CVE-2006-5444: Remote compromise in chan_skinny

Related Vulnerabilities: CVE-2006-5444  

Debian Bug report logs - #394025

Reported by: Metlstorm <metlstorm@storm.net.nz>

Date: Wed, 18 Oct 2006 23:18:21 UTC

Severity: critical

Tags: patch, security

Found in version 1.0.7.dfsg.1-2sarge3

Fixed in versions asterisk/1:1.2.13~dfsg-1, asterisk/1:1.0.7.dfsg.1-2sarge4

Done: Ben Hutchings <ben@decadent.org.uk>

Bug is archived. No further changes may be made.

Forwarded to http://bugs.digium.com/view.php?id=7770


Report forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#394025; Package asterisk.


Acknowledgement sent to Metlstorm <metlstorm@storm.net.nz>:
New Bug report received and forwarded. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Metlstorm <metlstorm@storm.net.nz>
To: submit@bugs.debian.org
Subject: Remote compromise
Date: Thu, 19 Oct 2006 11:49:55 +1300 (NZDT)
Package: asterisk
Version: 1.0.7.dfsg.1-2sarge3
Severity: Critical
Tags: Security

Asterisk 1.0 and 1.2 versions up to and including 1.2.12.1 and 1.0.11 are 
vulnerable to a remote, unauthenticated heap overflow leading to arbitrary 
code execution as root.

New upstream releases 1.0.12 and 1.2.13 provide patches for this problem.

No public exploit is currently known, but a private proof-of-concept took 
less than a day.

More information is available in the security advisory from 
Security-Assessment, at http://www.security-assessment.com, or 
http://www.storm.net.nz/projects/18

---
Adam Boileau / Metlstorm



Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#394025; Package asterisk.


Acknowledgement sent to Ben Hutchings <ben@decadent.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>.


Message #10 received at 394025@bugs.debian.org:

From: Ben Hutchings <ben@decadent.org.uk>
To: 394025@bugs.debian.org, control@bugs.debian.org
Subject: Re: Remote compromise
Date: Fri, 20 Oct 2006 02:23:33 +0100
forwarded 394025 http://bugs.digium.com/view.php?id=7770
tags 394025 + patch
thanks

I'm adding a reference to the upstream bug report in case you really
want to read further details of this clusterfuck.

The upstream change is simply:

--- asterisk-1.2.12.1/channels/chan_skinny.c
+++ asterisk-1.2.13/channels/chan_skinny.c
@@ -2863,6 +2863,10 @@
 			return -1;
 		}
 		dlen = letohl(*(int *)s->inbuf);
+		if (dlen < 0) {
+			ast_log(LOG_WARNING, "Skinny Client sent invalid data.\n");
+			return -1;
+		}
 		if (dlen+8 > sizeof(s->inbuf)) {
 			dlen = sizeof(s->inbuf) - 8;
 		}
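Review bot: on the clamp line that follows the new check, `dlen+8 > sizeof(s->inbuf)`, the addition is still done in signed int (the value comes from `letohl(*(int *)s->inbuf)`), so for `dlen` within 8 of INT_MAX it is signed overflow, which the C standard leaves undefined rather than guaranteeing a wrap to a negative value; `(size_t)dlen > sizeof(s->inbuf) - 8` checks the same bound with no addition and no reliance on wraparound. Separately, the clamp carries on with a truncated length instead of returning -1 the way the new `dlen < 0` branch does; an oversized frame then leaves its unread tail in the stream to be parsed as the next header, so rejecting both cases the same way would be more consistent.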
-- END --

The new test deals with the case where dlen is negative.  If dlen is a
large positive value the sum dlen+8 can overflow to become negative, but
thankfully it's compared with an unsigned value (type size_t is always
unsigned) so it will be implicitly converted to a large positive value
and replaced by the maximum acceptable length, as intended.

However, looking over this function, I realised there was another bug
right in front of me (reported upstream as
<http://bugs.digium.com/view.php?id=8186>).  The call to
ast_mutex_unlock() is unmatched; there's no way the calling thread can
hold the lock at this point, and nor should it (skinnysession::inbuf
isn't shared between multiple threads).  So I believe it should be
deleted.

Patch for sid:

--- asterisk-1.2.12.1.dfsg/channels/chan_skinny.c.orig	2006-10-19 23:05:19.000000000 +0000
+++ asterisk-1.2.12.1.dfsg/channels/chan_skinny.c	2006-10-19 23:43:34.000000000 +0000
@@ -2863,12 +2863,15 @@
 			return -1;
 		}
 		dlen = letohl(*(int *)s->inbuf);
+		if (dlen < 0) {
+			ast_log(LOG_WARNING, "Skinny Client sent invalid data.\n");
+			return -1;
+		}
 		if (dlen+8 > sizeof(s->inbuf)) {
 			dlen = sizeof(s->inbuf) - 8;
 		}
 		*(int *)s->inbuf = htolel(dlen);
 		res = read(s->fd, s->inbuf+4, dlen+4);
-		ast_mutex_unlock(&s->lock);
 		if (res != (dlen+4)) {
 			ast_log(LOG_WARNING, "Skinny Client sent less data than expected.\n");
 			return -1;
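Review bot: `if (res != (dlen+4))` after the `read()` treats a short read as a client error, but on a stream socket `read()` can legitimately return fewer than `dlen+4` bytes when a frame arrives in more than one segment, so a well-behaved client sending a larger message gets "Skinny Client sent less data than expected" and is dropped; loop on `read()` until `dlen+4` bytes have been collected (or EOF/error) before comparing. Removing `ast_mutex_unlock(&s->lock)` is correct only if nothing earlier in get_input() takes `s->lock`; that is not visible in this hunk, so please confirm against the whole function and say so in the changelog.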
-- END --

For sarge, there are two more problems:
1. The length is assumed to be in host byte order.
2. get_input() doesn't write back the modified length, so
skinny_req_parse() uses the original length.

I've combined the above changes with fixes for these:

--- asterisk-1.0.7.dfsg.1/channels/chan_skinny.c.orig	2006-10-20 00:10:49.000000000 +0000
+++ asterisk-1.0.7.dfsg.1/channels/chan_skinny.c	2006-10-20 00:16:37.000000000 +0000
@@ -2304,11 +2304,15 @@
 			ast_log(LOG_WARNING, "Skinny Client sent less data than expected.\n");
 			return -1;
 		}
-		dlen = *(int *)s->inbuf;
+		dlen = letohl(*(int *)s->inbuf);
+		if (dlen < 0) {
+			ast_log(LOG_WARNING, "Skinny Client sent invalid data.\n");
+			return -1;
+		}
 		if (dlen+8 > sizeof(s->inbuf))
 			dlen = sizeof(s->inbuf) - 8;
+		*(int *)s->inbuf = htolel(dlen);
 		res = read(s->fd, s->inbuf+4, dlen+4);
-		ast_mutex_unlock(&s->lock);
 		if (res != (dlen+4)) {
 			ast_log(LOG_WARNING, "Skinny Client sent less data than expected.\n");
 			return -1;
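Review bot: this hunk swaps `dlen = *(int *)s->inbuf;` for `letohl(...)` and adds `htolel()` on the write-back, but nothing shows that either macro exists in the 1.0.7 tree, so the build should be checked before upload; if they are missing the compile fails rather than failing safe. Also, once the clamped value is written back with `*(int *)s->inbuf = htolel(dlen)`, the header in inbuf becomes the value later code trusts, which is the point of the change and deserves a comment on that line.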
@@ -2328,7 +2332,7 @@
 	}
 	memset(req, 0, sizeof(skinny_req));
 	/* +8 to account for reserved and length fields */
-	memcpy(req, s->inbuf, *(int*)(s->inbuf)+8); 
+	memcpy(req, s->inbuf, letohl(*(int*)(s->inbuf))+8); 
 	if (req->e < 0) {
 		ast_log(LOG_ERROR, "Event Message is NULL from socket %d, This is bad\n", s->fd);
 		free(req);
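Review bot: `memcpy(req, s->inbuf, letohl(*(int*)(s->inbuf))+8)` copies a length this function never checks; it is safe only because get_input() wrote the clamped value back into the header. Given that `req` was just cleared with `memset(req, 0, sizeof(skinny_req))`, a local bound such as `if (len + 8 > sizeof(skinny_req))` that frees `req` and bails out before the copy would make skinny_req_parse() safe on its own. Note too that the `if (req->e < 0)` test runs after the memcpy, so it cannot guard the copy.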
-- END --

These changes are untested, beyond verifying that the packages still
build.  I attempted a simple denial of service with the following Python
code:

import socket
# Header claims a length of 0xFFFFFFFA, i.e. -6 as a little-endian signed
# int: dlen+8 passes the size check, but dlen+4 reaches read() as a huge
# unsigned count.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0)
s.connect(('127.0.0.1', 2000))
s.send(b'\xFA\xFF\xFF\xFF')
junk = b'\xDE\xAD\xBE\xEF' * 1024
try:
    while True:
        s.send(junk)
except (BrokenPipeError, ConnectionResetError):
    pass  # Asterisk dropped the connection

However, the second read() call in get_input() fails immediately with
EFAULT, which I should have expected, and the connection is
dropped.  Since Linux's read() verifies that the entire length of the
buffer is writeable before modifying any of it, I'm not convinced that
this is actually exploitable on Linux.

Ben.

-- 
Ben Hutchings -- ben@decadentplace.org.uk shortened to ben@decadent.org.uk
If you've signed my GPG key, please send a signature on and to the new uid.
Experience is what causes a person to make new mistakes instead of old ones.
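Ben's reasoning about the signed comparison, worked through as an added example that is not code from the bug report or from Asterisk: a small model of get_input()'s length handling before and after the upstream check, fed the FA FF FF FF header from the denial-of-service attempt. sizeof(s->inbuf) is not given in the bug log, so INBUF_SIZE is an assumed value; the result does not depend on it. The scan over a range of header values goes beyond the single value in the message and shows exactly which lengths slip past the unfixed clamp.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example: a model of the length handling in chan_skinny's get_input(),
 * not Asterisk code. sizeof(s->inbuf) is not given in the bug log, so
 * INBUF_SIZE is an assumed value; only the comparisons matter here. */
#define INBUF_SIZE 1024u

struct outcome {
    int proceeds;       /* 1 if read() would be reached, 0 if the frame is rejected */
    size_t read_count;  /* the count argument read() would be given */
};

/* The clamp as written: "if (dlen+8 > sizeof(s->inbuf)) dlen = sizeof(s->inbuf) - 8;".
 * Summed in 64 bits so the model has no signed overflow of its own; a negative
 * sum converts to a huge size_t exactly as the int sum does in the real code. */
static int32_t clamp_len(int32_t dlen)
{
    int64_t sum = (int64_t)dlen + 8;
    if ((size_t)sum > INBUF_SIZE)
        return (int32_t)(INBUF_SIZE - 8);
    return dlen;
}

/* Unfixed get_input(): a negative dlen is never considered. */
struct outcome check_unfixed(int32_t dlen)
{
    struct outcome o;
    dlen = clamp_len(dlen);
    o.proceeds = 1;
    o.read_count = (size_t)(dlen + 4);   /* read(s->fd, s->inbuf+4, dlen+4) */
    return o;
}

/* Fixed get_input(): the added "if (dlen < 0) return -1;" runs first. */
struct outcome check_fixed(int32_t dlen)
{
    struct outcome o = {0, 0};
    if (dlen < 0)
        return o;                        /* "Skinny Client sent invalid data." */
    dlen = clamp_len(dlen);
    o.proceeds = 1;
    o.read_count = (size_t)(dlen + 4);
    return o;
}

/* The read overflows if it asks for more than the space left after s->inbuf+4. */
int overflows(struct outcome o)
{
    return o.proceeds && o.read_count > INBUF_SIZE - 4;
}

/* Count header values in [lo, hi] that reach read() with an oversized count. */
int count_overflowing(struct outcome (*variant)(int32_t), int32_t lo, int32_t hi)
{
    int n = 0;
    for (int64_t v = lo; v <= hi; v++)
        n += overflows(variant((int32_t)v));
    return n;
}

/* Skinny lengths are little-endian on the wire; decode four header bytes the
 * way letohl() does, independent of host byte order. The unsigned-to-signed
 * cast is what "*(int *)s->inbuf" yields on a two's-complement host. */
int32_t wire_length(unsigned b0, unsigned b1, unsigned b2, unsigned b3)
{
    uint32_t u = (uint32_t)b0 | (uint32_t)b1 << 8 | (uint32_t)b2 << 16 | (uint32_t)b3 << 24;
    return (int32_t)u;
}

int main(void)
{
    /* The header bytes from the denial-of-service attempt in the bug log. */
    int32_t dlen = wire_length(0xFA, 0xFF, 0xFF, 0xFF);
    struct outcome u = check_unfixed(dlen), f = check_fixed(dlen);

    printf("dlen=%d: unfixed reaches read() with count %zu; fixed %s\n",
           dlen, u.read_count, f.proceeds ? "reaches read()" : "rejects the frame");
    for (int32_t v = -12; v <= 0; v++)
        printf("dlen=%4d  dlen+8=%4d  unfixed overflow=%d\n", v, v + 8, overflows(check_unfixed(v)));
    printf("overflowing lengths in [-1000000, 1000000]: unfixed=%d fixed=%d\n",
           count_overflowing(check_unfixed, -1000000, 1000000),
           count_overflowing(check_fixed, -1000000, 1000000));
    return 0;
}
```

Only four header values (-8 through -5) get through the unfixed clamp with an oversized count: anything at or below -9 makes dlen+8 negative, which the size_t comparison sees as huge and clamps, and -4 yields a zero-length read. That narrow window is why a single carefully chosen header is enough, and why the one-line `dlen < 0` check closes it.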

Noted your statement that Bug has been forwarded to http://bugs.digium.com/view.php?id=7770. Request was from Ben Hutchings <ben@decadent.org.uk> to control@bugs.debian.org.


Tags added: patch. Request was from Ben Hutchings <ben@decadent.org.uk> to control@bugs.debian.org.


Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#394025; Package asterisk.


Acknowledgement sent to Ben Hutchings <ben@decadent.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>.


Message #19 received at 394025@bugs.debian.org:

From: Ben Hutchings <ben@decadent.org.uk>
To: 394025@bugs.debian.org
Subject: Re: my patch
Date: Sat, 21 Oct 2006 18:44:48 +0000
Upstream confirmed that the ast_mutex_unlock() is bogus.

Ben.

-- 
Ben Hutchings -- ben@decadentplace.org.uk shortened to ben@decadent.org.uk
If you've signed my GPG key, please send a signature on and to the new uid.
In a hierarchy, every employee tends to rise to his level of incompetence.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#394025; Package asterisk.


Acknowledgement sent to Ben Hutchings <ben@decadent.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>.


Message #24 received at 394025@bugs.debian.org:

From: Ben Hutchings <ben@decadent.org.uk>
To: 394025@bugs.debian.org
Subject: Re: Remote compromise
Date: Mon, 23 Oct 2006 00:41:54 +0100
The submitter sent me private mail, telling me:
- a little more explanation of how this can be exploited
- that this is exploitable in a stock installation in sarge
- that read() can overwrite part of the buffer before returning EFAULT
- that company policy forbids him from providing a working exploit

I think we'll have to work on the basis that the upstream fix is
necessary and sufficient.

Ben.

-- 
Ben Hutchings -- ben@decadentplace.org.uk shortened to ben@decadent.org.uk
If you've signed my GPG key, please send a signature on and to the new uid.
Sturgeon's Law: Ninety percent of everything is crap.

Tags added: pending. Request was from Mark Purcell <msp@debian.org> to control@bugs.debian.org.


Reply sent to Mark Purcell <msp@debian.org>:
You have taken responsibility.


Notification sent to Metlstorm <metlstorm@storm.net.nz>:
Bug acknowledged by developer.


Message #31 received at 394025-close@bugs.debian.org:

From: Mark Purcell <msp@debian.org>
To: 394025-close@bugs.debian.org
Subject: Bug#394025: fixed in asterisk 1:1.2.13~dfsg-1
Date: Tue, 24 Oct 2006 23:32:19 -0700
Source: asterisk
Source-Version: 1:1.2.13~dfsg-1

We believe that the bug you reported is fixed in the latest version of
asterisk, which is due to be installed in the Debian FTP archive:

asterisk-bristuff_1.2.13~dfsg-1_i386.deb
  to pool/main/a/asterisk/asterisk-bristuff_1.2.13~dfsg-1_i386.deb
asterisk-classic_1.2.13~dfsg-1_i386.deb
  to pool/main/a/asterisk/asterisk-classic_1.2.13~dfsg-1_i386.deb
asterisk-config_1.2.13~dfsg-1_all.deb
  to pool/main/a/asterisk/asterisk-config_1.2.13~dfsg-1_all.deb
asterisk-dev_1.2.13~dfsg-1_all.deb
  to pool/main/a/asterisk/asterisk-dev_1.2.13~dfsg-1_all.deb
asterisk-doc_1.2.13~dfsg-1_all.deb
  to pool/main/a/asterisk/asterisk-doc_1.2.13~dfsg-1_all.deb
asterisk-h423_1.2.13~dfsg-1_i386.deb
  to pool/main/a/asterisk/asterisk-h423_1.2.13~dfsg-1_i386.deb
asterisk-sounds-main_1.2.13~dfsg-1_all.deb
  to pool/main/a/asterisk/asterisk-sounds-main_1.2.13~dfsg-1_all.deb
asterisk-web-vmail_1.2.13~dfsg-1_all.deb
  to pool/main/a/asterisk/asterisk-web-vmail_1.2.13~dfsg-1_all.deb
asterisk_1.2.13~dfsg-1.diff.gz
  to pool/main/a/asterisk/asterisk_1.2.13~dfsg-1.diff.gz
asterisk_1.2.13~dfsg-1.dsc
  to pool/main/a/asterisk/asterisk_1.2.13~dfsg-1.dsc
asterisk_1.2.13~dfsg-1_all.deb
  to pool/main/a/asterisk/asterisk_1.2.13~dfsg-1_all.deb
asterisk_1.2.13~dfsg.orig.tar.gz
  to pool/main/a/asterisk/asterisk_1.2.13~dfsg.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 394025@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mark Purcell <msp@debian.org> (supplier of updated asterisk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 25 Oct 2006 06:46:52 +0100
Source: asterisk
Binary: asterisk-h423 asterisk-web-vmail asterisk asterisk-classic asterisk-dev asterisk-doc asterisk-sounds-main asterisk-bristuff asterisk-config
Architecture: source all i386
Version: 1:1.2.13~dfsg-1
Distribution: unstable
Urgency: high
Maintainer: Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>
Changed-By: Mark Purcell <msp@debian.org>
Description: 
 asterisk   - Open Source Private Branch Exchange (PBX)
 asterisk-bristuff - Open Source Private Branch Exchange (PBX) - BRIstuff-enabled vers
 asterisk-classic - Open Source Private Branch Exchange (PBX) - original Digium versi
 asterisk-config - config files for asterisk
 asterisk-dev - development files for asterisk
 asterisk-doc - documentation for asterisk
 asterisk-h423 - asterisk H.323 VoIP channel
 asterisk-sounds-main - sound files for asterisk
 asterisk-web-vmail - Web-based (CGI) voice mail interface for Asterisk
Closes: 338116 342138 348194 375141 386113 389376 394025 394122 395080
Changes: 
 asterisk (1:1.2.13~dfsg-1) unstable; urgency=high
 .
   [ Kilian Krause ]
   * Fixup dfsg versions with increased upstream build count.
 .
   [ Santiago Ruano Rincón ]
   * Added cdr_sqlite3_custom dpatch
 .
   [ Mark Purcell ]
   * New upstream release
     - Remote compromise (Closes: #394025)
     - CVE-2006-5444/5:security issues in asterisk (Closes: #395080)
     - Urgency high as this fixes remote compromise security issue
     - Information disclosure of voice mail messages through vmail.cgi
     (Closes: #338116)
     - package asterisk-dev should contain asterisk.h main header (Closes:
     #342138)
     - format_ogg_vorbis.so was present in i386, no longer in packages
     (Closes: #375141)
   * Update debian/patches/bristuff.dpatch
   * bristuff-0.3.0-PRE-1v
     - Please package bristuff 0.3.0PREu (Closes: #394122)
     - please include app_pickup.c from bristuff (Closes: #348194)
   * Build Depends: dpkg ( >= 1.13.19)
     - Asterisk must build-depend upon dpkg ( >= 1.13.19) (Closes: #386113)
   * Build-Depends: libpq-dev
     - obsolete build dependency postgresql-dev (Closes: #389376)
Files: 
 14426527db1c7abf12a02b745cae91b0 1395 comm optional asterisk_1.2.13~dfsg-1.dsc
 f8ee088b2e4feffe2b35d78079f90b69 3835589 comm optional asterisk_1.2.13~dfsg.orig.tar.gz
 a75d403e861600e0a50e5d3f5688985f 173367 comm optional asterisk_1.2.13~dfsg-1.diff.gz
 e9a80c1e404ac596ba7c31074e348e7b 145536 comm optional asterisk_1.2.13~dfsg-1_all.deb
 73d0100ba93d2f1193c9e227be83d8e5 19121500 doc optional asterisk-doc_1.2.13~dfsg-1_all.deb
 f25a5e8e52b262c07d3645024f6e1b14 168992 devel optional asterisk-dev_1.2.13~dfsg-1_all.deb
 189167a3c013dda5bb26b80c1518f313 1503672 comm optional asterisk-sounds-main_1.2.13~dfsg-1_all.deb
 0d31a0872756006e310c64e171f1e268 72796 comm optional asterisk-web-vmail_1.2.13~dfsg-1_all.deb
 ecae111f8aa9e43ee65e31dcac7e0e3b 130726 comm optional asterisk-config_1.2.13~dfsg-1_all.deb
 8da1c58282bcfccc944ab62f3f35321a 1614394 comm optional asterisk-classic_1.2.13~dfsg-1_i386.deb
 0e6df112a50fb2d859e713e2a1922c95 1647624 comm optional asterisk-bristuff_1.2.13~dfsg-1_i386.deb
 46e7f3bf3fbbfb248fc20ae839b7a854 129878 comm optional asterisk-h423_1.2.13~dfsg-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFFPv4ToCzanz0IthIRAlenAJ9wJZlZlwJB7pGtrhrC916T9FZprACfYtx+
fpIysXNrCHdbPtaFLWqZfL8=
=y4D5
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#394025; Package asterisk.


Acknowledgement sent to Brandon Kruse <bkruse@digium.com>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>.


Message #36 received at 394025@bugs.debian.org:

From: Brandon Kruse <bkruse@digium.com>
To: 394025@bugs.debian.org
Date: Sun, 5 Nov 2006 13:19:56 -0600 (CST)
This bug has been resolved, and is only active if you load chan_skinny by default.

This does NOT affect Asterisk Business Edition.

If you don't want to mess around with the modules.conf and noload, update to 1.2.13; all the "security fixes" are applied on that release.
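The modules.conf workaround Brandon refers to, written out as an added example that is not part of the bug log. The path is the Debian default and the section and `noload` syntax are Asterisk's own; the comment lines are this example's, not the project's.

```ini
; /etc/asterisk/modules.conf (added example, not from the bug log):
; with autoload=yes every module in the modules directory is loaded at
; startup unless it is listed under noload, so this single line keeps
; chan_skinny and its TCP port 2000 listener out of an Asterisk that
; cannot yet be upgraded to 1.2.13 / 1.0.12.
[modules]
autoload=yes
noload => chan_skinny.so
```

After restarting Asterisk, confirm nothing is listening on TCP port 2000 before relying on this; the fix in 1.2.13 remains the real remedy.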





Changed Bug title. Request was from Ben Hutchings <ben@decadent.org.uk> to control@bugs.debian.org.


Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#394025; Package asterisk.


Acknowledgement sent to Ben Hutchings <ben@decadent.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>.


Message #43 received at 394025@bugs.debian.org:

From: Ben Hutchings <ben@decadent.org.uk>
To: 394025@bugs.debian.org
Subject: Re: CVE-2006-5444: Remote compromise in chan_skinny
Date: Sat, 25 Nov 2006 17:20:59 +0000
Enough stalling.  Here's a debdiff for a sarge security update.  I have
tested that the warning message is certainly triggered by the bogus
length values Adam found.  I *think* the bug may only be exploitable on
64-bit systems, as read() calls seem to fail immediately where the
length would result in wrapping around the virtual address space.  I
don't have a 64-bit system to test on.

I removed the letohl() calls because the function doesn't exist in
Asterisk 1.0.7 and it wouldn't fix the whole problem (and I don't know
quite what would need to be changed to do so).  If any of the so-called
"maintainers" actually care about this package they could perhaps
arrange to disable chan_skinny on big-endian platforms in this security
update, since it can't work properly and the endian bugs might pose
other security problems.

Ben.

diff -u asterisk-1.0.7.dfsg.1/debian/patches/00list asterisk-1.0.7.dfsg.1/debian/patches/00list
--- asterisk-1.0.7.dfsg.1/debian/patches/00list
+++ asterisk-1.0.7.dfsg.1/debian/patches/00list
@@ -18,0 +19,1 @@
+99_CVE-2006-5444.dpatch
diff -u asterisk-1.0.7.dfsg.1/debian/changelog asterisk-1.0.7.dfsg.1/debian/changelog
--- asterisk-1.0.7.dfsg.1/debian/changelog
+++ asterisk-1.0.7.dfsg.1/debian/changelog
@@ -1,3 +1,12 @@
+asterisk (1:1.0.7.dfsg.1-2sarge4) stable-security; urgency=high
+
+  * Non-maintainer upload
+  * Backported fix for buffer overflow in chan_skinny driver
+    induced by an undetected integer underflow
+    [debian/patches/99_CVE-2006-5444.dpatch] (Closes: #394025)
+
+ -- Ben Hutchings <ben@decadent.org.uk>  Sat, 25 Nov 2006 16:12:26 +0000
+
 asterisk (1:1.0.7.dfsg.1-2sarge3) stable-security; urgency=high
 
   * Non-maintainer upload by the Security Team
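Review bot: the changelog entry describes the bug as "induced by an undetected integer underflow", but nothing in the accompanying dpatch underflows; the added check is `if (dlen < 0)`, i.e. a negative header length that the `dlen+8` comparison lets through and that then reaches `read()` as a huge unsigned count. "Negative length" or "signedness error" would describe it accurately, and the stable changelog is the line users will read.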
only in patch4:
unchanged:
--- asterisk-1.0.7.dfsg.1.orig/debian/patches/99_CVE-2006-5444.dpatch
+++ asterisk-1.0.7.dfsg.1/debian/patches/99_CVE-2006-5444.dpatch
@@ -0,0 +1,27 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 99_CVE-2006-5444.dpatch by <ben@decadent.org.uk>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix buffer overflow in chan_skinny driver induced by an undetected
+## DP: integer underflow (CVE-2006-5444).
+## DP: Remove bogus mutex unlock in case it can cause denial of service.
+
+@DPATCH@
+--- asterisk-1.0.7.dfsg.1/channels/chan_skinny.c.orig	2006-10-20 00:10:49.000000000 +0000
++++ asterisk-1.0.7.dfsg.1/channels/chan_skinny.c	2006-10-20 00:16:37.000000000 +0000
+@@ -2305,10 +2305,14 @@
+ 			return -1;
+ 		}
+ 		dlen = *(int *)s->inbuf;
++		if (dlen < 0) {
++			ast_log(LOG_WARNING, "Skinny Client sent invalid data.\n");
++			return -1;
++		}
+ 		if (dlen+8 > sizeof(s->inbuf))
+ 			dlen = sizeof(s->inbuf) - 8;
++		*(int *)s->inbuf = dlen;
+ 		res = read(s->fd, s->inbuf+4, dlen+4);
+-		ast_mutex_unlock(&s->lock);
+ 		if (res != (dlen+4)) {
+ 			ast_log(LOG_WARNING, "Skinny Client sent less data than expected.\n");
+ 			return -1;
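Review bot: the `## DP:` lines cover the negative-length check and the unlock removal but not the endian decision: this hunk keeps `dlen = *(int *)s->inbuf;` in host byte order and writes it back as `*(int *)s->inbuf = dlen;`, where the October version of the same patch used `letohl()`/`htolel()`, so on a big-endian host a small little-endian wire length decodes as a large positive value and is clamped rather than read correctly; state that limitation in the DP: header. The write-back is also what allows the skinny_req_parse() memcpy hunk from the October patch to be dropped, since that memcpy now picks up the clamped value from the header; a one-line DP: note saying so would stop the next backporter from re-adding it.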
-- END --

-- 
Ben Hutchings
Tomorrow will be cancelled due to lack of interest.
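Two limits Ben names in this thread, the host-byte-order length left in the sarge backport and the short read() that get_input() treats as an error, both disappear if the frame reader decodes the wire bytes itself and loops until the frame is complete. The following is an added example written for this page, not Asterisk or Debian code: INBUF_SIZE and the frame bytes are constructed assumptions, and the reader is exercised through a pipe so it runs offline.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>

/* Added example, not Asterisk or Debian code: a get_input()-style frame reader
 * that decodes the Skinny length from the wire bytes (same result on big- and
 * little-endian hosts), rejects negative and oversized lengths instead of
 * clamping, and loops until the whole frame has arrived. INBUF_SIZE is an
 * assumed value; sizeof(s->inbuf) is not given in the bug log. */
#define INBUF_SIZE 1024

enum frame_status {
    FRAME_OK = 0,
    FRAME_EOF = 1,          /* clean close before any header byte */
    FRAME_BAD_LENGTH = -1,  /* negative or larger than the buffer: drop the session */
    FRAME_IO_ERROR = -2,
    FRAME_TRUNCATED = -3    /* peer closed mid-frame */
};

/* read() exactly n bytes, tolerating the short reads a stream socket can give.
 * Returns n on success, the bytes collected before EOF, or -1 on error. */
static ssize_t read_exact(int fd, unsigned char *buf, size_t n)
{
    size_t got = 0;
    while (got < n) {
        ssize_t r = read(fd, buf + got, n - got);
        if (r < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        if (r == 0)
            break;
        got += (size_t)r;
    }
    return (ssize_t)got;
}

/* One Skinny frame: 4-byte little-endian length, 4 reserved bytes, then
 * `length` bytes of message. On FRAME_OK the whole frame (length + 8 bytes)
 * is in inbuf and *frame_len holds that size. */
enum frame_status read_skinny_frame(int fd, unsigned char *inbuf, size_t inbuf_size, size_t *frame_len)
{
    ssize_t r = read_exact(fd, inbuf, 4);
    if (r < 0)
        return FRAME_IO_ERROR;
    if (r == 0)
        return FRAME_EOF;
    if (r != 4)
        return FRAME_TRUNCATED;

    /* Decode unsigned: a set sign bit is a "negative" length and is refused
     * along with anything that would not fit after the 8 header bytes. */
    uint32_t len = (uint32_t)inbuf[0] | (uint32_t)inbuf[1] << 8 |
                   (uint32_t)inbuf[2] << 16 | (uint32_t)inbuf[3] << 24;
    if (len > INT32_MAX || len > inbuf_size - 8)
        return FRAME_BAD_LENGTH;

    r = read_exact(fd, inbuf + 4, (size_t)len + 4);
    if (r < 0)
        return FRAME_IO_ERROR;
    if ((size_t)r != (size_t)len + 4)
        return FRAME_TRUNCATED;
    *frame_len = (size_t)len + 8;
    return FRAME_OK;
}

/* Push constructed bytes through a pipe so the reader can be exercised offline. */
enum frame_status run_on_bytes(const unsigned char *bytes, size_t n, size_t *frame_len)
{
    int fds[2];
    unsigned char inbuf[INBUF_SIZE];
    enum frame_status st;

    *frame_len = 0;
    if (pipe(fds) != 0)
        return FRAME_IO_ERROR;
    if (write(fds[1], bytes, n) != (ssize_t)n) {
        close(fds[0]);
        close(fds[1]);
        return FRAME_IO_ERROR;
    }
    close(fds[1]);  /* EOF follows the constructed bytes */
    st = read_skinny_frame(fds[0], inbuf, sizeof inbuf, frame_len);
    close(fds[0]);
    return st;
}

/* Accepted frame length, or the EOF/negative status code. */
long outcome_of(const unsigned char *bytes, size_t n)
{
    size_t frame_len;
    enum frame_status st = run_on_bytes(bytes, n, &frame_len);
    return st == FRAME_OK ? (long)frame_len : (long)st;
}

/* Constructed inputs, not captured traffic. */
static const unsigned char GOOD_FRAME[]      = { 0x04, 0, 0, 0,  0, 0, 0, 0,  1, 2, 3, 4 };           /* length 4 */
static const unsigned char NEGATIVE_LENGTH[] = { 0xFA, 0xFF, 0xFF, 0xFF,  0, 0, 0, 0,  1, 2, 3, 4 }; /* -6 */
static const unsigned char SHORT_FRAME[]     = { 0x10, 0, 0, 0,  0, 0, 0, 0,  1, 2 };                /* claims 16 bytes, sends 2 */
static const unsigned char HUGE_LENGTH[]     = { 0, 0, 0x01, 0,  0, 0, 0, 0 };                       /* 65536, larger than inbuf */

int main(void)
{
    printf("good frame:         %ld\n", outcome_of(GOOD_FRAME, sizeof GOOD_FRAME));           /* 12 */
    printf("FA FF FF FF header: %ld\n", outcome_of(NEGATIVE_LENGTH, sizeof NEGATIVE_LENGTH)); /* -1 */
    printf("short frame:        %ld\n", outcome_of(SHORT_FRAME, sizeof SHORT_FRAME));         /* -3 */
    printf("oversized length:   %ld\n", outcome_of(HUGE_LENGTH, sizeof HUGE_LENGTH));         /* -1 */
    return 0;
}
```

Decoding the length as an unsigned value and refusing anything with the sign bit set avoids the signed arithmetic entirely, which is why no clamp and no `dlen+8` comparison are needed; the cost is that an oversized frame closes the session rather than being silently truncated, which is the safer default for an unauthenticated listener.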

Reply sent to Ben Hutchings <ben@decadent.org.uk>:
You have taken responsibility.


Notification sent to Metlstorm <metlstorm@storm.net.nz>:
Bug acknowledged by developer.


Message #48 received at 394025-close@bugs.debian.org:

From: Ben Hutchings <ben@decadent.org.uk>
To: 394025-close@bugs.debian.org
Subject: Bug#394025: fixed in asterisk 1:1.0.7.dfsg.1-2sarge4
Date: Sat, 17 Feb 2007 12:09:53 +0000
Source: asterisk
Source-Version: 1:1.0.7.dfsg.1-2sarge4

We believe that the bug you reported is fixed in the latest version of
asterisk, which is due to be installed in the Debian FTP archive:

asterisk-config_1.0.7.dfsg.1-2sarge4_all.deb
  to pool/main/a/asterisk/asterisk-config_1.0.7.dfsg.1-2sarge4_all.deb
asterisk-dev_1.0.7.dfsg.1-2sarge4_all.deb
  to pool/main/a/asterisk/asterisk-dev_1.0.7.dfsg.1-2sarge4_all.deb
asterisk-doc_1.0.7.dfsg.1-2sarge4_all.deb
  to pool/main/a/asterisk/asterisk-doc_1.0.7.dfsg.1-2sarge4_all.deb
asterisk-gtk-console_1.0.7.dfsg.1-2sarge4_powerpc.deb
  to pool/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge4_powerpc.deb
asterisk-h423_1.0.7.dfsg.1-2sarge4_powerpc.deb
  to pool/main/a/asterisk/asterisk-h423_1.0.7.dfsg.1-2sarge4_powerpc.deb
asterisk-sounds-main_1.0.7.dfsg.1-2sarge4_all.deb
  to pool/main/a/asterisk/asterisk-sounds-main_1.0.7.dfsg.1-2sarge4_all.deb
asterisk-web-vmail_1.0.7.dfsg.1-2sarge4_all.deb
  to pool/main/a/asterisk/asterisk-web-vmail_1.0.7.dfsg.1-2sarge4_all.deb
asterisk_1.0.7.dfsg.1-2sarge4.diff.gz
  to pool/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge4.diff.gz
asterisk_1.0.7.dfsg.1-2sarge4.dsc
  to pool/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge4.dsc
asterisk_1.0.7.dfsg.1-2sarge4_powerpc.deb
  to pool/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge4_powerpc.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 394025@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ben Hutchings <ben@decadent.org.uk> (supplier of updated asterisk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 25 Nov 2006 16:12:26 +0000
Source: asterisk
Binary: asterisk-sounds-main asterisk-h423 asterisk-web-vmail asterisk-gtk-console asterisk asterisk-config asterisk-dev asterisk-doc
Architecture: source all powerpc
Version: 1:1.0.7.dfsg.1-2sarge4
Distribution: stable-security
Urgency: high
Maintainer: Martin Schulze <joey@debian.org>
Changed-By: Ben Hutchings <ben@decadent.org.uk>
Description: 
 asterisk   - open source Private Branch Exchange (PBX)
 asterisk-config - config files for asterisk
 asterisk-dev - development files for asterisk
 asterisk-doc - documentation for asterisk
 asterisk-gtk-console - gtk based console for asterisk
 asterisk-h423 - asterisk H.323 VoIP channel
 asterisk-sounds-main - sound files for asterisk
 asterisk-web-vmail - web based (GCI) voice mail interface for asterisk
Closes: 394025
Changes: 
 asterisk (1:1.0.7.dfsg.1-2sarge4) stable-security; urgency=high
 .
   * Non-maintainer upload
   * Backported fix for buffer overflow in chan_skinny driver
     induced by an undetected integer underflow
     [debian/patches/99_CVE-2006-5444.dpatch] (Closes: #394025)
Files: 
 2441c1ccc8467ecefc45b58711b9602f 1259 comm optional asterisk_1.0.7.dfsg.1-2sarge4.dsc
 17c8aaae715230d9ea8d0485eb7cfe95 70588 comm optional asterisk_1.0.7.dfsg.1-2sarge4.diff.gz
 a5ddadc5ba22723d32a74a2bc4fb9dfc 1577766 doc optional asterisk-doc_1.0.7.dfsg.1-2sarge4_all.deb
 0fda6ac9d47e7d5bcd9786c7ab17ebd5 83382 devel optional asterisk-dev_1.0.7.dfsg.1-2sarge4_all.deb
 bf9fae8e20a5e299d1c24e5fce59ee96 1180298 comm optional asterisk-sounds-main_1.0.7.dfsg.1-2sarge4_all.deb
 eb425bfc6db224dd17346c0a03f06853 28378 comm optional asterisk-web-vmail_1.0.7.dfsg.1-2sarge4_all.deb
 84dd16720f492033c5c034b69f033f7f 61616 comm optional asterisk-config_1.0.7.dfsg.1-2sarge4_all.deb
 dae96f2c81168d452cd05b70316632db 1425172 comm optional asterisk_1.0.7.dfsg.1-2sarge4_powerpc.deb
 fafe504d906ab206c8c66c558ca866c5 21444 comm optional asterisk-h423_1.0.7.dfsg.1-2sarge4_powerpc.deb
 86982177ea3ab8dd23daa989e976c316 31166 comm optional asterisk-gtk-console_1.0.7.dfsg.1-2sarge4_powerpc.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFFaJM3W5ql+IAeqTIRAtQ5AJ9baVC7WlGwgHpihQOiwUROtMelAACePDmV
eDeXS9+NmIqzWnKXsWmaObY=
=VS7e
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Jun 2007 23:25:48 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:17:16 2019; Machine Name: buxtehude