167706 2007-02-20 01:02 0000 app-office/gnucash < 2.0.5 insecure temp file (CVE-2007-0007) 2007-04-09 18:51:19 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://sourceforge.net/project/shownotes.php?release_id=487446 B3 [noglsa] jaervosz P2 minor --- 161781 162010 1 aetius@gentoo.org security@gentoo.org avuton@gmail.com gnome-office@gentoo.org hkbst@gentoo.org seemant@gentoo.org aetius@gentoo.org 2007-02-20 01:02:46 0000 http://secunia.com/advisories/24225/ Apparently a typical symlink attack. Secunia says local privilege escalation - I have a hard time seeing that, but local user exploitation might be useful. Fix is to update to 2.0.5 (their current stable). I'll try to have a look at the exact vulnerability if I get a chance tomorrow. aetius@gentoo.org 2007-02-20 11:52:34 0000 setting status. aetius@gentoo.org 2007-03-04 00:53:38 0000 Ok 2.0.5 is in the tree, thanks seemant & dsd. Arches, please stabilize 2.0.5 . tester@gentoo.org 2007-03-04 01:47:35 0000 This new version of gnucash pulls in these: dev-scheme/guile-1.8.1-r3 dev-scheme/slib-3.1.1-r1 dev-libs/g-wrap-1.9.6-r3 most worrying is dev-scheme/guile-1.8.1-r3 which was added to the tree today.. I'm not very convertable with the idea of stabilizing it. Would it be possible to make an ebuild that depends on guile-1.6 (like there is for gnucash-2.0.4) ticho@gentoo.org 2007-03-04 09:30:49 0000 (In reply to comment #3) > most worrying is dev-scheme/guile-1.8.1-r3 which was added to the tree today.. > I'm not very convertable with the idea of stabilizing it. Would it be possible > to make an ebuild that depends on guile-1.6 (like there is for gnucash-2.0.4) > Then stabilize -r1 (which has been in the tree since Jan 25th), as gnucash-2.0.5 wants >=dev-scheme/guile-1.8. For g-wrap, I would go with 1.9.6-r1, because since then, hkBst started breaking ChangeLog format badly, which makes me uncomfortable. For slib, x86 will stay with 3.1.1, which is currently marked stable, unless suggested otherwise by maintainers or security. I'm off to test now. ticho@gentoo.org 2007-03-04 09:35:25 0000 (In reply to comment #4) I synced the tree again, and... > Then stabilize -r1 (which has been in the tree since Jan 25th), as > gnucash-2.0.5 wants >=dev-scheme/guile-1.8. Gah, -r1 no longer in the tree. > For g-wrap, I would go with 1.9.6-r1, because since then, hkBst started > breaking ChangeLog format badly, which makes me uncomfortable. Same here, only -r3 available, in the tree for 2 days. > For slib, x86 will stay with 3.1.1, which is currently marked stable, unless > suggested otherwise by maintainers or security. At least this still stands. So, I'm joining Oliver in his worries about too new packages. hkbst@gentoo.org 2007-03-04 11:17:22 0000 (In reply to comment #3) > This new version of gnucash pulls in these: > dev-scheme/guile-1.8.1-r3 there are still a few open bugs which are easy to fix by adding use flag checking for "deprecated" and for beast and geda depending on guile-1.6*. All this stuff has been detected because guile-1.8.1 has been in the tree since 22 Jan 2007. Tests still fail though. > dev-scheme/slib-3.1.1-r1 no reason not to stable. It installs some more files than slib-3.1.1 does, so it works with guile-1.6.8 also. > dev-libs/g-wrap-1.9.6-r3 The bug where reinstalling g-wrap broke it was only recently fixed. I've removed all versions which suffered from this. Tests still fail, probably because of missing guile lib. Gnucash is the only package depending on g-wrap. G-wrap has been in the tree since 19 Jan 2007. fauli@gentoo.org 2007-03-08 10:56:01 0000 g-wrap: * QA Notice: The following files contain executable stacks * Files with executable stacks will not work properly (or at all!) * on some architectures/operating systems. A bug should be filed * at http://bugs.gentoo.org/ to make sure the file is fixed. * For more information, see http://hardened.gentoo.org/gnu-stack.xml * Please include this file in your report: * /var/tmp/portage/dev-libs/g-wrap-1.9.6-r3/temp/scanelf-execstack.log * RWX --- --- usr/lib/libffi.so.4.0.1 gnucash: grep: /usr/lib/libguile-ltdl.la: No such file or directory /bin/sed: can't read /usr/lib/libguile-ltdl.la: No such file or directory libtool: link: `/usr/lib/libguile-ltdl.la' is not a valid libtool archive make[4]: *** [libgw-core-utils.la] Error 1 make[4]: Leaving directory `/var/tmp/portage/app-office/gnucash-2.0.5/work/gnucash-2.0.5/src/core-utils' make[3]: *** [all] Error 2 make[3]: Leaving directory `/var/tmp/portage/app-office/gnucash-2.0.5/work/gnucash-2.0.5/src/core-utils' make[2]: *** [all-recursive] Error 1 make[2]: Leaving directory `/var/tmp/portage/app-office/gnucash-2.0.5/work/gnucash-2.0.5/src' make[1]: *** [all-recursive] Error 1 make[1]: Leaving directory `/var/tmp/portage/app-office/gnucash-2.0.5/work/gnucash-2.0.5' make: *** [all] Error 2 !!! ERROR: app-office/gnucash-2.0.5 failed. Call stack: ebuild.sh, line 1614: Called dyn_compile ebuild.sh, line 971: Called qa_call 'src_compile' environment, line 3517: Called src_compile gnucash-2.0.5.ebuild, line 83: Called die [ebuild R ] dev-scheme/guile-1.8.1-r3 USE="deprecated discouraged elisp networking nls regex threads -debug -debug-freelist -debug-malloc" 0 kB [ebuild N ] app-office/gnucash-2.0.5 USE="chipcard doc hbci nls ofx quotes -debug" 0 kB mlangc@gmx.at 2007-03-11 21:04:07 0000 on x86 (and most likely any other arch): " # emerge -av =app-office/gnucash-2.0.5 These are the packages that would be merged, in order: Calculating dependencies \ !!! Multiple versions within a single package slot have been !!! pulled into the dependency graph: ('ebuild', '/', 'dev-scheme/guile-1.6.7', 'merge') pulled in by ('ebuild', '/', 'dev-scheme/slib-3.1.1', 'merge') ('ebuild', '/', 'dev-scheme/guile-1.8.1-r3', 'merge') pulled in by ('ebuild', '/', 'dev-libs/g-wrap-1.9.6-r3', 'merge') [...] " make sure that you don't have dev-scheme/guile installed when trying to reproduce. Portage 2.1.2.2 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.5-r0, 2.6.19-gentoo-r5 i686) ================================================================= System uname: 2.6.19-gentoo-r5 i686 AMD Athlon(tm) XP 2400+ Gentoo Base System release 1.12.9 Timestamp of tree: Sun, 11 Mar 2007 18:50:01 +0000 distcc 2.18.3 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled] dev-java/java-config: 1.3.7, 2.0.31 dev-lang/python: 2.4.3-r4 dev-python/pycrypto: 2.0.1-r5 sys-apps/sandbox: 1.2.17 sys-devel/autoconf: 2.13, 2.61 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10 sys-devel/binutils: 2.16.1-r3 sys-devel/gcc-config: 1.3.14 sys-devel/libtool: 1.5.22 virtual/os-headers: 2.6.17-r2 ACCEPT_KEYWORDS="x86" AUTOCLEAN="yes" CBUILD="i686-pc-linux-gnu" CFLAGS="-march=athlon-xp -O2 -pipe" CHOST="i686-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config" CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c" CXXFLAGS="-march=athlon-xp -O2 -pipe" DISTDIR="/usr/portage/distfiles" FEATURES="autoconfig collision-protect distlocks metadata-transfer sandbox sfperms strict" GENTOO_MIRRORS="http://gentoo.ynet.sk/pub " LANG="en_US.utf8" LC_ALL="en_US.utf8" LINGUAS="en de" MAKEOPTS="-j2" PKGDIR="/usr/portage/packages" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/local/portage" SYNC="rsync://192.168.0.1/gentoo-portage" USE="3dnow 3dnowext X a52 aac acpi aiglx alsa audiofile avahi beagle berkdb bitmap-fonts bzip2 cairo cdr cli cracklib crypt css cups dbus dlloader dri dvd dvdr dvdread eds emboss encode evo exif fam fbcon ffmpeg firefox flac fortran gdbm gif ginac gmp gnome gnutls gphoto2 gpm gstreamer gtk gtk2 hal iconv icq ipod ipv6 isdnlog java javascript jpeg jpeg2k lcms ldap libg++ mad midi mikmod mime mmx mmxext mono mozsvg mp3 mpeg msn nautilus ncurses nfs nls nptl nptlonly nsplugin nvidia offensive ogg oggvorbis opengl pam pcre pdf perl plotutils png posix ppds pppd python qt3 qt4 quicktime readline real reflection ruby sdl session sockets spell spl sqlite3 sse ssl subtitles svg tcpd tetex theora threads tiff truetype truetype-fonts type1-fonts unicode usb vcd vorbis win32codecs wma x86 xine xml xorg xv xvid zlib" ELIBC="glibc" INPUT_DEVICES="keyboard mouse" KERNEL="linux" LINGUAS="en de" USERLAND="GNU" VIDEO_CARDS="nvidia" Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS hkbst@gentoo.org 2007-03-13 19:08:46 0000 Created an attachment (id=113206) patch against 2.0.5 ebuild I was able to compile with the following changes to gnucash-2.0.5.ebuild: RDEPEND=">=dev-libs/glib-2.4.0 - >=dev-scheme/guile-1.8 - =dev-scheme/slib-3.1.1* + ~dev-scheme/guile-1.6.8 + =dev-scheme/slib-3.1.1-r1 >=sys-libs/zlib-1.1.4 >=dev-libs/popt-1.5 >=x11-libs/gtk+-2.4 @@ -54,9 +54,9 @@ pkg_setup() { built_with_use gnome-extra/libgsf gnome || die "gnome-extra/libgsf must be built with gnome" built_with_use x11-libs/goffice gnome || die "x11-libs/goffice must be built with gnome" - if ! built_with_use dev-scheme/guile regex deprecated discouraged; then - die "dev-scheme/guile must be built with USE=\"regex deprecated discouraged\"" - fi +# if ! built_with_use dev-scheme/guile regex deprecated discouraged; then +# die "dev-scheme/guile must be built with USE=\"regex deprecated discouraged\"" +# fi hkbst@gentoo.org 2007-03-13 19:10:32 0000 Created an attachment (id=113207) patched gnucash-2.0.5.ebuild I had to re-emerge g-wrap after downgrading guile to make gnucash not fail to compile. hkbst@gentoo.org 2007-03-14 10:26:32 0000 Also please don't check for discouraged flag when checking for deprecated flag already. It is implied. fauli@gentoo.org 2007-03-14 10:38:56 0000 Also adding gnome-office, as they are in metadata.xml, too With hkbst's changes it emerges and works. hkbst@gentoo.org 2007-03-14 11:28:43 0000 (In reply to comment #7) > gnucash: > > grep: /usr/lib/libguile-ltdl.la: No such file or directory > /bin/sed: can't read /usr/lib/libguile-ltdl.la: No such file or directory > libtool: link: `/usr/lib/libguile-ltdl.la' is not a valid libtool archive Since gnucash-2.0.5 is already in testing I take it not everybody is getting this. Is that correct? hkbst@gentoo.org 2007-03-20 18:40:42 0000 I've created bug 171603 for my compile issues. wolf31o2@gentoo.org 2007-03-22 22:07:01 0000 Sorry, but could I get a definitive list of what we should be doing here so we can move on this? Thanks dertobi123@gentoo.org 2007-03-25 08:10:45 0000 (In reply to comment #15) > Sorry, but could I get a definitive list of what we should be doing here so we > can move on this? +1 Also the ~ppc keyword (and alpha/ia64 ones ...) has been dropped in >=gnucash-2.0.4. Has it been dropped just by mistake or is there any reason for it? jaervosz@gentoo.org 2007-03-25 08:26:09 0000 Ok, according to my understanding we need ppc, x86 and sparc to mark stable (see Status Whiteboard). If that is not possible we'll go back to ebuild status and ask maintainers for input. Arches is it possible for you to mark stable? fauli@gentoo.org 2007-03-25 22:34:12 0000 (In reply to comment #17) > Arches is it possible for you to mark stable? Not as long as guile 1.8 is requested by gnucash 2.0.5, as it fails with that on my system (see comment #7, but not with 1.6*) and version 1.8 has more issues with several other programs. hkbst@gentoo.org 2007-03-26 10:01:34 0000 (In reply to comment #16) > Also the ~ppc keyword (and alpha/ia64 ones ...) has been dropped in > >=gnucash-2.0.4. Has it been dropped just by mistake or is there any reason for > it? they've been dropped pending g-wrap rekeywording. hkbst@gentoo.org 2007-03-26 10:02:58 0000 (In reply to comment #18) > on my system (see comment #7, but not with 1.6*) and version 1.8 has more > issues with several other programs. Christian, try re-emerging g-wrap. gustavoz@gentoo.org 2007-03-26 14:33:55 0000 So hummm, what do we have to do here? mlangc@gmx.at 2007-03-27 00:42:54 0000 on x86: after several interruptions due dependencies on particular USE flags and failed tests (see bug 163894, bug 164266) i was able to merge: app-office/gnucash-2.0.5 USE="nls -chipcard -debug -doc -hbci -ofx -quotes" with dev-libs/g-wrap-1.9.6-r3 dev-scheme/guile-1.8.1-r3 USE="deprecated discouraged nls regex threads -debug -debug-freelist -debug-malloc -elisp -networking" to be honest, i expected gnucash to immediately die with some sort of fatal error, and was quite a bit surprised as this didn't happen, but i was introduced to a rather big application, with a nice looking gui, that contained lot's of buttons and menus i've no clue about. as i have never worked with a similar application before, don't own a bank or do some fancy stock market stuff, i couldn't do more, then verify that i'm not able to crash the program with my unguided mouse clicks ;-) jaervosz@gentoo.org 2007-03-27 06:40:04 0000 Back to ebuild status to get an ebuild arches can mark stable. Seemant/gnome-office it is possible to backport the fix to our latest stable version? fauli@gentoo.org 2007-03-27 08:14:48 0000 So after rebuilding the dependencies correctly, gnucash 2.0.5 works on my system with guile 1.8. hkbst, could guile 1.8 go stable instead of backporting the patch? hkbst@gentoo.org 2007-03-27 08:29:37 0000 (In reply to comment #24) > So after rebuilding the dependencies correctly, gnucash 2.0.5 works on my > system with guile 1.8. hkbst, could guile 1.8 go stable instead of backporting > the patch? My statements in comment #6 are still valid. I think it would be better to make gnucash also accept guile-1.6.8 and stabilize that version. seemant@gentoo.org 2007-03-27 13:18:29 0000 done, but slib needs to go stable first now jaervosz@gentoo.org 2007-03-28 06:11:26 0000 Thx Seemant. Arches please test and mark stable. Target keywords are: dev-scheme/slib-3.1.1.ebuild:KEYWORDS="alpha amd64 ia64 ppc sparc x86" Or later revisions. gnucash-2.0.5.ebuild:KEYWORDS="alpha amd64 ia64 ppc sparc x86" I hope this covers everything. fauli@gentoo.org 2007-03-28 06:12:23 0000 !!! ERROR: app-office/gnucash-2.0.5 failed. Call stack: ebuild.sh, line 1630: Called dyn_setup ebuild.sh, line 702: Called qa_call 'pkg_setup' ebuild.sh, line 38: Called pkg_setup gnucash-2.0.5.ebuild, line 57: Called built_with_use '=dev-scheme/guile-1.8*' 'regex' 'deprecated' 'discouraged' eutils.eclass, line 1654: Called die !!! Unable to resolve =dev-scheme/guile-1.8* to an installed package !!! If you need support, post the topmost build error, and the call stack if relevant. !!! A complete build log is located at '/var/tmp/portage/app-office/gnucash-2.0.5/temp/build.log'. seemant, the USE flag check is b0rked now. If I have guile 1.6 the check will jaervosz@gentoo.org 2007-03-28 08:07:07 0000 Back to ebuild again it seems. Seemant please fix and readd arches. hkbst@gentoo.org 2007-03-28 11:10:23 0000 I've taken the liberty to fix the guile use flag checking and changed the slib dependency to a version that works with guile-1.6.8. fauli@gentoo.org 2007-03-28 13:34:39 0000 (In reply to comment #30) > I've taken the liberty to fix the guile use flag checking and changed the slib > dependency to a version that works with guile-1.6.8. Here we go again. jaervosz@gentoo.org 2007-03-28 13:36:51 0000 Great, then lets get arches rocking again. fauli@gentoo.org 2007-03-28 15:04:53 0000 x86 ends the endless odysee gustavoz@gentoo.org 2007-03-28 21:46:12 0000 sparc stable. dertobi123@gentoo.org 2007-03-31 10:50:47 0000 gnucash-2.0.5 ~ppc'd for now, i'll mark it stable in a few days or so. If we're in a hurry I'm also fine with marking it stable right now as gnucash is working as expected, just tell me what you want me to do :P (but as this is "only" B3 i expect we have some time left for some testing efforts ..) jaervosz@gentoo.org 2007-03-31 12:02:21 0000 Tobias a few days is ok since we still need amd64 and alpha. Just post again on this bug when you mark it stable. dertobi123@gentoo.org 2007-04-04 17:57:51 0000 (In reply to comment #36) > Tobias a few days is ok since we still need amd64 and alpha. Just post again on > this bug when you mark it stable. > ppc stable wolf31o2@gentoo.org 2007-04-04 19:33:37 0000 alpha/amd64 stable... can't get ia64 due to bug #162010 not being fixed just yet aetius@gentoo.org 2007-04-05 17:48:22 0000 Thanks everyone - security, please vote for GLSA. I vote no - it's a local issue, and I have a hard time seeing lots of people running gnucash on a shared machine (although situations like LTSP would exist). py@gentoo.org 2007-04-05 17:50:50 0000 voting no as well. dragonheart@gentoo.org 2007-04-06 02:06:55 0000 concur with no vote. aetius@gentoo.org 2007-04-06 11:28:00 0000 updating status. armin76@gentoo.org 2007-04-09 18:00:17 0000 ia64 doesn't want gnucash/g-wrap anymore. Feel free to remove the old version of gnucash/g-wrap. falco@gentoo.org 2007-04-09 18:51:19 0000 Vote no too and closing. Feel free to reopen if you disagree. 113206 2007-03-13 19:08 0000 patch against 2.0.5 ebuild patch text/plain LS0tIC9ob21lL21hcmlqbi9jdnMvZ2VudG9vLXg4Ni9hcHAtb2ZmaWNlL2dudWNhc2gvZ251Y2Fz aC0yLjAuNS5lYnVpbGQJMjAwNy0wMi0yNiAyMzowMzo1MC4wMDAwMDAwMDAgKzAxMDAKKysrIC4v Z251Y2FzaC0yLjAuNS5lYnVpbGQJMjAwNy0wMy0xMyAyMDowNDozOS4wMDAwMDAwMDAgKzAxMDAK QEAgLTE4LDggKzE4LDggQEAKIElVU0U9Im9meCBoYmNpIGNoaXBjYXJkIGRvYyBkZWJ1ZyBxdW90 ZXMgbmxzIgogCiBSREVQRU5EPSI+PWRldi1saWJzL2dsaWItMi40LjAKLQk+PWRldi1zY2hlbWUv Z3VpbGUtMS44Ci0JPWRldi1zY2hlbWUvc2xpYi0zLjEuMSoKKwl+ZGV2LXNjaGVtZS9ndWlsZS0x LjYuOAorCT1kZXYtc2NoZW1lL3NsaWItMy4xLjEtcjEKIAk+PXN5cy1saWJzL3psaWItMS4xLjQK IAk+PWRldi1saWJzL3BvcHQtMS41CiAJPj14MTEtbGlicy9ndGsrLTIuNApAQCAtNTQsOSArNTQs OSBAQAogcGtnX3NldHVwKCkgewogCWJ1aWx0X3dpdGhfdXNlIGdub21lLWV4dHJhL2xpYmdzZiBn bm9tZSB8fCBkaWUgImdub21lLWV4dHJhL2xpYmdzZiBtdXN0IGJlIGJ1aWx0IHdpdGggZ25vbWUi CiAJYnVpbHRfd2l0aF91c2UgeDExLWxpYnMvZ29mZmljZSBnbm9tZSB8fCBkaWUgIngxMS1saWJz L2dvZmZpY2UgbXVzdCBiZSBidWlsdCB3aXRoIGdub21lIgotCWlmICEgYnVpbHRfd2l0aF91c2Ug ZGV2LXNjaGVtZS9ndWlsZSByZWdleCBkZXByZWNhdGVkIGRpc2NvdXJhZ2VkOyB0aGVuCi0JCWRp ZSAiZGV2LXNjaGVtZS9ndWlsZSBtdXN0IGJlIGJ1aWx0IHdpdGggVVNFPVwicmVnZXggZGVwcmVj YXRlZCBkaXNjb3VyYWdlZFwiIgotCWZpCisjCWlmICEgYnVpbHRfd2l0aF91c2UgZGV2LXNjaGVt ZS9ndWlsZSByZWdleCBkZXByZWNhdGVkIGRpc2NvdXJhZ2VkOyB0aGVuCisjCQlkaWUgImRldi1z Y2hlbWUvZ3VpbGUgbXVzdCBiZSBidWlsdCB3aXRoIFVTRT1cInJlZ2V4IGRlcHJlY2F0ZWQgZGlz Y291cmFnZWRcIiIKKyMJZmkKIH0KIAogc3JjX2NvbXBpbGUoKSB7Cg== 113207 2007-03-13 19:10 0000 patched gnucash-2.0.5.ebuild gnucash-2.0.5.ebuild text/plain IyBDb3B5cmlnaHQgMTk5OS0yMDA3IEdlbnRvbyBGb3VuZGF0aW9uCiMgRGlzdHJpYnV0ZWQgdW5k ZXIgdGhlIHRlcm1zIG9mIHRoZSBHTlUgR2VuZXJhbCBQdWJsaWMgTGljZW5zZSB2MgojICRIZWFk ZXI6IC92YXIvY3Zzcm9vdC9nZW50b28teDg2L2FwcC1vZmZpY2UvZ251Y2FzaC9nbnVjYXNoLTIu MC41LmVidWlsZCx2IDEuNCAyMDA3LzAyLzI2IDIyOjAzOjUwIGRhbmcgRXhwICQKCmluaGVyaXQg ZXV0aWxzIGdub21lMgoKRE9DX1ZFUj0iMi4wLjEiCgpERVNDUklQVElPTj0iQSBwZXJzb25hbCBm aW5hbmNlIG1hbmFnZXIuIgpIT01FUEFHRT0iaHR0cDovL3d3dy5nbnVjYXNoLm9yZy8iClNSQ19V Ukk9Im1pcnJvcjovL3NvdXJjZWZvcmdlLyR7UE59LyR7UH0udGFyLmJ6MgoJbWlycm9yOi8vc291 cmNlZm9yZ2UvJHtQTn0vJHtQTn0tZG9jcy0ke0RPQ19WRVJ9LnRhci5iejIiCgpTTE9UPSIwIgpM SUNFTlNFPSJHUEwtMiIKS0VZV09SRFM9In5hbWQ2NCB+c3BhcmMgfng4NiIKCklVU0U9Im9meCBo YmNpIGNoaXBjYXJkIGRvYyBkZWJ1ZyBxdW90ZXMgbmxzIgoKUkRFUEVORD0iPj1kZXYtbGlicy9n bGliLTIuNC4wCgl+ZGV2LXNjaGVtZS9ndWlsZS0xLjYuOAoJPWRldi1zY2hlbWUvc2xpYi0zLjEu MS1yMQoJPj1zeXMtbGlicy96bGliLTEuMS40Cgk+PWRldi1saWJzL3BvcHQtMS41Cgk+PXgxMS1s aWJzL2d0aystMi40Cgk+PWdub21lLWJhc2UvbGliZ25vbWV1aS0yLjQKCT49Z25vbWUtYmFzZS9s aWJnbm9tZXByaW50LTIuMTAKCT49Z25vbWUtYmFzZS9saWJnbm9tZXByaW50dWktMi4xMAoJPj1n bm9tZS1iYXNlL2xpYmdsYWRlLTIuNAoJPj1nbm9tZS1leHRyYS9ndGtodG1sLTMuMTAuMQoJPj1k ZXYtbGlicy9saWJ4bWwyLTIuNS4xMAoJPWRldi1saWJzL2ctd3JhcC0xLjkuNioKCT49Z25vbWUt YmFzZS9nY29uZi0yCgk+PWFwcC10ZXh0L3Njcm9sbGtlZXBlci0wLjMKCT49eDExLWxpYnMvZ29m ZmljZS0wLjAuNAoJZ25vbWUtZXh0cmEveWVscAoJb2Z4PyAoID49ZGV2LWxpYnMvbGlib2Z4LTAu Ny4wICkKCWhiY2k/ICggbmV0LWxpYnMvYXFiYW5raW5nCgkJY2hpcGNhcmQ/ICggc3lzLWxpYnMv bGliY2hpcGNhcmQgKQoJKQoJcXVvdGVzPyAoIGRldi1wZXJsL0RhdGVNYW5pcAoJCT49ZGV2LXBl cmwvRmluYW5jZS1RdW90ZS0xLjExCgkJZGV2LXBlcmwvSFRNTC1UYWJsZUV4dHJhY3QgKQoJYXBw LXRleHQvZG9jYm9vay14c2wtc3R5bGVzaGVldHMKCT1hcHAtdGV4dC9kb2Nib29rLXhtbC1kdGQt NC4xLjIqCglubHM/ICggZGV2LXV0aWwvaW50bHRvb2wgKSIKCkRFUEVORD0iJHtSREVQRU5EfQoJ ZG9jPyAoIGFwcC1kb2MvZG94eWdlbgoJCW1lZGlhLWdmeC9ncmFwaHZpegoJCXZpcnR1YWwvdGV0 ZXggKQoJZGV2LXV0aWwvcGtnY29uZmlnIgoKcGtnX3NldHVwKCkgewoJYnVpbHRfd2l0aF91c2Ug Z25vbWUtZXh0cmEvbGliZ3NmIGdub21lIHx8IGRpZSAiZ25vbWUtZXh0cmEvbGliZ3NmIG11c3Qg YmUgYnVpbHQgd2l0aCBnbm9tZSIKCWJ1aWx0X3dpdGhfdXNlIHgxMS1saWJzL2dvZmZpY2UgZ25v bWUgfHwgZGllICJ4MTEtbGlicy9nb2ZmaWNlIG11c3QgYmUgYnVpbHQgd2l0aCBnbm9tZSIKIwlp ZiAhIGJ1aWx0X3dpdGhfdXNlIGRldi1zY2hlbWUvZ3VpbGUgcmVnZXggZGVwcmVjYXRlZCBkaXNj b3VyYWdlZDsgdGhlbgojCQlkaWUgImRldi1zY2hlbWUvZ3VpbGUgbXVzdCBiZSBidWlsdCB3aXRo IFVTRT1cInJlZ2V4IGRlcHJlY2F0ZWQgZGlzY291cmFnZWRcIiIKIwlmaQp9CgpzcmNfY29tcGls ZSgpIHsKCglsb2NhbCBteWNvbmYKCglpZiB1c2UgZG9jIDsgdGhlbgoJCW15Y29uZj0iJHtteWNv bmZ9IC0tZW5hYmxlLWxhdGV4LWRvY3MiCglmaQoKCgllY29uZiBcCgkJJCh1c2VfZW5hYmxlIGRl YnVnKSBcCgkJJCh1c2VfZW5hYmxlIG9meCkgXAoJCSQodXNlX2VuYWJsZSBkb2MgZG94eWdlbikg XAoJCSQodXNlX2VuYWJsZSBkb2MgaHRtbC1kb2NzKSBcCgkJJCh1c2VfZW5hYmxlIGRvYyBkb3Qp IFwKCQkkKHVzZV9lbmFibGUgaGJjaSkgXAoJCSQodXNlX2VuYWJsZSBoYmNpIG10OTQwKSBcCgkJ LS1lbmFibGUtbG9jYWxlLXNwZWNpZmljLXRheCBcCgkJJHtteWNvbmZ9IHx8IGRpZSAiZWNvbmYg ZmFpbGVkIgoKCU1BS0VPUFRTPSItajEiCgllbWFrZSB8fCBkaWUgImVtYWtlIGZhaWxlZCIKCglj ZCAiJHtXT1JLRElSfS9nbnVjYXNoLWRvY3MtJHtET0NfVkVSfSIKCWVjb25mIHx8IGRpZSAiZG9j IGVjb25mIGZhaWxlZCIKCWVtYWtlIHx8IGRpZSAiZG9jIGVtYWtlIGZhaWxlZCIKfQoKc3JjX3Rl c3QoKSB7CgllaW5mbyAiU2tpcHBpbmcgdGVzdHMgYmVjYXVzZSBvbmUgb2YgdGhlIHVwc3RyZWFt IHRlc3RzIGlzIGJyb2tlbiIKCWVpbmZvICJQbGVhc2UgcmVmZXJlbmNlOiBodHRwczovL2J1Z3Mu Z2VudG9vLm9yZy9zaG93X2J1Zy5jZ2k/aWQ9MTQ2NzY5I2MxIgoJZWluZm8gIldlIGhhdmUgYSBm aWxlZCBhIGJ1ZyB1cHN0cmVhbS4JV2hlbiB0aGF0IGlzIHJlc29sdmVkLCIKCWVpbmZvICJXZSB3 aWxsIHJlLWVuYWJsZSB0aGUgdGVzdHMuIgp9CgojIFNlZSBodHRwOi8vYnVncy5nZW50b28ub3Jn L3Nob3dfYnVnLmNnaT9pZD0xMzI4NjIgcmVnYXJkaW5nIGdjb25mIHNjaGVtYSBpbnN0YWxsCgpz cmNfaW5zdGFsbCgpIHsKCWdub21lMl9zcmNfaW5zdGFsbCB8fCBkaWUgImdub21lMl9zcmNfaW5z dGFsbCBmYWlsZWQiCglkb2RvYyBBVVRIT1JTIENoYW5nZUxvZyogRE9DVU1FTlRFUlMgSEFDS0lO RyBJTlNUQUxMIE5FV1MgVE9ETyBSRUFETUUqIGRvYy9SRUFETUUqCgltYWtlX2Rlc2t0b3BfZW50 cnkgJHtQfSAiR251Q2FzaCAke1BWfSIgZ251Y2FzaC1pY29uLnBuZyAiR05PTUU7T2ZmaWNlO0Zp bmFuY2UiCgoJY2QgIiR7V09SS0RJUn0vJHtQTn0tZG9jcy0ke0RPQ19WRVJ9IgoJbWFrZSBERVNU RElSPSIke0R9IiBcCgkJc2Nyb2xsa2VlcGVyX2xvY2Fsc3RhdGVfZGlyPSIke0R9L3Zhci9saWIv c2Nyb2xsa2VlcGVyIiBcCgkJaW5zdGFsbCB8fCBkaWUgImRvYyBpbnN0YWxsIGZhaWxlZCIKCXJt IC1yZiAiJHtEfS92YXIvbGliL3Njcm9sbGtlZXBlciIKfQoKcGtnX3Bvc3RpbnN0KCkgewoJZWxv ZyAiUGxlYXNlIG5vdGUgdGhhdCBwb3N0Z3Jlc3FsIHN1cHBvcnQgaGFzIGJlZW4gcmVtb3ZlZC4i CgllbG9nICJQbGVhc2Ugc2VlOiBodHRwczovL2J1Z3MuZ2VudG9vLm9yZy9zaG93X2J1Zy5jZ2k/ aWQ9MTQ2NzY5I2M5IgoJZWxvZyAiZm9yIGFuIGV4cGxhbmF0aW9uLiIKfQo=