux logrotate maildir nptl nptlonly pam pic rc5 readline ssl tcpd threads urandom userland_GNU userlocales valias vhosts x86 xorg zlib" Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LINGUAS, MAKEOPTS, PORTAGE_RSYNC_EXTRA_OPTS hermelin@ille.cz 2006-12-19 10:12:47 0000 Portage 2.1.1-r2 (default-linux/amd64/2006.1, gcc-3.4.6, glibc-2.3.6-r4, 2.6.17.13 x86_64) ================================================================= System uname: 2.6.17.13 x86_64 AMD Opteron(tm) Processor 246 Gentoo Base System version 1.12.6 Last Sync: Tue, 19 Dec 2006 17:30:01 +0000 app-admin/eselect-compiler: [Not Present] dev-java/java-config: [Not Present] dev-lang/python: 2.4.3-r4 dev-python/pycrypto: 2.0.1-r5 dev-util/ccache: [Not Present] dev-util/confcache: [Not Present] sys-apps/sandbox: 1.2.17 sys-devel/autoconf: 2.13, 2.60 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2 sys-devel/binutils: 2.16.1-r3 sys-devel/gcc-config: 1.3.14 sys-devel/libtool: 1.5.22 virtual/os-headers: 2.6.11-r2 ACCEPT_KEYWORDS="amd64" AUTOCLEAN="yes" CBUILD="x86_64-pc-linux-gnu" CFLAGS="-march=athlon64 -O2 -pipe" CHOST="x86_64-pc-linux-gnu" CONFIG_PROTECT="/etc /var/bind" CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo" CXXFLAGS="-O2 -pipe" DISTDIR="/usr/portage/distfiles" FEATURES="autoconfig distlocks metadata-transfer sandbox sfperms strict" GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo" PKGDIR="/usr/portage/packages" PORTAGE_RSYNC_EXTRA_OPTS="--exclude-from=/etc/portage/rsync_excludes" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/local/portage" SYNC="rsync://rsync.gentoo.org/gentoo-portage" USE="X509 accessibility acl acpi adns aim amd64 apache2 apm berkdb bitmap-fonts bzlib calendar chroot cli cracklib crypt cscope ctype cups curl curlwrappers dba dbm dbx dedicated dio dlloader dri elibc_glibc erandom exif fam fastcgi fftw flatfile foomaticdb fortran freedts ftp gd gdbm gif gps hardened imap imlib inifile innodb input_devices_evdev input_devices_keyboard input_devices_mouse ipv6 isdnlog ithreads jabber jikes jpeg justify kerberos kernel_linux libedit libwww maildir mailwrapper mbox mcal mcve memlimit mhash mime ming mmap mng msession mysql mysqli ncurses nis nls nocardbus nptl nptlonly odbc offensive pam pcntl pcre pdflib perl php pic pie png posix pppd prelude pwdb python readline recode reflection sasl session sftplogging simplexml skey snmp sockets spell spl ssl sysvipc szip tcpd threads tidy tiff tokensizer truetype-fonts type1-fonts udev unicode usb userland_GNU vhosts video_cards_apm video_cards_ark video_cards_ati video_cards_chips video_cards_cirrus video_cards_cyrix video_cards_dummy video_cards_fbdev video_cards_glint video_cards_i128 video_cards_i810 video_cards_mga video_cards_neomagic video_cards_nv video_cards_rendition video_cards_s3 video_cards_s3virge video_cards_savage video_cards_siliconmotion video_cards_sis video_cards_sisusb video_cards_tdfx video_cards_tga video_cards_trident video_cards_tseng video_cards_v4l video_cards_vesa video_cards_vga video_cards_via video_cards_vmware video_cards_voodoo wmf xml xml-rpc xml2 xorg xsl zeo zlib" Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, LINGUAS, MAKEOPTS I yesterday tried upgrade to bind 9.3.3 [ebuild U ] net-dns/bind-9.3.3 [9.3.2-r4] USE="berkdb idn ipv6 mysql odbc ssl threads -dlz -doc -ldap -postgres -resolvconf% (-selinux)" 0 kB After upgrade a restart named but after few seconds crashed down without any errors in my daemond logs. Version 9.3.2-r4 works great. dertobi123@gentoo.org 2006-12-19 12:27:58 0000 ppc stable, nixnut tested on hardened/ppc and couldn't reproduce any errors. voxus@gentoo.org 2006-12-20 12:54:59 0000 wrt comment #10 - i think, we should mask bind-9.3.3 until stability issues are sorted out. ? killerfox@gentoo.org 2006-12-20 13:54:23 0000 stable on hppa. voxus@gentoo.org 2006-12-21 06:37:53 0000 so i'm going to mask bind/bind-tools 9.2.7/9.3.3 tomorrow, 22-12-2006, since there are no objections against it. falco@gentoo.org 2006-12-21 07:17:31 0000 (In reply to comment #22) > so i'm going to mask bind/bind-tools 9.2.7/9.3.3 tomorrow, 22-12-2006, since > there are no objections against it. > As you want. I think there is no security issue in the portage tree fixed with these versions. I'll close that bug as Invalid unless someone disagrees here. voxus@gentoo.org 2006-12-22 02:08:06 0000 bind{,-tools}-9.{2.7,3.3} masked. jnerin@gmail.com 2007-01-02 01:24:04 0000 Well, I have the same problem, bind-9.3.3 was only capable of answering the first request for a local domain, after answering it died with "named: stack smashing attack in function query_find()", I reported it in bug 158664 comment #8, you have to run named from command line in order to see the error. I think the problem could be in the -O flag of gcc I was able to run bind-9.3.3 stable downgrading from -O2 to just -O. I'm using bind chrooted in a hardened amd64. falco@gentoo.org 2007-01-07 21:53:43 0000 Closing as Invalid since 9.3.3 brings no security fix; please follow bug 158664 if you are concerned about the 9.3.3 stack smashing issues. Feel free to reopen if you disagree armin76@gentoo.org 2007-03-31 18:23:54 0000 ia64 done 104090 2006-12-15 07:38 0000 Simple 9.3.3 ebuild bind-9.3.3.ebuild text/plain IyBDb3B5cmlnaHQgMTk5OS0yMDA2IEdlbnRvbyBGb3VuZGF0aW9uCiMgRGlzdHJpYnV0ZWQgdW5k ZXIgdGhlIHRlcm1zIG9mIHRoZSBHTlUgR2VuZXJhbCBQdWJsaWMgTGljZW5zZSB2MgojICRIZWFk ZXI6JAoKaW5oZXJpdCBldXRpbHMgbGlidG9vbCBhdXRvdG9vbHMKCkRMWl9WRVJTSU9OPSI5LjMu MmIxIgpNWV9QPSIke1B9IgpNWV9QVj0iJHtQVn0iCgpERVNDUklQVElPTj0iQklORCAtIEJlcmtl bGV5IEludGVybmV0IE5hbWUgRG9tYWluIC0gTmFtZSBTZXJ2ZXIiCkhPTUVQQUdFPSJodHRwOi8v d3d3LmlzYy5vcmcvcHJvZHVjdHMvQklORC9iaW5kOS5odG1sIgpTUkNfVVJJPSJmdHA6Ly9mdHAu aXNjLm9yZy9pc2MvYmluZDkvJHtNWV9QVn0vJHtNWV9QfS50YXIuZ3oKCWRvYz8gKCBtaXJyb3I6 Ly9nZW50b28vZHluZG5zLXNhbXBsZXMudGJ6MiApCglkbHo/ICggaHR0cDovL2Rldi5nZW50b28u b3JnL352b3h1cy9iaW5kL2N0cml4X2Rsel8ke0RMWl9WRVJTSU9OfS5wYXRjaC5iejIgKSIKCkxJ Q0VOU0U9ImFzLWlzIgpTTE9UPSIwIgpLRVlXT1JEUz0ifmFscGhhIH5hbWQ2NCB+YXJtIH5ocHBh IH5pYTY0IH5taXBzIH5wcGMgfnBwYzY0IH5zMzkwIH5zaCB+c3BhcmMgfng4NiB+eDg2LWZic2Qi CklVU0U9InNzbCBpcHY2IGRvYyBkbHogcG9zdGdyZXMgYmVya2RiIG15c3FsIG9kYmMgbGRhcCBz ZWxpbnV4IGlkbiB0aHJlYWRzIgoKREVQRU5EPSJzc2w/ICggPj1kZXYtbGlicy9vcGVuc3NsLTAu OS42ZyApCglteXNxbD8gKCA+PXZpcnR1YWwvbXlzcWwtNC4wICkKCW9kYmM/ICggPj1kZXYtZGIv dW5peE9EQkMtMi4yLjYgKQoJbGRhcD8gKCBuZXQtbmRzL29wZW5sZGFwICkiCgpSREVQRU5EPSIk e0RFUEVORH0KCXNlbGludXg/ICggc2VjLXBvbGljeS9zZWxpbnV4LWJpbmQgKSIKClM9JHtXT1JL RElSfS8ke01ZX1B9Cgpwa2dfc2V0dXAoKSB7Cgl1c2UgdGhyZWFkcyAmJiB7CgkJZWNobwoJCWV3 YXJuICJJZiB5b3UncmUgaW4gdnNlcnZlciBlbnZpcm9tZW50LCB5b3UncmUgcHJvYmFibHkgd2Fu dCB0byIKCQlld2FybiAiZGlzYWJsZSB0aHJlYWRzIHN1cHBvcnQgYmVjYXVzZSBvZiBsaW51eCBj YXBhYmlsaXRpZXMgZGVwZW5kZW5jeSIKCQllY2hvCgl9CgoJZWJlZ2luICJDcmVhdGluZyBuYW1l ZCBncm91cCBhbmQgdXNlciIKCWVuZXdncm91cCBuYW1lZCA0MAoJZW5ld3VzZXIgbmFtZWQgNDAg LTEgL2V0Yy9iaW5kIG5hbWVkCgllZW5kICR7P30KfQoKc3JjX3VucGFjaygpIHsKCXVucGFjayAk e0F9CgljZCAiJHtTfSIKCgkjIEFkanVzdGluZyBQQVRIcyBpbiBtYW5wYWdlcwoJZm9yIGkgaW4g YmluL3tuYW1lZC9uYW1lZC44LGNoZWNrL25hbWVkLWNoZWNrY29uZi44LHJuZGMvcm5kYy44fSA7 IGRvCgkJc2VkIC1pIFwKCQkJLWUgJ3M6L2V0Yy9uYW1lZC5jb25mOi9ldGMvYmluZC9uYW1lZC5j b25mOmcnIFwKCQkJLWUgJ3M6L2V0Yy9ybmRjLmNvbmY6L2V0Yy9iaW5kL3JuZGMuY29uZjpnJyBc CgkJCS1lICdzOi9ldGMvcm5kYy5rZXk6L2V0Yy9iaW5kL3JuZGMua2V5OmcnIFwKCQkJIiR7aX0i Cglkb25lCgoJdXNlIGRseiAmJiB7CgkJZXBhdGNoICR7RElTVERJUn0vY3RyaXhfZGx6XyR7RExa X1ZFUlNJT059LnBhdGNoLmJ6MgoJCWVwYXRjaCAke0ZJTEVTRElSfS8ke1BOfS1kbHpiZGItaW5j bHVkZXMucGF0Y2gKCgkJdXNlIG9kYmMgJiYgZXBhdGNoICR7RklMRVNESVJ9LyR7UH0tbWlzc2lu Z19vZGJjX3Rlc3QucGF0Y2gKCX0KCgl1c2UgaWRuICYmIGVwYXRjaCAke1N9L2NvbnRyaWIvaWRu L2lkbmtpdC0xLjAtc3JjL3BhdGNoL2JpbmQ5LyR7UH0tcGF0Y2gKCgkjIHNob3VsZCBiZSBpbnN0 YWxsZWQgYnkgYmluZC10b29scwoJc2VkIC1lICJzOm5zdXBkYXRlIDo6ZyIgLWkgJHtTfS9iaW4v TWFrZWZpbGUuaW4KCglXQU5UX0FVVE9DT05GPTIuNSBBVF9OT19SRUNVUlNJVkU9MSBlYXV0b3Jl Y29uZiB8fCBkaWUgImVhdXRvcmVjb25mIGZhaWxlZCIKCgkjIGJ1ZyAjMTUxODM5CglzZWQgXAoJ CS1lICdzOkNERUZJTkVTID0gOkNERUZJTkVTID0gLVVTT19CU0RDT01QQVQ6JyBcCgkJLWkgbGli L2lzYy91bml4L01ha2VmaWxlLmluCn0KCnNyY19jb21waWxlKCkgewoJbG9jYWwgbXljb25mPSIi CgoJdXNlIHNzbCAmJiBteWNvbmY9IiR7bXljb25mfSAtLXdpdGgtb3BlbnNzbCIKCgl1c2UgZGx6 ICYmIHsKCQlteWNvbmY9IiR7bXljb25mfSAtLXdpdGgtZGx6LWZpbGVzeXN0ZW0gLS13aXRoLWRs ei1zdHViIgoJCXVzZSBwb3N0Z3JlcyAmJiBteWNvbmY9IiR7bXljb25mfSAtLXdpdGgtZGx6LXBv c3RncmVzIgoJCXVzZSBteXNxbCAmJiBteWNvbmY9IiR7bXljb25mfSAtLXdpdGgtZGx6LW15c3Fs IgoJCXVzZSBiZXJrZGIgJiYgbXljb25mPSIke215Y29uZn0gLS13aXRoLWRsei1iZGIiCgkJdXNl IGxkYXAgICYmIG15Y29uZj0iJHtteWNvbmZ9IC0td2l0aC1kbHotbGRhcCIKCQl1c2Ugb2RiYyAg JiYgbXljb25mPSIke215Y29uZn0gLS13aXRoLWRsei1vZGJjIgoJfQoKCWlmIHVzZSB0aHJlYWRz OyB0aGVuCgkJaWYgdXNlIGRseiAmJiB1c2UgbXlzcWw7IHRoZW4KCQkJZWNobwoJCQlld2FybiAi IgoJCQllaW5mbyAiTXlTUUwgdXNlcyB0aHJlYWQgbG9jYWwgc3RvcmFnZSBpbiBpdHMgQyBhcGku IFRodXMgTXlTUUwiCgkJCWVpbmZvICJyZXF1aXJlcyB0aGF0IGVhY2ggdGhyZWFkIG9mIGFuIGFw cGxpY2F0aW9uIGV4ZWN1dGUgYSBNeVNRTCIKCQkJZWluZm8gIlwidGhyZWFkIGluaXRpYWxpemF0 aW9uXCIgdG8gc2V0dXAgdGhlIHRocmVhZCBsb2NhbCBzdG9yYWdlLiIKCQkJZWluZm8gIlRoaXMg aXMgaW1wb3NzaWJsZSB0byBkbyBzYWZlbHkgd2hpbGUgc3RheWluZyB3aXRoaW4gdGhlIERMWiIK CQkJZWluZm8gImRyaXZlciBBUEkuIFRoaXMgaXMgYSBsaW1pdGF0aW9uIGNhdXNlZCBieSBNeVNR TCwgYW5kIG5vdCIKCQkJZWluZm8gInRoZSBETFogQVBJLiIKCQkJZXdhcm4gIkJlY2F1c2Ugb2Yg dGhpcyBCSU5EIE1VU1Qgb25seSBydW4gd2l0aCBhIHNpbmdsZSB0aHJlYWQgd2hlbiIKCQkJZXdh cm4gInVzaW5nIHRoZSBNeVNRTCBkcml2ZXIuIgoJCQllY2hvCgkJCW15Y29uZj0iJHtteWNvbmZ9 IC0tZGlzYWJsZS1saW51eC1jYXBzIC0tZGlzYWJsZS10aHJlYWRzIgoJCQllaW5mbyAiVGhyZWFk aW5nIHN1cHBvcnQgZGlzYWJsZWQiCgkJCWVwYXVzZSAxMAoJCWVsc2UKCQkJbXljb25mPSIke215 Y29uZn0gLS1lbmFibGUtbGludXgtY2FwcyAtLWVuYWJsZS10aHJlYWRzIgoJCQllaW5mbyAiVGhy ZWFkaW5nIHN1cHBvcnQgZW5hYmxlZCIKCQlmaQoJZWxzZQoJCW15Y29uZj0iJHtteWNvbmZ9IC0t ZGlzYWJsZS1saW51eC1jYXBzIC0tZGlzYWJsZS10aHJlYWRzIgoJZmkKCgllY29uZiBcCgkJLS1z eXNjb25mZGlyPS9ldGMvYmluZCBcCgkJLS1sb2NhbHN0YXRlZGlyPS92YXIgXAoJCS0td2l0aC1s aWJ0b29sIFwKCQlgdXNlX2VuYWJsZSBpcHY2YCBcCgkJJHtteWNvbmZ9IHx8IGRpZSAiZWNvbmYg ZmFpbGVkIgoKCWVtYWtlIC1qMSB8fCBkaWUgImZhaWxlZCB0byBjb21waWxlIGJpbmQiCgoJdXNl IGlkbiAmJiB7CgkJY2QgJHtTfS9jb250cmliL2lkbi9pZG5raXQtMS4wLXNyYwoJCWVjb25mIHx8 IGRpZSAiaWRuIGVjb25mIGZhaWxlZCIKCQllbWFrZSB8fCBkaWUgImlkbiBlbWFrZSBmYWlsZWQi Cgl9Cn0KCnNyY19pbnN0YWxsKCkgewoJZWluc3RhbGwgfHwgZGllICJmYWlsZWQgdG8gaW5zdGFs bCBiaW5kIgoKCWRvZG9jIENIQU5HRVMgQ09QWVJJR0hUIEZBUSBSRUFETUUKCgl1c2UgZG9jICYm IHsKCQlkb2NpbnRvIG1pc2MKCQlkb2RvYyBkb2MvbWlzYy8qCgoJCWRvY2ludG8gaHRtbAoJCWRv aHRtbCBkb2MvYXJtLyoKCgkJZG9jaW50bwlkcmFmdAoJCWRvZG9jIGRvYy9kcmFmdC8qCgoJCWRv Y2ludG8gcmZjCgkJZG9kb2MgZG9jL3JmYy8qCgoJCWRvY2ludG8gY29udHJpYgoJCWRvZG9jIGNv bnRyaWIvbmFtZWQtYm9vdGNvbmYvbmFtZWQtYm9vdGNvbmYuc2ggXAoJCQljb250cmliL25hbm55 L25hbm55LnBsCgoJCSMgc29tZSBoYW5keS1kYW5keSBkeW5hbWljIGRucyBleGFtcGxlcwoJCWNk ICR7RH0vdXNyL3NoYXJlL2RvYy8ke1BGfQoJCXRhciBwanhmICR7RElTVEZJTEVTfS9keW5kbnMt c2FtcGxlcy50YnoyCgl9CgoJaW5zaW50byAvZXRjL2Vudi5kCgluZXdpbnMgJHtGSUxFU0RJUn0v MTBiaW5kLmVudiAxMGJpbmQKCglkb2RpciAvZXRjL2JpbmQgL3Zhci9iaW5kL3twcmksc2VjfQoJ a2VlcGRpciAvdmFyL2JpbmQvc2VjCgoJaW5zaW50byAvZXRjL2JpbmQgOyBuZXdpbnMgJHtGSUxF U0RJUn0vbmFtZWQuY29uZi1yMyBuYW1lZC5jb25mCgoJIyBmdHA6Ly9mdHAucnMuaW50ZXJuaWMu bmV0L2RvbWFpbi9uYW1lZC5jYToKCWluc2ludG8gL3Zhci9iaW5kIDsgZG9pbnMgJHtGSUxFU0RJ Un0vbmFtZWQuY2EKCglpbnNpbnRvIC92YXIvYmluZC9wcmkKCWRvaW5zICR7RklMRVNESVJ9LzEy Ny56b25lCgluZXdpbnMgJHtGSUxFU0RJUn0vbG9jYWxob3N0LnpvbmUtcjEgbG9jYWxob3N0Lnpv bmUKCgljcCAke0ZJTEVTRElSfS9uYW1lZC5pbml0LXI0ICR7VH0vbmFtZWQgJiYgZG9pbml0ZCAk e1R9L25hbWVkCgljcCAke0ZJTEVTRElSfS9uYW1lZC5jb25mZC1yMSAke1R9L25hbWVkICYmIGRv Y29uZmQgJHtUfS9uYW1lZAoKCWRvc3ltIC4uLy4uL3Zhci9iaW5kL25hbWVkLmNhIC92YXIvYmlu ZC9yb290LmNhY2hlCglkb3N5bSAuLi8uLi92YXIvYmluZC9wcmkgL2V0Yy9iaW5kL3ByaQoJZG9z eW0gLi4vLi4vdmFyL2JpbmQvc2VjIC9ldGMvYmluZC9zZWMKCglpZiB1c2UgaWRuOyB0aGVuCgkJ Y2QgJHtTfS9jb250cmliL2lkbi9pZG5raXQtMS4wLXNyYwoJCWVpbnN0YWxsIHx8IGRpZSAiZmFp bGVkIHRvIGluc3RhbGwgaWRuIGtpdCIKCQlkb2NpbnRvIGlkbgoJCWRvZG9jIENoYW5nZUxvZyBJ TlNUQUxMeywuamF9IFJFQURNRXssLmphfSBORVdTCglmaQoKCSMgTGV0J3MgZ2V0IHJpZCBvZiB0 aG9zZSB0b29scyBhbmQgdGhlaXIgbWFucGFnZXMgc2luY2UgdGhleSdyZSBwcm92aWRlZCBieSBi aW5kLXRvb2xzCglybSAtZiAke0R9L3Vzci9zaGFyZS9tYW4vbWFuMS97ZGlnLjEsaG9zdC4xLG5z bG9va3VwLjF9CglybSAtZiAke0R9L3Vzci9iaW4ve2RpZyxob3N0LG5zbG9va3VwfQp9Cgpwa2df cG9zdGluc3QoKSB7CglpZiBbICEgLWYgJy9ldGMvYmluZC9ybmRjLmtleScgXTsgdGhlbgoJCWlm IFsgLWMgL2Rldi91cmFuZG9tIF07IHRoZW4KCQkJZWluZm8gIlVzaW5nIC9kZXYvdXJhbmRvbSBm b3IgZ2VuZXJhdGluZyBybmRjLmtleSIKCQkJL3Vzci9zYmluL3JuZGMtY29uZmdlbiAtciAvZGV2 L3VyYW5kb20gLWEgLXUgbmFtZWQKCQkJZWNobwoJCWVsc2UKCQkJZWluZm8gIlVzaW5nIC9kZXYv cmFuZG9tIGZvciBnZW5lcmF0aW5nIHJuZGMua2V5IgoJCQkvdXNyL3NiaW4vcm5kYy1jb25mZ2Vu IC1hIC11IG5hbWVkCgkJCWVjaG8KCQlmaQoJZmkKCglpbnN0YWxsIC1kIC1vIG5hbWVkIC1nIG5h bWVkICR7Uk9PVH0vdmFyL3J1bi9uYW1lZCBcCgkJJHtST09UfS92YXIvYmluZC9wcmkgJHtST09U fS92YXIvYmluZC9zZWMKCWNob3duIC1SIG5hbWVkOm5hbWVkICR7Uk9PVH0vdmFyL2JpbmQKCgll aW5mbyAiVGhlIGRlZmF1bHQgem9uZSBmaWxlcyBhcmUgbm93IGluc3RhbGxlZCBhcyAqLnpvbmUs IgoJZWluZm8gImJlIGNhcmVmdWwgbWVyZ2luZyBjb25maWcgZmlsZXMgaWYgeW91IGhhdmUgbW9k aWZpZWQiCgllaW5mbyAiL3Zhci9iaW5kL3ByaS8xMjcgb3IgL3Zhci9iaW5kL3ByaS9sb2NhbGhv c3QiCgllaW5mbwoJZWluZm8gIllvdSBjYW4gZWRpdCAvZXRjL2NvbmYuZC9uYW1lZCB0byBjdXN0 b21pemUgbmFtZWQgc2V0dGluZ3MiCgllaW5mbwoJZWluZm8gIlRoZSBCSU5EIGVidWlsZCBub3cg aW5jbHVkZXMgY2hyb290IHN1cHBvcnQuIgoJZWluZm8gIklmIHlvdSBsaWtlIHRvIHJ1biBiaW5k IGluIGNocm9vdCBBTkQgdGhpcyBpcyBhIG5ldyBpbnN0YWxsIE9SIgoJZWluZm8gInlvdXIgYmlu ZCBkb2Vzbid0IGFscmVhZHkgcnVuIGluIGNocm9vdCwgc2ltcGx5IHJ1bjoiCgllaW5mbyAiXGBl bWVyZ2UgLS1jb25maWcgJz0ke0NBVEVHT1JZfS8ke1BGfSdcYCIKCWVpbmZvICJCZWZvcmUgcnVu bmluZyB0aGUgYWJvdmUgY29tbWFuZCB5b3UgbWlnaHQgd2FudCB0byBjaGFuZ2UgdGhlIGNocm9v dCIKCWVpbmZvICJkaXIgaW4gL2V0Yy9jb25mLmQvbmFtZWQuIE90aGVyd2lzZSAvY2hyb290L2Ru cyB3aWxsIGJlIHVzZWQuIgoJZWNobwoJZWluZm8gIlJlY2VudGx5IHZlcmlzaWduIGFkZGVkIGEg d2lsZGNhcmQgQSByZWNvcmQgdG8gdGhlIC5DT00gYW5kIC5ORVQgVExEIgoJZWluZm8gInpvbmVz IG1ha2luZyBhbGwgLmNvbSBhbmQgLm5ldCBkb21haW5zIGFwcGVhciB0byBiZSByZWdpc3RlcmVk IgoJZWluZm8gIlRoaXMgY2F1c2VzIG1hbnkgcHJvYmxlbXMgc3VjaCBhcyBicmVha2luZyBpbXBv cnRhbnQgYW50aS1zcGFtIGNoZWNrcyIKCWVpbmZvICJ3aGljaCB2ZXJpZnkgc291cmNlIGRvbWFp bnMgZXhpc3QuIElTQyByZWxlYXNlZCBhIHBhdGNoIGZvciBCSU5EIHdoaWNoIgoJZWluZm8gImFk ZHMgJ2RlbGVnYXRpb24tb25seScgem9uZXMgdG8gYWxsb3cgYWRtaW5zIHRvIHJldHVybiB0aGUg LmNvbSBhbmQgLm5ldCIKCWVpbmZvICJkb21haW4gcmVzb2x1dGlvbiB0byB0aGVpciBub3JtYWwg ZnVuY3Rpb24uIgoJZWNobwoJZWluZm8gIlRoZXJlIGlzIG5vIG5lZWQgdG8gY3JlYXRlIGEgY29t IG9yIG5ldCBkYXRhIGZpbGUuIEp1c3QgdGhlIgoJZWluZm8gImVudHJpZXMgdG8gdGhlIG5hbWVk LmNvbmYgZmlsZSBpcyBlbm91Z2guIgoJZWNobwoJZWluZm8gIgl6b25lICJjb20iIElOIHsgdHlw ZSBkZWxlZ2F0aW9uLW9ubHk7IH07IgoJZWluZm8gIgl6b25lICJuZXQiIElOIHsgdHlwZSBkZWxl Z2F0aW9uLW9ubHk7IH07IgoKCWVjaG8KCWV3YXJuICJCSU5EID49OS4yLjUgbWFrZXMgdGhlIHBy aW9yaXR5IGFyZ3VtZW50IHRvIE1YIHJlY29yZHMgbWFuZGF0b3J5IgoJZXdhcm4gIndoZW4gaXQg d2FzIHByZXZpb3VzbHkgb3B0aW9uYWwuICBJZiB0aGUgcHJpb3JpdHkgaXMgbWlzc2luZywgQklO RCIKCWV3YXJuICJ3b24ndCBsb2FkIHRoZSB6b25lIGZpbGUgYXQgYWxsLiIKCWVjaG8KfQoKcGtn X2NvbmZpZygpIHsKCUNIUk9PVD1gc2VkIC1uICdzL15bWzpibGFuazpdXVw/Q0hST09UPSJcKFte Il1cK1wpIi9cMS9wJyAvZXRjL2NvbmYuZC9uYW1lZCAyPi9kZXYvbnVsbGAKCUVYSVNUUz0ibm8i CgoJaWYgWyAteiAiJHtDSFJPT1R9IiAtYSAhIC1kICIvY2hyb290L2RucyIgXTsgdGhlbgoJCUNI Uk9PVD0iL2Nocm9vdC9kbnMiCgllbGlmIFsgLWQgJHtDSFJPT1R9IF07IHRoZW4KCQllZXJyb3I7 IGVlcnJvciAiJHtDSFJPT1Q6LS9jaHJvb3QvZG5zfSBhbHJlYWR5IGV4aXN0cy4gUXVpdHRpbmcu IjsgZWVycm9yOyBFWElTVFM9InllcyIKCWZpCgoJaWYgWyAhICIkRVhJU1RTIiA9IHllcyBdOyB0 aGVuCgkJZWluZm8gOyBlaW5mb24gIlNldHRpbmcgdXAgdGhlIGNocm9vdCBkaXJlY3RvcnkuLi4i CgkJbWtkaXIgLW0gNzAwIC1wICR7Q0hST09UfQoJCW1rZGlyIC1wICR7Q0hST09UfS97ZGV2LGV0 Yyx2YXIvcnVuL25hbWVkfQoJCWNob3duIC1SIG5hbWVkOm5hbWVkICR7Q0hST09UfS92YXIvcnVu L25hbWVkCgkJY3AgLVIgL2V0Yy9iaW5kICR7Q0hST09UfS9ldGMvCgkJY3AgL2V0Yy9sb2NhbHRp bWUgJHtDSFJPT1R9L2V0Yy9sb2NhbHRpbWUKCQljaG93biBuYW1lZDpuYW1lZCAke0NIUk9PVH0v ZXRjL2JpbmQvcm5kYy5rZXkKCQljcCAtUiAvdmFyL2JpbmQgJHtDSFJPT1R9L3Zhci8KCQljaG93 biAtUiBuYW1lZDpuYW1lZCAke0NIUk9PVH0vdmFyLwoJCW1rbm9kICR7Q0hST09UfS9kZXYvemVy byBjIDEgNQoJCW1rbm9kICR7Q0hST09UfS9kZXYvcmFuZG9tIGMgMSA4CgkJY2htb2QgNjY2ICR7 Q0hST09UfS9kZXYve3JhbmRvbSx6ZXJvfQoJCWNob3duIHJvb3Q6bmFtZWQgJHtDSFJPT1R9CgkJ Y2htb2QgMDc1MCAke0NIUk9PVH0KCgkJZ3JlcCAtcSAiXiNbWzpibGFuazpdXVw/Q0hST09UIiAv ZXRjL2NvbmYuZC9uYW1lZCA7IFJFVFZBTD0kPwoJCWlmIFsgJFJFVFZBTCA9IDAgXTsgdGhlbgoJ CQlzZWQgJ3MvXiMgXD9cKENIUk9PVC4qXCkkL1wxLycgL2V0Yy9jb25mLmQvbmFtZWQgPiAvZXRj L2NvbmYuZC9uYW1lZC5vcmlnIDI+L2Rldi9udWxsCgkJCW12IC0tZm9yY2UgL2V0Yy9jb25mLmQv bmFtZWQub3JpZyAvZXRjL2NvbmYuZC9uYW1lZAoJCWZpCgoJCXNsZWVwIDE7IGVjaG8gIiBEb25l LiI7IHNsZWVwIDEKCQllaW5mbwoJCWVpbmZvICJBZGQgdGhlIGZvbGxvd2luZyB0byB5b3VyIHJv b3QgLmJhc2hyYyBvciAuYmFzaF9wcm9maWxlOiAiCgkJZWluZm8gIiAgIGFsaWFzIHJuZGM9J3Ju ZGMgLWsgJHtDSFJPT1R9L2V0Yy9iaW5kL3JuZGMua2V5JyIKCQllaW5mbyAiVGhlbiBkbyB0aGUg Zm9sbG93aW5nOiAiCgkJZWluZm8gIiAgIHNvdXJjZSAvcm9vdC8uYmFzaHJjIG9yIC5iYXNoX3By b2ZpbGUiCgkJZWluZm8KCWZpCn0K