232831 CVE-2008-3651 2008-07-24 11:21 0000 net-firewall/ipsec-tools <0.7.1 racoon DoS (CVE-2008-3651,CVE-2008-3652) 2008-12-02 17:50:42 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://marc.info/?l=ipsec-tools-devel&m=121688914101709&w=2 B3 [glsa] P2 normal --- 213695 1 natanael.copa@gmail.com security@gentoo.org craig@gentoo.org crypto@gentoo.org maintainer-needed@gentoo.org netmon@gentoo.org ole+gentoo@ans.pl wschlich@gentoo.org natanael.copa@gmail.com 2008-07-24 11:21:44 0000 From ipsec-tools mailing list Ipsec-tools 0.7.1 is out, with some fixes and features, which includes a fix for memory leak when receiving invalid proposals. As this leak may lead to a DoS (it will take time.... but it can be done in some configurations), everybody is advised to update to this version ASAP. Archives are available here ftp://ftp.netbsd.org/pub/NetBSD/misc/ipsec-tools/0.7/ipsec-tools-0.7.1.tar.bz2 (please have a look at http://www.netbsd.org/mirrors/#ftp). and soon here: http://prdownloads.sourceforge.net/ipsec-tools/ipsec-tools-0.7.1.tar.bz2 darkside@gentoo.org 2008-07-24 12:40:43 0000 Maintainer-needed package. py@gentoo.org 2008-07-24 13:02:38 0000 (In reply to comment #1) > Maintainer-needed package. > so it should be assigned to maintainer-needed, not security :) py@gentoo.org 2008-07-24 13:04:24 0000 (In reply to comment #2) > (In reply to comment #1) > > Maintainer-needed package. > > > so it should be assigned to maintainer-needed, not security :) > err, didn't catch the DoS issue. sorry for the bugspam. thoger@redhat.com 2008-07-25 12:39:14 0000 This seems to be an upstream patch: http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/dist/ipsec-tools/src/racoon/proposal.c.diff?r1=1.15&r2=1.16&f=h natanael.copa@gmail.com 2008-07-25 13:59:00 0000 (In reply to comment #4) > This seems to be an upstream patch: > http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/dist/ipsec-tools/src/racoon/proposal.c.diff?r1=1.15&r2=1.16&f=h > well... as i understand, the fix is included in 0.7.1. version bump should be enough. rbu@gentoo.org 2008-08-15 13:34:06 0000 CVE-2008-3651 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3651): Memory leak in racoon/proposal.c in the racoon daemon in ipsec-tools before 0.7.1 allows remote authenticated users to cause a denial of service (memory consumption) via invalid proposals. rbu@gentoo.org 2008-08-15 13:38:05 0000 hardened, netmon: Would you be willing to maintain this package? rbu@gentoo.org 2008-08-15 13:39:18 0000 CVE-2008-3652 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3652): src/racoon/handler.c in racoon in ipsec-tools does not remove an "orphaned ph1" (phase 1) handle when it has been initiated remotely, which allows remote attackers to cause a denial of service (resource consumption). craig@gentoo.org 2008-09-05 13:02:59 0000 A fix would be cool. Isn't security@gentoo.org in charge when there is no maintainer?! Well, you usually firewall your IKE-Ports for Point-to-Point VPN but when you've got some roadwarriors, you can't do that. :( solar@gentoo.org 2008-09-05 14:57:33 0000 (In reply to comment #7) > hardened, netmon: Would you be willing to maintain this package? Hardened will have to decline at this point in time. Perhaps crypto@gentoo.. hoffie@gentoo.org 2008-09-06 15:36:58 0000 So, hardened declined, crypto was proposed, changing CC accordingly. craig@gentoo.org 2008-09-08 19:21:46 0000 The attached ebuild is much more cleaner and also fixes that only selinux needs --enable-security-context (stolen from #213695). :) craig@gentoo.org 2008-09-08 19:22:59 0000 Created an attachment (id=164950) ipsec-tools-0.7.1.ebuild (with selinux fix) dragonheart@gentoo.org 2008-09-09 21:27:01 0000 (In reply to comment #13) > Created an attachment (id=164950) [edit] > ipsec-tools-0.7.1.ebuild (with selinux fix) > Thanks Craig for the inclusion of selinux and the cleanup. I've added it after making a few USE flags enabled by default. Please tell me if there is a major impact here. Of note this actually failed a self test that I've run out of time to diagnose. f346bb67 7075a9b5 27cf458f 7d302e68 6aa5c5b4 832f903b 5ea73298 0143abd2 fbf5d927 d845aae9 13788714 989c5784 9b914c71 72f745e6 8b039819 3085bf4d ca3e46ee 00b36bcc 85fc210e bbde5da7 a05519fe 7f56ffec afebd3c5 ae2069e7 ERROR: sharing gxy mismatched. !!!!! Test 'dh' failed. !!!!! FAIL: eaytest =================== 1 of 1 tests failed =================== Users: please test and note weither it works and wheither it should be marked stable on this bug report. pva@gentoo.org 2008-09-10 07:55:57 0000 Daniel this test failure is not new, see bug 196517. So if you have setup to test this package, please, bump it. BTW there some other bugs ipsec-tools and some of them either should be marked fixed with this version bump or have patch applied. rbu@gentoo.org 2008-09-14 11:30:13 0000 Daniel, are you going to have a look at the remaining bugs, or should we go ahead stabling this version? dragonheart@gentoo.org 2008-10-08 11:40:46 0000 (In reply to comment #16) > Daniel, are you going to have a look at the remaining bugs, or should we go > ahead stabling this version? > only 223319 seems still revelant. rest are upstream or are included. as i've lost cvs access in my few weeks off moving house if someone could commit the patch from 223319 and go stable from there that would be good. rbu@gentoo.org 2008-10-08 12:19:58 0000 > commit the patch from 223319 and go stable from there that would be good. done, thanks for investigating rbu@gentoo.org 2008-10-08 12:22:14 0000 Arches, please test and mark stable: =net-firewall/ipsec-tools-0.7.1 Target keywords : "amd64 ppc sparc x86" craig@gentoo.org 2008-10-08 16:52:06 0000 Daniel, it's a shame you lost cvs. The updated racoon runs stable since 14hrs for me. maekke@gentoo.org 2008-10-08 19:10:01 0000 amd64/x86 stable bluebird@gentoo.org 2008-10-11 13:07:14 0000 sparc stable dertobi123@gentoo.org 2008-10-16 18:15:24 0000 ppc stable keytoaster@gentoo.org 2008-10-16 18:52:50 0000 Ready for vote, I vote YES. rbu@gentoo.org 2008-11-26 18:44:58 0000 YES, filed rbu@gentoo.org 2008-12-02 17:50:42 0000 GLSA 200812-03 164950 2008-09-08 19:22 0000 ipsec-tools-0.7.1.ebuild (with selinux fix) ipsec-tools-0.7.1.ebuild text/plain IyBDb3B5cmlnaHQgMTk5OS0yMDA4IEdlbnRvbyBGb3VuZGF0aW9uCiMgRGlzdHJpYnV0ZWQgdW5k ZXIgdGhlIHRlcm1zIG9mIHRoZSBHTlUgR2VuZXJhbCBQdWJsaWMgTGljZW5zZSB2MgojICRIZWFk ZXI6IC92YXIvY3Zzcm9vdC9nZW50b28teDg2L25ldC1maXJld2FsbC9pcHNlYy10b29scy9pcHNl Yy10b29scy0wLjYuNy5lYnVpbGQsdiAxLjEzIDIwMDgvMDYvMDYgMjM6NTM6MzEgc3dlZ2VuZXIg RXhwICQKCmluaGVyaXQgZXV0aWxzIGZsYWctby1tYXRpYyBhdXRvdG9vbHMgbGludXgtaW5mbwoK REVTQ1JJUFRJT049IkEgcG9ydCBvZiBLQU1FJ3MgSVBzZWMgdXRpbGl0aWVzIHRvIHRoZSBMaW51 eC0yLjYgSVBzZWMgaW1wbGVtZW50YXRpb24iCkhPTUVQQUdFPSJodHRwOi8vaXBzZWMtdG9vbHMu c291cmNlZm9yZ2UubmV0LyIKU1JDX1VSST0ibWlycm9yOi8vc291cmNlZm9yZ2UvJHtQTn0vJHtQ fS50YXIuYnoyIgoKTElDRU5TRT0iQlNEIgpTTE9UPSIwIgpLRVlXT1JEUz0iYW1kNjQgcHBjIHNw YXJjIHg4NiIKSVVTRT0iaWRlYSBpcHY2IHBhbSByYzUgcmVhZGxpbmUgc2VsaW51eCBsZGFwIGtl cmJlcm9zIG5hdCBoeWJyaWQgaWNvbnYgYWRtaW5wb3J0IHNlbGludXggc3RhdHMiCgojIEZJWE1F OiB3aGF0IGlzIHRoZSBjb3JyZWN0IHN5bnRheCBmb3IgfnNwYXJjID8/PwpERVBFTkQ9IiFzcGFy Yz8gKCA+PXN5cy1rZXJuZWwvbGludXgtaGVhZGVycy0yLjYgKQoJcmVhZGxpbmU/ICggc3lzLWxp YnMvcmVhZGxpbmUgKQoJcGFtPyAoIHN5cy1saWJzL3BhbSApCglsZGFwPyAoIG5ldC1uZHMvb3Bl bmxkYXAgKQoJa2VyYmVyb3M/ICggdmlydHVhbC9rcmI1ICkKCT49ZGV2LWxpYnMvb3BlbnNzbC0w LjkuOAoJaWNvbnY/ICggdmlydHVhbC9saWJpY29udiApIgojCXJhZGl1cz8gKCBuZXQtZGlhbHVw L2dudXJhZGl1cyApCgpSREVQRU5EPSIke0RFUEVORH0KCXNlbGludXg/ICggc2VjLXBvbGljeS9z ZWxpbnV4LWlwc2VjLXRvb2xzICkiCgojIHt7eyBrZXJuZWxfY2hlY2soKQprZXJuZWxfY2hlY2so KSB7CglnZXRfdmVyc2lvbgoJaWYga2VybmVsX2lzIDIgNiA7IHRoZW4KCQlpZiB0ZXN0ICIke0tW X1BBVENIfSIgLWdlIDE5IDsgdGhlbgoJCSMgSnVzdCBmb3Iga2VybmVsID49Mi42LjE5CgkJCWVi ZWdpbiAiQ2hlY2tpbmcgZm9yIHN1aXRhYmxlIGtlcm5lbCBjb25maWd1cmF0aW9uIChOZXR3b3Jr aW5nIHwgTmV0d29ya2luZyBzdXBwb3J0IHwgTmV0d29ya2luZyBvcHRpb25zKSIKCgkJCWlmIHVz ZSBuYXQgOyB0aGVuCgkJCQlpZiAhIHsgbGludXhfY2hrY29uZmlnX3ByZXNlbnQgTkVURklMVEVS X1hUX01BVENIX1BPTElDWTsgfSA7IHRoZW4KCQkJCQlld2FybiAiW05FVEZJTFRFUl9YVF9NQVRD SF9QT0xJQ1ldIElQc2VjIHBvbGljeSBtYXRjaCBzdXBwb3J0IGlzIE5PVCBlbmFibGVkIgoJCQkJ CWVlcnJvciAiJHtQfSB3b24ndCBjb21waWxlIHdpdGggdXNlIG5hdCB0cmF2ZXJzYWwgKFVTRT1u YXQpIHVudGlsIHlvdSBlbmFibGUgTkVURklMVEVSX1hUX01BVENIX1BPTElDWSBpbiB5b3VyIGtl cm5lbCIKCQkJCQlkaWUKCQkJCWVsc2UKCQkJCQllaW5mbyAiLi4uLltORVRGSUxURVJfWFRfTUFU Q0hfUE9MSUNZXSBJUHNlYyBwb2xpY3kgbWF0Y2ggc3VwcG9ydCBpcyBlbmFibGVkIDotKSIKCQkJ CWZpCgkJCWZpCgkJCSMge3t7IGdlbmVyYWwgc3R1ZmYKCQkJaWYgISB7IGxpbnV4X2Noa2NvbmZp Z19wcmVzZW50IFhGUk1fVVNFUjsgfTsgdGhlbgoJCQkJZXdhcm4gIltYRlJNX1VTRVJdIFRyYW5z Zm9ybWF0aW9uIHVzZXIgY29uZmlndXJhdGlvbiBpbnRlcmZhY2UgaXMgTk9UIGVuYWJsZWQuIgoJ CQllbHNlCgkJCQllaW5mbyAiLi4uLltYRlJNX1VTRVJdIFRyYW5zZm9ybWF0aW9uIHVzZXIgY29u ZmlndXJhdGlvbiBpbnRlcmZhY2UgaXMgZW5hYmxlZCA6LSkiCgkJCWZpCgoJCQlpZiAhIHsgbGlu dXhfY2hrY29uZmlnX3ByZXNlbnQgTkVUX0tFWTsgfTsgdGhlbgoJCQkJZXdhcm4gIltORVRfS0VZ XSBQRl9LRVkgc29ja2V0cyBpcyBOT1QgZW5hYmxlZC4iCgkJCWVsc2UKCQkJCWVpbmZvICIuLi4u W05FVF9LRVldIFBGX0tFWSBzb2NrZXRzIGlzIGVuYWJsZWQgOi0pIgoJCQlmaQoJCQkjIH19fQoJ CQkjIHt7eyBJUHY0IHN0dWZmCgkJCWlmICEgeyBsaW51eF9jaGtjb25maWdfcHJlc2VudCBJTkVU X0lQQ09NUDsgfTsgdGhlbgoJCQkJZXdhcm4gIltJTkVUX0lQQ09NUF0gSVA6IElQQ29tcCB0cmFu c2Zvcm1hdGlvbiBpcyBOT1QgZW5hYmxlZCIKCQkJZWxzZQoJCQkJZWluZm8gIi4uLi5bSU5FVF9J UENPTVBdIElQOiBJUENvbXAgdHJhbnNmb3JtYXRpb24gaXMgZW5hYmxlZCA6LSkiCgkJCWZpCgoJ CQlpZiAhIHsgbGludXhfY2hrY29uZmlnX3ByZXNlbnQgSU5FVF9BSDsgfTsgdGhlbgoJCQkJZXdh cm4gIltJTkVUX0FIXSBBSCBUcmFuc2Zvcm1hdGlvbiBpcyBOT1QgZW5hYmxlZC4iCgkJCWVsc2UK CQkJCWVpbmZvICIuLi4uW0lORVRfQUhdIEFIIFRyYW5zZm9ybWF0aW9uIGlzIGVuYWJsZWQgOi0p IgoJCQlmaQoKCQkJaWYgISB7IGxpbnV4X2Noa2NvbmZpZ19wcmVzZW50IElORVRfRVNQOyB9OyB0 aGVuCgkJCQlld2FybiAiW0lORVRfRVNQXSBFU1AgVHJhbnNmb3JtYXRpb24gaXMgTk9UIGVuYWJs ZWQuIgoJCQllbHNlCgkJCQllaW5mbyAiLi4uLltJTkVUX0VTUF0gRVNQIFRyYW5zZm9ybWF0aW9u IGlzIGVuYWJsZWQgOi0pIgoJCQlmaQoKCQkJaWYgISB7IGxpbnV4X2Noa2NvbmZpZ19wcmVzZW50 IElORVRfWEZSTV9NT0RFX1RSQU5TUE9SVDsgfTsgdGhlbgoJCQkJZXdhcm4gIltJTkVUX1hGUk1f TU9ERV9UUkFOU1BPUlRdIElQOiBJUHNlYyB0cmFuc3BvcnQgbW9kZSBpcyBOT1QgZW5hYmxlZC4i CgkJCWVsc2UKCQkJCWVpbmZvICIuLi4uW0lORVRfWEZSTV9NT0RFX1RSQU5TUE9SVF0gSVA6IElQ c2VjIHRyYW5zcG9ydCBtb2RlIGlzIGVuYWJsZWQgOi0pIgoJCQlmaQoKCQkJaWYgISB7IGxpbnV4 X2Noa2NvbmZpZ19wcmVzZW50IElORVRfWEZSTV9NT0RFX1RVTk5FTDsgfTsgdGhlbgoJCQkJZXdh cm4gIltJTkVUX1hGUk1fTU9ERV9UVU5ORUxdIElQOiBJUHNlYyB0dW5uZWwgbW9kZSBpcyBOT1Qg ZW5hYmxlZC4iCgkJCWVsc2UKCQkJCWVpbmZvICIuLi4uW0lORVRfWEZSTV9NT0RFX1RVTk5FTF0g SVA6IElQc2VjIHR1bm5lbCBtb2RlIGlzIGVuYWJsZWQgOi0pIgoJCQlmaQoKCQkJaWYgISB7IGxp bnV4X2Noa2NvbmZpZ19wcmVzZW50IElORVRfWEZSTV9NT0RFX0JFRVQ7IH07IHRoZW4KCQkJCWV3 YXJuICJbSU5FVF9YRlJNX01PREVfQkVFVF0gSVA6IElQc2VjIEJFRVQgbW9kZSBpcyBOT1QgZW5h YmxlZC4iCgkJCWVsc2UKCQkJCWVpbmZvICIuLi4uW0lORVRfWEZSTV9NT0RFX0JFRVRdIElQOiBJ UHNlYyBCRUVUIG1vZGUgaXMgZW5hYmxlZCA6LSkiCgkJCWZpCgkJCSMgfX19CgkJCSMge3t7IElQ djYgc3R1ZmYKCQkJaWYgdXNlIGlwdjYgOyB0aGVuCgkJCQlpZiAhIHsgbGludXhfY2hrY29uZmln X3ByZXNlbnQgSU5FVDZfSVBDT01QOyB9OyB0aGVuCgkJCQkJZXdhcm4gIltJTkVUNl9JUENPTVBd IElQdjY6IElQQ29tcCB0cmFuc2Zvcm1hdGlvbiBpcyBOT1QgZW5hYmxlZCIKCQkJCWVsc2UKCQkJ CQllaW5mbyAiLi4uLltJTkVUNl9JUENPTVBdIElQdjY6IElQQ29tcCB0cmFuc2Zvcm1hdGlvbiBp cyBlbmFibGVkIDotKSIKCQkJCWZpCgoJCQkJaWYgISB7IGxpbnV4X2Noa2NvbmZpZ19wcmVzZW50 IElORVQ2X0FIOyB9OyB0aGVuCgkJCQkJZXdhcm4gIltJTkVUNl9BSF0gSVB2NjogQUggVHJhbnNm b3JtYXRpb24gaXMgTk9UIGVuYWJsZWQuIgoJCQkJZWxzZQoJCQkJCWVpbmZvICIuLi4uW0lORVQ2 X0FIXSBJUHY2OiBBSCBUcmFuc2Zvcm1hdGlvbiBpcyBlbmFibGVkIDotKSIKCQkJCWZpCgoJCQkJ aWYgISB7IGxpbnV4X2Noa2NvbmZpZ19wcmVzZW50IElORVQ2X0VTUDsgfTsgdGhlbgoJCQkJCWV3 YXJuICJbSU5FVDZfRVNQXSBJUHY2OiBFU1AgVHJhbnNmb3JtYXRpb24gaXMgTk9UIGVuYWJsZWQu IgoJCQkJZWxzZQoJCQkJCWVpbmZvICIuLi4uW0lORVQ2X0VTUF0gSVB2NjogRVNQIFRyYW5zZm9y bWF0aW9uIGlzIGVuYWJsZWQgOi0pIgoJCQkJZmkKCgkJCQlpZiAhIHsgbGludXhfY2hrY29uZmln X3ByZXNlbnQgSU5FVDZfWEZSTV9NT0RFX1RSQU5TUE9SVDsgfTsgdGhlbgoJCQkJCWV3YXJuICJb SU5FVDZfWEZSTV9NT0RFX1RSQU5TUE9SVF0gSVB2NjogSVBzZWMgdHJhbnNwb3J0IG1vZGUgaXMg Tk9UIGVuYWJsZWQuIgoJCQkJZWxzZQoJCQkJCWVpbmZvICIuLi4uW0lORVQ2X1hGUk1fTU9ERV9U UkFOU1BPUlRdIElQdjY6IElQc2VjIHRyYW5zcG9ydCBtb2RlIGlzIGVuYWJsZWQgOi0pIgoJCQkJ ZmkKCgkJCQlpZiAhIHsgbGludXhfY2hrY29uZmlnX3ByZXNlbnQgSU5FVDZfWEZSTV9NT0RFX1RV Tk5FTDsgfTsgdGhlbgoJCQkJCWV3YXJuICJbSU5FVDZfWEZSTV9NT0RFX1RVTk5FTF0gSVB2Njog SVBzZWMgdHVubmVsIG1vZGUgaXMgTk9UIGVuYWJsZWQuIgoJCQkJZWxzZQoJCQkJCWVpbmZvICIu Li4uW0lORVQ2X1hGUk1fTU9ERV9UVU5ORUxdIElQdjY6IElQc2VjIHR1bm5lbCBtb2RlIGlzIGVu YWJsZWQgOi0pIgoJCQkJZmkKCgkJCQlpZiAhIHsgbGludXhfY2hrY29uZmlnX3ByZXNlbnQgSU5F VDZfWEZSTV9NT0RFX0JFRVQ7IH07IHRoZW4KCQkJCQlld2FybiAiW0lORVQ2X1hGUk1fTU9ERV9C RUVUXSBJUHY2OiBJUHNlYyBCRUVUIG1vZGUgaXMgTk9UIGVuYWJsZWQuIgoJCQkJZWxzZQoJCQkJ CWVpbmZvICIuLi4uW0lORVQ2X1hGUk1fTU9ERV9CRUVUXSBJUHY2OiBJUHNlYyBCRUVUIG1vZGUg aXMgZW5hYmxlZCA6LSkiCgkJCQlmaQoJCQlmaQoJCQkjIH19fQoKCQkJZWVuZCAkPwoJCWZpCglm aQp9CiMgfX19CgpzcmNfdW5wYWNrKCkgewoJdW5wYWNrICR7QX0KCWNkICIke1N9IgoJIyBmaXgg Zm9yIGJ1ZyAjNzY3NDEKCXNlZCAtaSAnczojaW5jbHVkZSA8c3lzL3N5c2N0bC5oPjo6JyBzcmMv cmFjb29uL3Bma2V5LmMgc3JjL3NldGtleS9zZXRrZXkuYwoJIyBmaXggZm9yIGJ1ZyAjMTI0ODEz CglzZWQgLWkgJ3M6LVdlcnJvcjo6ZycgIiR7U30iL2NvbmZpZ3VyZS5hYwoKCUFUX000RElSPSIk e1N9IiBlYXV0b3JlY29uZgoJZXB1bnRfY3h4Cn0KCnNyY19jb21waWxlKCkgewoJIyBmaXggZm9y IGJ1ZyAjNjEwMjUKCWZpbHRlci1mbGFncyAtbWFyY2g9YzMKCglrZXJuZWxfY2hlY2sKCglteWNv bmY9Ii0td2l0aC1rZXJuZWwtaGVhZGVycz0ke0tWX0RJUn0vaW5jbHVkZSBcCgkJCS0tZW5hYmxl LWRlcGVuZGVuY3ktdHJhY2tpbmcgXAoJCQktLWVuYWJsZS1kcGQgXAoJCQktLWVuYWJsZS1mcmFn IFwKCQkJLS1lbmFibGUtc3RhdHMgXAoJCQktLWVuYWJsZS1mYXN0cXVpdCBcCgkJCSQodXNlX2Vu YWJsZSBpcHY2KSBcCgkJCSQodXNlX2VuYWJsZSByYzUpIFwKCQkJJCh1c2VfZW5hYmxlIHN0YXRz KSBcCgkJCSQodXNlX2VuYWJsZSBhZG1pbnBvcnQpIFwKCQkJJCh1c2VfZW5hYmxlIGlkZWEpIFwK CQkJJCh1c2Vfd2l0aCByZWFkbGluZSkKCQkJJCh1c2VfZW5hYmxlIGtlcmJlcm9zIGdzc2FwaSkg XAoJCQkkKHVzZV93aXRoIGxkYXAgbGlibGRhcCkgXAoJCQkkKHVzZV93aXRoIHBhbSBsaWJwYW0p IgoKIwl3ZSBkbyBub3Qgd2FudCBicm9rZW4tbmF0dCBmcm9tIHRoZSBrZXJuZWwKIwlteWNvbmY9 IiR7bXljb25mfSAkKHVzZV9lbmFibGUgYnJva2VuLW5hdHQpIgoJdXNlIG5hdCAmJiBteWNvbmY9 IiR7bXljb25mfSAtLWVuYWJsZS1uYXR0IC0tZW5hYmxlLW5hdHQtdmVyc2lvbnM9eWVzIgoKCSMg d2Ugb25seSBuZWVkIHNlY3VyaXR5LWNvbnRleHQgd2hlbiB1c2luZyBzZWxpbnV4CglteWNvbmY9 IiR7bXljb25mfSAkKHVzZV9lbmFibGUgc2VsaW51eCBzZWN1cml0eS1jb250ZXh0KSIKCgkjIGVu YWJsZSBtb2RlLWNmZyBhbmQgeGF1dGggc3VwcG9ydAoJaWYgdXNlIHBhbTsgdGhlbgoJCW15Y29u Zj0iJHtteWNvbmZ9IC0tZW5hYmxlLWh5YnJpZCIKCWVsc2UKCQlteWNvbmY9IiR7bXljb25mfSAk KHVzZV9lbmFibGUgaHlicmlkKSIKCWZpCgoJIyBkZXYtbGlicy9saWJpY29udiBpcyBoYXJkIG1h c2tlZAoJI3VzZSBpY29udiAmJiBteWNvbmY9IiR7bXljb25mfSAkKHVzZV93aXRoIGljb252IGxp Ymljb252KSIKCgkjIHRoZSBkZWZhdWx0ICgvdXNyL2luY2x1ZGUvb3BlbnNzbC8pIGlzIE9LIGZv ciBHZW50b28sIGxlYXZlIGl0CgkjIG15Y29uZj0iJHtteWNvbmZ9ICQodXNlX3dpdGggc3NsIG9w ZW5zc2wgKSIKCgkjIE5vIHdheSB0byBnZXQgaXQgY29tcGlsaW5nIHdpdGggZnJlZXJhZGl1cyBv ciBnbnVyYWRpdXMKCSMgV2Ugd291bGQgbmVlZCBsaWJyYWRpdXMgd2hpY2ggb25seSBleGlzdHMg b24gRnJlZUJTRAoKCSMgU2VlIGJ1ZyAjNzczNjkKCSNteWNvbmY9IiR7bXljb25mfSAtLWVuYWJs ZS1zYW1vZGUtdW5zcGVjIgoKCWVjb25mICR7bXljb25mfSB8fCBkaWUKCWVtYWtlIC1qMSB8fCBk aWUKfQoKc3JjX2luc3RhbGwoKSB7CgllbWFrZSBERVNURElSPSIke0R9IiBpbnN0YWxsIHx8IGRp ZQoJa2VlcGRpciAvdmFyL2xpYi9yYWNvb24KCW5ld2NvbmZkICIke0ZJTEVTRElSfSIvcmFjb29u LmNvbmYuZCByYWNvb24KCW5ld2luaXRkICIke0ZJTEVTRElSfSIvcmFjb29uLmluaXQuZCByYWNv b24KCglkb2RvYyBDaGFuZ2VMb2cgUkVBRE1FIE5FV1MKCWRvZG9jIHNyYy9yYWNvb24vc2FtcGxl cy8qCglkb2RvYyBzcmMvcmFjb29uL2RvYy8qCgoJZG9jaW50byByb2Fkd2FycmlvcgoJZG9kb2Mg c3JjL3JhY29vbi9zYW1wbGVzL3JvYWR3YXJyaW9yLyoKCglkb2NpbnRvIHJvYWR3YXJyaW9yL2Ns aWVudAoJZG9kb2Mgc3JjL3JhY29vbi9zYW1wbGVzL3JvYWR3YXJyaW9yL2NsaWVudC8qCglkb2Np bnRvIHJvYWR3YXJyaW9yL3NlcnZlcgoJZG9kb2Mgc3JjL3JhY29vbi9zYW1wbGVzL3JvYWR3YXJy aW9yL3NlcnZlci8qCgoJZG9jaW50byBzZXRrZXkKCWRvZG9jIHNyYy9zZXRrZXkvc2FtcGxlLmNm CgoJZG9kaXIgL2V0Yy9yYWNvb24KCgkjIFJGQyBhcmUgb25seSBhdmFpbGFibGUgZnJvbSBDVlMg Zm9yIHRoZSBtb21lbnQsIHNlZSBlaW5mbyBiZWxvdwoJI2RvY2ludG8gInJmYyIKCSNkb2RvYyAk e1N9L3NyYy9yYWNvb24vcmZjLyoKfQoKcGtnX3Bvc3RpbnN0KCkgewoJaWYgdXNlIG5hdDsgdGhl bgoJCWVsb2cKCQllbG9nICIgWW91IGhhdmUgZW5hYmxlZCB0aGUgbmF0IHRyYXZlcnNhbCBmdW5j dGlvbm5hbGl0eS4iCgkJZWxvZyAiIE5hdCB2ZXJzaW9ucyB3aWNoIGFyZSBlbmFibGVkIGJ5IGRl ZmF1bHQgYXJlIDAwLDAyLHJmYyIKCQllbG9nICIgeW91IGNhbiBmaW5kIHRob3NlIGRyYWZ0cyBp biB0aGUgQ1ZTIHJlcG9zaXRvcnk6IgoJCWVsb2cgImN2cyAtZCBhbm9uY3ZzQGFub25jdnMubmV0 YnNkLm9yZzovY3Zzcm9vdCBjbyBpcHNlYy10b29scyIKCQllbG9nCgkJZWxvZyAiSWYgeW91IGZl ZWwgYnJhdmUgZW5vdWdoIGFuZCB5b3Uga25vdyB3aGF0IHlvdSBhcmUiCgkJZWxvZyAiZG9pbmcs IHlvdSBjYW4gY29uc2lkZXIgZW1lcmdpbmcgdGhpcyBlYnVpbGQiCgkJZWxvZyAid2l0aCIKCQll bG9nICJFWFRSQV9FQ09ORj1cIi0tZW5hYmxlLW5hdHQtdmVyc2lvbnM9MDgsMDcsMDZcIiIKCQll bG9nCglmaTsKCglpZiB1c2UgbGRhcDsgdGhlbgoJCWVsb2cKCQllbG9nICIgWW91IGhhdmUgZW5h YmxlZCBsZGFwIHN1cHBvcnQgd2l0aCB7JFBOfS4iCgkJZWxvZyAiIFRoZSBtYW4gcGFnZSBkb2Vz IE5PVCBjb250YWluIGFueSBpbmZvcm1hdGlvbiBvbiBpdCB5ZXQuIgoJCWVsb2cgIiBDb25zaWRl ciB0byB1c2UgYSBtb3JlIHJlY2VudCB2ZXJzaW9uIG9yIENWUyIKCQllbG9nCglmaTsKCgllbG9n CgllbG9nICJQbGVhc2UgaGF2ZSBhIGxvb2sgaW4gL3Vzci9zaGFyZS9kb2MvJHtQfSBhbmQgdmlz aXQiCgllbG9nICJodHRwOi8vd3d3Lm5ldGJzZC5vcmcvRG9jdW1lbnRhdGlvbi9uZXR3b3JrL2lw c2VjLyIKCWVsb2cgInRvIGZpbmQgYSBsb3Qgb2YgaW5mb3JtYXRpb24gb24gaG93IHRvIGNvbmZp Z3VyZSB0aGlzIGdyZWF0IHRvb2wuIgoJZWxvZwp9CgojIHZpbTogc2V0IGZvbGRtZXRob2Q9bWFy a2VyIG5vd3JhcCA6Cg==