pidgin: Connects to Jabber server with bad SSL certificates without warning (CVE-2008-3532)

Related Vulnerabilities: CVE-2008-3532  

Debian Bug report logs - #492434

Package: pidgin; Maintainer for pidgin is Ari Pollak <ari@debian.org>; Source for pidgin is src:pidgin.

Reported by: Josh Triplett <josh@joshtriplett.org>

Date: Sat, 26 Jul 2008 03:06:01 UTC

Severity: grave

Tags: patch, security

Found in version pidgin/2.4.3-1

Fixed in version pidgin/2.4.3-2

Done: Ari Pollak <ari@debian.org>

Bug is archived. No further changes may be made.

Forwarded to http://developer.pidgin.im/ticket/6500



Report forwarded to debian-bugs-dist@lists.debian.org, josh@freedesktop.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Robert McQueen <robot101@debian.org>:
Bug#492434; Package pidgin.


Message #3 received at submit@bugs.debian.org:

From: Josh Triplett <josh@freedesktop.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: pidgin: Connects to Jabber server with bad SSL certificates without warning
Date: Fri, 25 Jul 2008 20:03:02 -0700
Package: pidgin
Version: 2.4.3-1
Severity: grave
Tags: security
Justification: user security hole

I recently set up a Jabber server.  I used the default snakeoil
certificate.  When I configured Pidgin to connect to my new server,
using SSL, it connected without any complaint whatsoever.

- Josh Triplett

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.25-2-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages pidgin depends on:
ii  gconf2                       2.22.0-1    GNOME configuration database syste
ii  libatk1.0-0                  1.22.0-1    The ATK accessibility toolkit
ii  libc6                        2.7-12      GNU C Library: Shared libraries
ii  libcairo2                    1.6.4-6     The Cairo 2D vector graphics libra
ii  libdbus-1-3                  1.2.1-2     simple interprocess messaging syst
ii  libdbus-glib-1-2             0.76-1      simple interprocess messaging syst
ii  libglib2.0-0                 2.16.4-2    The GLib library of C routines
ii  libgstreamer0.10-0           0.10.20-1   Core GStreamer libraries and eleme
ii  libgtk2.0-0                  2.12.11-3   The GTK+ graphical user interface 
ii  libgtkspell0                 2.0.13-1    a spell-checking addon for GTK's T
ii  libice6                      2:1.0.4-1   X11 Inter-Client Exchange library
ii  libpango1.0-0                1.20.5-1    Layout and rendering of internatio
ii  libpurple0                   2.4.3-1     multi-protocol instant messaging l
ii  libsm6                       2:1.0.3-2   X11 Session Management library
ii  libstartup-notification0     0.9-1       library for program launch feedbac
ii  libx11-6                     2:1.1.4-2   X11 client-side library
ii  libxss1                      1:1.1.3-1   X11 Screen Saver extension library
ii  perl                         5.10.0-11.1 Larry Wall's Practical Extraction 
ii  perl-base [perlapi-5.10.0]   5.10.0-11.1 The Pathologically Eclectic Rubbis
ii  pidgin-data                  2.4.3-1     multi-protocol instant messaging c

Versions of packages pidgin recommends:
ii  gstreamer0.10-plugins-base    0.10.20-1  GStreamer plugins from the "base" 
ii  gstreamer0.10-plugins-good    0.10.8-4   GStreamer plugins from the "good" 

Versions of packages pidgin suggests:
ii  evolution-data-server         2.22.3-1   evolution database backend server
ii  gnome-panel                   2.20.3-5   launcher and docking facility for 
ii  libsqlite3-0                  3.5.9-3    SQLite 3 shared library

-- no debconf information




Information forwarded to debian-bugs-dist@lists.debian.org, Robert McQueen <robot101@debian.org>:
Bug#492434; Package pidgin.


Acknowledgement sent to Ari Pollak <ari@debian.org>:
Extra info received and forwarded to list. Copy sent to Robert McQueen <robot101@debian.org>.


Message #8 received at 492434@bugs.debian.org:

From: Ari Pollak <ari@debian.org>
To: Josh Triplett <josh@freedesktop.org>, 492434@bugs.debian.org
Subject: Re: Bug#492434: pidgin: Connects to Jabber server with bad SSL certificates without warning
Date: Sun, 27 Jul 2008 16:48:39 -0400
Is the server certificate present in /etc/ssl/certs or Tools->Certificates?




Information forwarded to debian-bugs-dist@lists.debian.org, Robert McQueen <robot101@debian.org>:
Bug#492434; Package pidgin.


Acknowledgement sent to Miron Cuperman <c1.debian@niftybox.net>:
Extra info received and forwarded to list. Copy sent to Robert McQueen <robot101@debian.org>.


Message #13 received at 492434@bugs.debian.org:

From: Miron Cuperman <c1.debian@niftybox.net>
To: 492434@bugs.debian.org
Subject: Re: Bug#492434: pidgin: Connects to Jabber server with bad SSL certificates, without warning
Date: Sat, 02 Aug 2008 20:14:41 -0700
[Message part 1 (text/plain, inline)]
I believe this bug was introduced with the "fix" for bug #401567.

At that time, the SSL implementation was changed from GNUTLS to NSS.  
Unfortunately, the NSS plugin in pidgin does no certificate checking at 
all, meaning that any certificate is accepted (including malformed or 
self-signed ones).

I recommend switching back to gnutls.  Patch attached.  The attached 
patch also corrects a problem in reading the certificate store from 
/etc/ssl/certs .  (note that this patch is cumulative to 
00_debian-ca-certs.patch .)

Unfortunately, it is now the case that any passwords transmitted over an 
NSS created link could have been compromised by man-in-the-middle 
attacks, since many people use the PLAIN auth mechanism.  Any valuable 
passwords compromised in this way should be changed.

--
Miron

[gnutls.diff (text/x-diff, inline)]
diff -ur pidgin-2.4.1/debian/rules pidgin-2.4.1-gnutls/debian/rules
--- pidgin-2.4.1/debian/rules	2008-08-02 19:04:58.000000000 -0700
+++ pidgin-2.4.1-gnutls/debian/rules	2008-08-02 18:43:49.000000000 -0700
@@ -20,7 +20,7 @@
 LDFLAGS = -Wl,--as-needed
 CFLAGS = -fstack-protector
 
-DEB_CONFIGURE_EXTRA_FLAGS := --enable-perl --with-zephyr=/usr --enable-dbus --enable-gnutls=no --enable-nss=yes --enable-cyrus-sasl --enable-nm --disable-silc
+DEB_CONFIGURE_EXTRA_FLAGS := --enable-perl --with-zephyr=/usr --enable-dbus --enable-gnutls=yes --enable-nss=no --enable-cyrus-sasl --enable-nm --disable-silc
 DEB_DH_MAKESHLIBS_ARGS_pidgin := -V -X/usr/lib/pidgin
 DEB_DH_SHLIBDEPS_ARGS_pidgin := -X/usr/lib/pidgin/gevolution.so -X/usr/lib/pidgin/cap.so -- -dSuggests debian/pidgin/usr/lib/pidgin/cap.so -dDepends
 
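Review bot: flipping `--enable-gnutls=yes --enable-nss=no` on the `DEB_CONFIGURE_EXTRA_FLAGS` line sidesteps the missing certificate check in the NSS plugin instead of adding it, so any build that keeps `--enable-nss=yes` stays exposed. If the backend switch is kept as a stopgap, say so in the patch description and the changelog, and submit it separately from the certificate.c path change in the same diff, since the two edits are independent of each other.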
diff -ur pidgin-2.4.1/libpurple/certificate.c pidgin-2.4.1-gnutls/libpurple/certificate.c
--- pidgin-2.4.1/libpurple/certificate.c	2008-08-02 19:07:10.000000000 -0700
+++ pidgin-2.4.1-gnutls/libpurple/certificate.c	2008-08-02 18:56:25.000000000 -0700
@@ -745,7 +745,7 @@
 		x509_ca_paths = g_list_append(NULL, g_build_filename(DATADIR,
 						   "ca-certs", NULL));
 #else
-		x509_ca_paths = g_list_append(NULL, g_build_filename("etc",
+		x509_ca_paths = g_list_append(NULL, g_build_filename("/etc",
 						   "ssl", "certs", NULL));
 #endif
 	}
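Review bot: the removed line passes "etc" as the first element to g_build_filename(), which produces the relative path etc/ssl/certs, resolved against the process's working directory rather than the filesystem root; the "/etc" in the added line is the right correction. Because every component in this call is a constant, a single "/etc/ssl/certs" literal or a configure-time define would make the absolute path obvious at a glance, and a debug message when the directory cannot be opened would keep this kind of mistake from failing silently.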

Information forwarded to debian-bugs-dist@lists.debian.org, Robert McQueen <robot101@debian.org>:
Bug#492434; Package pidgin.


Acknowledgement sent to Tyler MacDonald <tyler@yi.org>:
Extra info received and forwarded to list. Copy sent to Robert McQueen <robot101@debian.org>.


Message #18 received at 492434@bugs.debian.org:

From: Tyler MacDonald <tyler@yi.org>
To: Miron Cuperman <c1.debian@niftybox.net>
Cc: 492434@bugs.debian.org
Subject: Re: Bug#492434: pidgin: Connects to Jabber server with bad SSL certificates, without warning
Date: Sat, 2 Aug 2008 20:50:09 -0700
tags 492434 patch
thanks


Miron Cuperman <c1.debian@niftybox.net> wrote:
> I believe this bug was introduced with the "fix" for bug #401567.
>
> At that time, the SSL implementation was changed from GNUTLS to NSS.   
> Unfortunately, the NSS plugin in pidgin does no certificate checking at  
> all, meaning that any certificate is accepted (including malformed or  
> self-signed ones).
>
> I recommend switching back to gnutls.  Patch attached.  The attached  
> patch also corrects a problem in reading the certificate store from  
> /etc/ssl/certs .  (note that this patch is cumulative to  
> 00_debian-ca-certs.patch .)
>
> Unfortunately, it is now the case that any passwords transmitted over an  
> NSS created link could have been compromised by man-in-the-middle  
> attacks, since many people use the PLAIN auth mechanism.  Any valuable  
> passwords compromised in this way should be changed.
>
> --
> Miron
>

> diff -ur pidgin-2.4.1/debian/rules pidgin-2.4.1-gnutls/debian/rules
> --- pidgin-2.4.1/debian/rules	2008-08-02 19:04:58.000000000 -0700
> +++ pidgin-2.4.1-gnutls/debian/rules	2008-08-02 18:43:49.000000000 -0700
> @@ -20,7 +20,7 @@
>  LDFLAGS = -Wl,--as-needed
>  CFLAGS = -fstack-protector
>  
> -DEB_CONFIGURE_EXTRA_FLAGS := --enable-perl --with-zephyr=/usr --enable-dbus --enable-gnutls=no --enable-nss=yes --enable-cyrus-sasl --enable-nm --disable-silc
> +DEB_CONFIGURE_EXTRA_FLAGS := --enable-perl --with-zephyr=/usr --enable-dbus --enable-gnutls=yes --enable-nss=no --enable-cyrus-sasl --enable-nm --disable-silc
>  DEB_DH_MAKESHLIBS_ARGS_pidgin := -V -X/usr/lib/pidgin
>  DEB_DH_SHLIBDEPS_ARGS_pidgin := -X/usr/lib/pidgin/gevolution.so -X/usr/lib/pidgin/cap.so -- -dSuggests debian/pidgin/usr/lib/pidgin/cap.so -dDepends
>  
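Review bot: the two security-relevant flags on the `DEB_CONFIGURE_EXTRA_FLAGS` line (`--enable-gnutls`, `--enable-nss`) are buried in one long assignment, which makes a change of TLS backend easy to miss in review. Splitting the assignment into one option per line with backslash continuations, and adding a comment above the two backend flags recording why that backend was chosen, would make later changes to this line show up clearly in a diff.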
> diff -ur pidgin-2.4.1/libpurple/certificate.c pidgin-2.4.1-gnutls/libpurple/certificate.c
> --- pidgin-2.4.1/libpurple/certificate.c	2008-08-02 19:07:10.000000000 -0700
> +++ pidgin-2.4.1-gnutls/libpurple/certificate.c	2008-08-02 18:56:25.000000000 -0700
> @@ -745,7 +745,7 @@
>  		x509_ca_paths = g_list_append(NULL, g_build_filename(DATADIR,
>  						   "ca-certs", NULL));
>  #else
> -		x509_ca_paths = g_list_append(NULL, g_build_filename("etc",
> +		x509_ca_paths = g_list_append(NULL, g_build_filename("/etc",
>  						   "ssl", "certs", NULL));
>  #endif
>  	}
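Review bot: the `---`/`+++` header for this hunk names a pidgin-2.4.1 tree, while the report is filed against version 2.4.3-1. Confirm that the `@@ -745,7 +745,7 @@` context still matches certificate.c in the packaged version, and regenerate the diff against that tree so it applies without offset or fuzz.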


-- 




Tags added: patch Request was from Tyler MacDonald <tyler@yi.org> to control@bugs.debian.org. (Sun, 03 Aug 2008 04:21:04 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, Robert McQueen <robot101@debian.org>:
Bug#492434; Package pidgin.


Acknowledgement sent to Ari Pollak <ari@debian.org>:
Extra info received and forwarded to list. Copy sent to Robert McQueen <robot101@debian.org>.


Message #25 received at 492434@bugs.debian.org:

From: Ari Pollak <ari@debian.org>
To: Miron Cuperman <c1.debian@niftybox.net>, 492434@bugs.debian.org
Subject: Re: Bug#492434: pidgin: Connects to Jabber server with bad SSL certificates, without warning
Date: Sun, 03 Aug 2008 00:29:32 -0400
If what you say is correct, then most Pidgin installations are not
verifying certificates correctly and this isn't just a Debian problem.
Any patch needs to address the real issue, especially since upstream has
discouraged using GNUTLS.

Miron Cuperman wrote:
> I believe this bug was introduced with the "fix" for bug #401567.
> 
> At that time, the SSL implementation was changed from GNUTLS to NSS. 
> Unfortunately, the NSS plugin in pidgin does no certificate checking at
> all, meaning that any certificate is accepted (including malformed or
> self-signed ones).




Noted your statement that Bug has been forwarded to http://developer.pidgin.im/ticket/6500. Request was from Ari Pollak <ari@debian.org> to control@bugs.debian.org. (Sun, 03 Aug 2008 18:36:06 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, Robert McQueen <robot101@debian.org>:
Bug#492434; Package pidgin.


Acknowledgement sent to Miron Cuperman <c1.debian@niftybox.net>:
Extra info received and forwarded to list. Copy sent to Robert McQueen <robot101@debian.org>.


Message #32 received at 492434@bugs.debian.org:

From: Miron Cuperman <c1.debian@niftybox.net>
To: Ari Pollak <ari@debian.org>
Cc: 492434@bugs.debian.org
Subject: Re: Bug#492434: pidgin: Connects to Jabber server with bad SSL certificates, without warning
Date: Sun, 03 Aug 2008 16:19:53 -0700
[Message part 1 (text/plain, inline)]
As requested, NSS patch submitted to Pidgin in forwarded bug report, so 
there's no need to switch to GNUTLS.

However, the second half of the patch above is still needed to grab CA 
certs from /etc/ssl/certs.  Attaching just that part.

[debian-ca-certs.patch (text/x-diff, inline)]
--- pidgin-2.4.1/libpurple/certificate.c
+++ pidgin-2.4.1.new/libpurple/certificate.c
@@ -745,8 +745,8 @@
 		x509_ca_paths = g_list_append(NULL, g_build_filename(DATADIR,
 						   "ca-certs", NULL));
 #else
-		x509_ca_paths = g_list_append(NULL, g_build_filename("etc",
-						   "ssl", "certs", NULL));
+		x509_ca_paths = g_list_append(NULL, g_build_filename("/etc",
+						   "ssl", "certs", NULL));
 #endif
 	}
 
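Review bot: the second removed/added pair (`"ssl", "certs", NULL));`) shows no visible difference, so it is at most a whitespace change; drop it so the hunk touches only the `"etc"` to `"/etc"` line and the delta against 00_debian-ca-certs.patch stays minimal. The patch also carries no description above the `---`/`+++` header; one line stating that the relative path kept the CA certificates in /etc/ssl/certs from being read would help whoever refreshes it for the next upstream release.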

Information forwarded to debian-bugs-dist@lists.debian.org, Robert McQueen <robot101@debian.org>:
Bug#492434; Package pidgin.


Acknowledgement sent to Ethan Blanton <elb@psg.com>:
Extra info received and forwarded to list. Copy sent to Robert McQueen <robot101@debian.org>.


Message #37 received at 492434@bugs.debian.org:

From: Ethan Blanton <elb@psg.com>
To: 492434@bugs.debian.org
Subject: Re: Bug#492434: pidgin: Connects to Jabber server with bad SSL certificates, without warning
Date: Wed, 6 Aug 2008 13:03:14 -0400
[Message part 1 (text/plain, inline)]
Why is a patch necessary to enable /etc/ssl/certs?  Does
--with-system-ssl-certs= not do what you need?  If so, we should fix
it, rather than applying additional hacks.

Ethan

Information forwarded to debian-bugs-dist@lists.debian.org, Robert McQueen <robot101@debian.org>:
Bug#492434; Package pidgin.


Acknowledgement sent to Ari Pollak <ari@debian.org>:
Extra info received and forwarded to list. Copy sent to Robert McQueen <robot101@debian.org>.


Message #42 received at 492434@bugs.debian.org:

From: Ari Pollak <ari@debian.org>
To: Ethan Blanton <elb@psg.com>, 492434@bugs.debian.org
Subject: Re: Bug#492434: pidgin: Connects to Jabber server with bad SSL certificates, without warning
Date: Wed, 06 Aug 2008 13:35:55 -0400
As far as I can tell, --with-system-ssl-certs doesn't exist in 2.4.3.

On Wed, 2008-08-06 at 13:03 -0400, Ethan Blanton wrote:
> Why is a patch necessary to enable /etc/ssl/certs?  Does
> --with-system-ssl-certs= not do what you need?  If so, we should fix
> it, rather than applying additional hacks.
> 
> Ethan





Information forwarded to debian-bugs-dist@lists.debian.org, Robert McQueen <robot101@debian.org>:
Bug#492434; Package pidgin.


Acknowledgement sent to Ethan Blanton <elb@psg.com>:
Extra info received and forwarded to list. Copy sent to Robert McQueen <robot101@debian.org>.


Message #47 received at 492434@bugs.debian.org:

From: Ethan Blanton <elb@psg.com>
To: Ari Pollak <ari@debian.org>
Cc: 492434@bugs.debian.org
Subject: Re: Bug#492434: pidgin: Connects to Jabber server with bad SSL certificates, without warning
Date: Wed, 6 Aug 2008 14:43:23 -0400
[Message part 1 (text/plain, inline)]
Ari Pollak spake unto us the following wisdom:
> As far as I can tell, --with-system-ssl-certs doesn't exist in 2.4.3.

Whoops, an excellent point.  You might want to simply use the attached
(untested, but compiles and looks rather trivial) patch, instead,
which is from upstream.  It is upstream revision
90ed1fb17982cbb6355d5dd32d041b8c0027509b and
19703c67fa680f4ee37fb1ff944b7b3a0fcf18a4.

This option will be in 2.5.0 when it releases.  Sorry for the
confusion.  :-)  If *this* doesn't do what you need, let us know ASAP
and we'll make sure what you need is in 2.5.0.

Ethan

-- 
The laws that forbid the carrying of arms are laws [that have no remedy
for evils].  They disarm only those who are neither inclined nor
determined to commit crimes.
		-- Cesare Beccaria, "On Crimes and Punishments", 1764
[with-system-ssl-certs.diff (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Robert McQueen <robot101@debian.org>:
Bug#492434; Package pidgin.


Acknowledgement sent to Ari Pollak <ari@debian.org>:
Extra info received and forwarded to list. Copy sent to Robert McQueen <robot101@debian.org>.


Message #52 received at 492434@bugs.debian.org:

From: Ari Pollak <ari@debian.org>
To: Ethan Blanton <elb@psg.com>
Cc: 492434@bugs.debian.org
Subject: Re: Bug#492434: pidgin: Connects to Jabber server with bad SSL certificates, without warning
Date: Wed, 06 Aug 2008 15:22:34 -0400
On Wed, 2008-08-06 at 14:43 -0400, Ethan Blanton wrote:
> Whoops, an excellent point.  You might want to simply use the attached
> (untested, but compiles and looks rather trivial) patch, instead,
> which is from upstream.  It is upstream revision
> 90ed1fb17982cbb6355d5dd32d041b8c0027509b and
> 19703c67fa680f4ee37fb1ff944b7b3a0fcf18a4.

Unfortunately this means I'd have to re-run autoconf & automake during
build, which I'm trying to avoid doing. Since the current patch
essentially does the same thing in the end, I'll just switch to the
configure option for 2.5.0 and fix the path for now.





Changed Bug title to `pidgin: Connects to Jabber server with bad SSL certificates without warning (CVE-2008-3532)' from `pidgin: Connects to Jabber server with bad SSL certificates without warning'. Request was from Ari Pollak <apollak@compete.com> to control@bugs.debian.org. (Fri, 08 Aug 2008 18:21:05 GMT).


Reply sent to Ari Pollak <ari@debian.org>:
You have taken responsibility.


Notification sent to Josh Triplett <josh@freedesktop.org>:
Bug acknowledged by developer.


Message #59 received at 492434-close@bugs.debian.org:

From: Ari Pollak <ari@debian.org>
To: 492434-close@bugs.debian.org
Subject: Bug#492434: fixed in pidgin 2.4.3-2
Date: Fri, 22 Aug 2008 13:32:06 +0000
Source: pidgin
Source-Version: 2.4.3-2

We believe that the bug you reported is fixed in the latest version of
pidgin, which is due to be installed in the Debian FTP archive:

finch-dev_2.4.3-2_all.deb
  to pool/main/p/pidgin/finch-dev_2.4.3-2_all.deb
finch_2.4.3-2_amd64.deb
  to pool/main/p/pidgin/finch_2.4.3-2_amd64.deb
libpurple-bin_2.4.3-2_all.deb
  to pool/main/p/pidgin/libpurple-bin_2.4.3-2_all.deb
libpurple-dev_2.4.3-2_all.deb
  to pool/main/p/pidgin/libpurple-dev_2.4.3-2_all.deb
libpurple0_2.4.3-2_amd64.deb
  to pool/main/p/pidgin/libpurple0_2.4.3-2_amd64.deb
pidgin-data_2.4.3-2_all.deb
  to pool/main/p/pidgin/pidgin-data_2.4.3-2_all.deb
pidgin-dbg_2.4.3-2_amd64.deb
  to pool/main/p/pidgin/pidgin-dbg_2.4.3-2_amd64.deb
pidgin-dev_2.4.3-2_all.deb
  to pool/main/p/pidgin/pidgin-dev_2.4.3-2_all.deb
pidgin_2.4.3-2.diff.gz
  to pool/main/p/pidgin/pidgin_2.4.3-2.diff.gz
pidgin_2.4.3-2.dsc
  to pool/main/p/pidgin/pidgin_2.4.3-2.dsc
pidgin_2.4.3-2_amd64.deb
  to pool/main/p/pidgin/pidgin_2.4.3-2_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 492434@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ari Pollak <ari@debian.org> (supplier of updated pidgin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Thu, 21 Aug 2008 23:56:42 -0400
Source: pidgin
Binary: libpurple0 pidgin pidgin-data pidgin-dev pidgin-dbg finch finch-dev libpurple-dev libpurple-bin
Architecture: source all amd64
Version: 2.4.3-2
Distribution: unstable
Urgency: low
Maintainer: Ari Pollak <ari@debian.org>
Changed-By: Ari Pollak <ari@debian.org>
Description: 
 finch      - text-based multi-protocol instant messaging client
 finch-dev  - text-based multi-protocol instant messaging client - development
 libpurple-bin - multi-protocol instant messaging library - extra utilities
 libpurple-dev - multi-protocol instant messaging library - development files
 libpurple0 - multi-protocol instant messaging library
 pidgin     - graphical multi-protocol instant messaging client for X
 pidgin-data - multi-protocol instant messaging client - data files
 pidgin-dbg - Debugging symbols for Pidgin
 pidgin-dev - multi-protocol instant messaging client - development files
Closes: 492434
Changes: 
 pidgin (2.4.3-2) unstable; urgency=low
 .
   * Apply patch from Miron Cuperman to fix path to CA certificates in
     00_debian-ca-certs.path
   * debian/patches/25_ssl-nss.patch:
     - Apply patch from upstream to add SSL certificate checking to the NSS
       plugin, which we use (CVE-2008-3532) (Closes: #492434)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 12 Oct 2008 07:30:04 GMT).


Bug unarchived. Request was from Josh Triplett <josh@joshtriplett.org> to control@bugs.debian.org. (Sat, 04 Jul 2009 09:16:10 GMT).


Changed Bug submitter from Josh Triplett <josh@freedesktop.org> to Josh Triplett <josh@joshtriplett.org>. Request was from Josh Triplett <josh@joshtriplett.org> to control@bugs.debian.org. (Sat, 04 Jul 2009 09:16:11 GMT).


Bug archived. Request was from Josh Triplett <josh@joshtriplett.org> to control@bugs.debian.org. (Sat, 04 Jul 2009 09:16:12 GMT).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:37:57 2019; Machine Name: buxtehude