Please take upstream D-Bus patches for CVE-2012-3524

Related Vulnerabilities: CVE-2012-3524, CVE-2012-4425

Debian Bug report logs - #689070


Reported by: Geoffrey Thomas <gthomas@mokafive.com>

Date: Fri, 28 Sep 2012 21:39:02 UTC

Severity: serious

Tags: security

Found in versions dbus/1.6.0-1, dbus/1.2.24-4+squeeze1

Fixed in versions dbus/1.6.8-1, dbus/1.2.24-4+squeeze2

Done: Simon McVittie <smcv@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#689070; Package dbus. (Fri, 28 Sep 2012 21:39:04 GMT) (full text, mbox, link).


Acknowledgement sent to Geoffrey Thomas <gthomas@mokafive.com>:
New Bug report received and forwarded. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Fri, 28 Sep 2012 21:39:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Geoffrey Thomas <gthomas@mokafive.com>
To: submit@bugs.debian.org
Subject: Please take upstream D-Bus patches for CVE-2012-3524
Date: Fri, 28 Sep 2012 14:30:37 -0700
Package: dbus
Severity: serious
Justification: local privilege escalation
Tags: security

Hi,

CVE-2012-3524 is about setuid binaries linking libdbus being easily 
trickable to do bad things via a malicious PATH (for finding dbus-launch), 
or through a DBUS_* address variable using the unixexec address type. 
Initially the D-Bus developers thought that this should be fixed on the 
application side (hence the comment in the security-tracker), but decided 
that it would be better to have a defense-in-depth approach, and change 
_dbus_getenv to not succeed if the current program is setuid or similar, 
since that's faster than patching every relevant program.

There's a patch in the D-Bus 1.6.6 release that implements this. Many 
other distros, including RHEL/Fedora, SUSE, and Ubuntu have taken this 
patch already. There are some other hardening things in the 1.6.6 release 
that broke gnome-keyring, prompting a 1.6.8 release a few hours later to 
revert those; you should either take 1.6.8, or just backport the four 
patches that weren't reverted in 1.6.8:

http://cgit.freedesktop.org/dbus/dbus/commit/?id=23fe78ceefb6cefcd58a49c77d1154b68478c8d2
http://cgit.freedesktop.org/dbus/dbus/commit/?id=4b351918b9f70eaedbdb3ab39208bc1f131efae0
http://cgit.freedesktop.org/dbus/dbus/commit/?id=57ae3670508bbf4ec57049de47c9cae727a64802
http://cgit.freedesktop.org/dbus/dbus/commit/?id=f68dbdc3e6f895012ce33939fb524accf31bcca5

I think these are all easily backportable, but I'm happy to supply a 
debdiff if that'd make it easier for you.

More discussion of the issue can be found at

https://bugs.freedesktop.org/show_bug.cgi?id=52202
https://bugzilla.novell.com/show_bug.cgi?id=697105
https://bugzilla.redhat.com/show_bug.cgi?id=847402
http://seclists.org/oss-sec/2012/q3/29

-- 
Geoffrey Thomas
gthomas@mokafive.com



Added tag(s) pending. Request was from Simon McVittie <smcv@debian.org> to control@bugs.debian.org. (Sat, 29 Sep 2012 12:27:03 GMT) (full text, mbox, link).


Reply sent to Simon McVittie <smcv@debian.org>:
You have taken responsibility. (Sat, 29 Sep 2012 13:51:11 GMT) (full text, mbox, link).


Notification sent to Geoffrey Thomas <gthomas@mokafive.com>:
Bug acknowledged by developer. (Sat, 29 Sep 2012 13:51:11 GMT) (full text, mbox, link).


Message #12 received at 689070-close@bugs.debian.org (full text, mbox, reply):

From: Simon McVittie <smcv@debian.org>
To: 689070-close@bugs.debian.org
Subject: Bug#689070: fixed in dbus 1.6.8-1
Date: Sat, 29 Sep 2012 13:47:38 +0000
Source: dbus
Source-Version: 1.6.8-1

We believe that the bug you reported is fixed in the latest version of
dbus, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 689070@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon McVittie <smcv@debian.org> (supplier of updated dbus package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Sat, 29 Sep 2012 13:25:50 +0100
Source: dbus
Binary: dbus dbus-x11 libdbus-1-3 dbus-1-doc libdbus-1-dev dbus-1-dbg
Architecture: source amd64 all
Version: 1.6.8-1
Distribution: unstable
Urgency: low
Maintainer: Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Description: 
 dbus       - simple interprocess messaging system (daemon and utilities)
 dbus-1-dbg - simple interprocess messaging system (debug symbols)
 dbus-1-doc - simple interprocess messaging system (documentation)
 dbus-x11   - simple interprocess messaging system (X11 deps)
 libdbus-1-3 - simple interprocess messaging system (library)
 libdbus-1-dev - simple interprocess messaging system (development headers)
Closes: 689070
Changes: 
 dbus (1.6.8-1) unstable; urgency=low
 .
   * Merge from experimental
   * New upstream stable release 1.6.6
     - CVE-2012-3524: mitigates arbitrary code execution in setuid or otherwise
       privileged binaries that use libdbus without first sanitizing the
       environment variables inherited from their less-privileged caller
       (Closes: #689070)
   * New upstream stable release 1.6.8
     - Revert part of 1.6.6 (do not check filesystem capabilities, only
       setuid/setgid), fixing regressions in certain configurations of
       gnome-keyring




Information forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#689070; Package dbus. (Sat, 29 Sep 2012 15:00:06 GMT) (full text, mbox, link).


Acknowledgement sent to Simon McVittie <smcv@debian.org>:
Extra info received and forwarded to list. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Sat, 29 Sep 2012 15:00:06 GMT) (full text, mbox, link).


Message #17 received at 689070@bugs.debian.org (full text, mbox, reply):

From: Simon McVittie <smcv@debian.org>
To: Geoffrey Thomas <gthomas@mokafive.com>, 689070@bugs.debian.org
Subject: Re: Bug#689070: Please take upstream D-Bus patches for CVE-2012-3524
Date: Sat, 29 Sep 2012 15:44:38 +0100
On Fri, 28 Sep 2012 at 14:30:37 -0700, Geoffrey Thomas wrote:
> CVE-2012-3524 is about setuid binaries linking libdbus being easily
> trickable to do bad things via a malicious PATH (for finding
> dbus-launch), or through a DBUS_* address variable using the
> unixexec address type.

This also affects reimplementations of D-Bus, most prominently GDBus
in GLib; src:dbus can't do anything to help those.

I believe the libdbus part of this CVE affects wheezy and certain unusual
squeeze configurations. The known vectors for privilege escalation are:

* tell libdbus (explicitly or via it being the session-bus default) to
  connect to autolaunch: which results in it exec'ing dbus-launch;
  have it not find dbus-launch in its configured ${bindir};
  have it find a malicious dbus-launch substitute in its $PATH

* tell libdbus to connect to unixexec:something-malicious

The former is only exploitable if there is no ${bindir}/dbus-launch.
On some distributions, D-Bus is configured with ${prefix} = /, but
dbus-launch is moved to /usr/bin by the packager because it depends on libX11.
As a result, libdbus tries /bin/dbus-launch, never finds it, and falls
back to searching the $PATH, where it hopefully finds /usr/bin/dbus-launch.

However, on Debian, we do the opposite: configure D-Bus with ${prefix} = /usr,
and move libdbus-1.so.3 into /lib in the packaging. As a result, the only
way to not find dbus-launch in /usr/bin is if you have libdbus-1-3 but not
dbus-x11. This mitigates the attack somewhat.

> Initially the D-Bus developers thought that
> this should be fixed on the application side (hence the comment in
> the security-tracker), but decided that it would be better to have a
> defense-in-depth approach, and change _dbus_getenv to not succeed if
> the current program is setuid or similar, since that's faster than
> patching every relevant program.

I still think this is an application bug - it's the application that
knows it is (or claims to be) setuid-safe - but yes, we should do both.

    S



Information forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#689070; Package dbus. (Sat, 29 Sep 2012 15:06:03 GMT) (full text, mbox, link).


Acknowledgement sent to Simon McVittie <smcv@debian.org>:
Extra info received and forwarded to list. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Sat, 29 Sep 2012 15:06:03 GMT) (full text, mbox, link).


Message #22 received at 689070@bugs.debian.org (full text, mbox, reply):

From: Simon McVittie <smcv@debian.org>
To: 689070@bugs.debian.org
Cc: Geoffrey Thomas <gthomas@mokafive.com>
Subject: Re: Bug#689070: Please take upstream D-Bus patches for CVE-2012-3524
Date: Sat, 29 Sep 2012 16:03:34 +0100
On 29/09/12 15:44, Simon McVittie wrote:
> I believe the libdbus part of this CVE affects wheezy and certain unusual
> squeeze configurations. The known vectors for privilege escalation are:
> 
> * tell libdbus (explicitly or via it being the session-bus default) to
>   connect to autolaunch: which results in it exec'ing dbus-launch;
>   have it not find dbus-launch in its configured ${bindir};
>   have it find a malicious dbus-launch substitute in its $PATH
> 
> * tell libdbus to connect to unixexec:something-malicious
> 
> The former is only exploitable if [... dbus-x11 is absent ...]

... and the latter is only exploitable in D-Bus 1.5.something or later,
because unixexec is a relatively new feature; so it affects wheezy but
not squeeze.

    S



Information forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#689070; Package dbus. (Sat, 29 Sep 2012 16:03:03 GMT) (full text, mbox, link).


Acknowledgement sent to Simon McVittie <smcv@debian.org>:
Extra info received and forwarded to list. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Sat, 29 Sep 2012 16:03:03 GMT) (full text, mbox, link).


Message #27 received at 689070@bugs.debian.org (full text, mbox, reply):

From: Simon McVittie <smcv@debian.org>
To: security@debian.org, 689070@bugs.debian.org
Subject: Re: Bug#689070: Please take upstream D-Bus patches for CVE-2012-3524
Date: Sat, 29 Sep 2012 16:58:55 +0100
On 28/09/12 22:30, Geoffrey Thomas wrote:
> CVE-2012-3524 is about setuid binaries linking libdbus being easily
> trickable to do bad things via a malicious PATH (for finding
> dbus-launch), or through a DBUS_* address variable using the unixexec
> address type.

Potentially-vulnerable binaries are anything that is setuid and links
either libdbus-1.so.3 (CVE-2012-3524), directly or via e.g.
libpam-systemd or libhal, or libgio-2.0.so.0 >= 2.26 (CVE-2012-4425).
squeeze's libgio-2.0 is too old to be vulnerable to this anyway (it
doesn't have a D-Bus implementation).

I consider patching the libraries to be defence-in-depth, rather than a
real solution: the real solution is for setuid binaries to clear their
caller-supplied environments before they call into non-trivial
libraries. Nevertheless, patching libdbus is the most expedient way to
become less exploitable.

Security team: do you want to handle this for squeeze as a security
update, or a normal stable update? I attach a proposed debdiff;
s/stable/stable-security/ if desired.

The "unixexec" attack vector for arbitrary code execution doesn't work
for squeeze, because that feature is too new. I believe the dbus-launch
attack vector for arbitrary code execution only works if you have
libdbus-1-3 and a vulnerable setuid binary that links it, but not
dbus-x11. There are also some less severe attack vectors involving
revealing part of a normally-unreadable file via the nonce-tcp
transport, or sending the beginning of a D-Bus handshake to a
normally-unavailable Unix socket; these will work in squeeze too.

The specific binaries I'm aware of that are likely to be vulnerable in
squeeze are:

* Xorg when linked to libhal and run via /usr/bin/X (only on non-Linux,
  because it isn't linked to libdbus any more on Linux; unconfirmed)

and in wheezy:

* Xorg on non-Linux, as in squeeze
* su with libpam-systemd (unconfirmed but likely)
* sudo with libpam-systemd (unconfirmed; might be unaffected,
  since it's pretty careful with its environment)
* spice-gtk (confirmed to be vulnerable to CVE-2012-4425,
  I opened #689155)

I haven't done a whole-archive scan or anything, though.

For sid, CVE-2012-3524 is fixed by dbus/1.6.8-1.

For wheezy, it will be fixed in 1.6.8-1 if the release team let it
migrate, and/or 1.6.0-2 (not yet uploaded) if they want to go via t-p-u.
See #689148 for the release-team interaction.

To help with testing, I attach a relatively harmless version of an
exploit for this vulnerability: it creates a vulnerable setuid-nobody
binary, and tries to use it to "escalate" privileges from the real user
to nobody. It requires sudo privileges to chown/chmod the vulnerable
binary, but does not use them for the actual exploit.

The good result is if you get syslog messages like this:

Sep 29 16:27:24 archetype cve-2012-3524: begin
Sep 29 16:27:24 archetype cve-2012-3524: end

A bad result looks more like this:

cve-2012-3524: begin
evil-dbus-launch-substitute: uid=1000(smcv) gid=1000(smcv)
euid=65534(nobody) ...
cve-2012-3524: end

(you'll get up to two evil-dbus-launch-substitute lines, depending which
version(s) of the attack worked).

Regards,
    S
[dbus_1.2.24-4+squeeze2_proposed.diff (text/x-patch, attachment)]
[cve-2012-3524.sh (application/x-shellscript, attachment)]
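
Added example, not code from this bug report, from D-Bus or from Debian: a C sketch of the two layers the thread discusses, the library-side guard in the shape of the 1.6.8 fix described in the first message (refuse to read the environment when real and effective ids differ, with no filesystem-capability check) and the application-side fix that McVittie's message above calls the real solution (a setuid program drops the caller-supplied DBUS_* and PATH variables before calling into libraries). The names process_is_setuid, safe_getenv, sanitize_environment and the TRUSTED_PATH value are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

extern char **environ;

/* Library side. The check as the bug describes the 1.6.8 state: compare
 * real and effective ids only; the 1.6.6 filesystem-capability check was
 * reverted because it broke gnome-keyring. */
int process_is_setuid(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Stand-in (hypothetical name) for a hardened _dbus_getenv(): in a
 * privileged process the caller-supplied environment is never consulted,
 * so a DBUS_* address or PATH cannot steer the library. is_setuid is
 * passed in explicitly so the privileged branch can be exercised from
 * an unprivileged test. */
const char *safe_getenv(int is_setuid, const char *name)
{
    if (is_setuid)
        return NULL;          /* behave as if the variable were unset */
    return getenv(name);
}

/* Application side: a setuid program discards what its caller handed it
 * before touching any non-trivial library. Only the two prefixes the
 * report names are dropped here; a real program would keep an allowlist.
 * PATH is replaced with a fixed value (assumed policy, not from the page). */
#define TRUSTED_PATH "PATH=/usr/bin:/bin"

static int is_caller_controlled(const char *entry)
{
    static const char *const drop[] = { "DBUS_", "PATH=", NULL };
    for (int i = 0; drop[i] != NULL; i++)
        if (strncmp(entry, drop[i], strlen(drop[i])) == 0)
            return 1;
    return 0;
}

/* Copies the safe entries of env_in into env_out (cap slots, including
 * the terminating NULL), appends TRUSTED_PATH, and returns the number of
 * entries kept, or -1 if they do not fit. */
int sanitize_environment(char *const *env_in, const char **env_out, size_t cap)
{
    size_t n = 0;
    for (size_t i = 0; env_in[i] != NULL; i++) {
        if (is_caller_controlled(env_in[i]))
            continue;
        if (n + 3 > cap)      /* this entry, PATH and the NULL must fit */
            return -1;
        env_out[n++] = env_in[i];
    }
    if (n + 2 > cap)
        return -1;
    env_out[n++] = TRUSTED_PATH;
    env_out[n] = NULL;
    return (int)n;
}

int main(void)
{
    const char *clean[256];
    int kept = sanitize_environment(environ, clean, 256);
    printf("setuid=%d kept=%d DBUS_SESSION_BUS_ADDRESS=%s\n",
           process_is_setuid(), kept,
           safe_getenv(process_is_setuid(), "DBUS_SESSION_BUS_ADDRESS")
               ? "visible" : "hidden");
    return 0;
}
```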

Marked as found in versions dbus/1.2.24-4+squeeze1. Request was from Simon McVittie <smcv@debian.org> to control@bugs.debian.org. (Sat, 29 Sep 2012 20:39:10 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#689070; Package dbus. (Mon, 01 Oct 2012 19:51:03 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Mon, 01 Oct 2012 19:51:03 GMT) (full text, mbox, link).


Message #34 received at 689070@bugs.debian.org (full text, mbox, reply):

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Simon McVittie <smcv@debian.org>
Cc: security@debian.org, 689070@bugs.debian.org
Subject: Re: Bug#689070: Please take upstream D-Bus patches for CVE-2012-3524
Date: Mon, 1 Oct 2012 21:50:06 +0200
On Sat, Sep 29, 2012 at 04:58:55PM +0100, Simon McVittie wrote:
> On 28/09/12 22:30, Geoffrey Thomas wrote:
> > CVE-2012-3524 is about setuid binaries linking libdbus being easily
> > trickable to do bad things via a malicious PATH (for finding
> > dbus-launch), or through a DBUS_* address variable using the unixexec
> > address type.
> 
> Potentially-vulnerable binaries are anything that is setuid and links
> either libdbus-1.so.3 (CVE-2012-3524), directly or via e.g.
> libpam-systemd or libhal, or libgio-2.0.so.0 >= 2.26 (CVE-2012-4425).
> squeeze's libgio-2.0 is too old to be vulnerable to this anyway (it
> doesn't have a D-Bus implementation).
> 
> I consider patching the libraries to be defence-in-depth, rather than a
> real solution: the real solution is for setuid binaries to clear their
> caller-supplied environments before they call into non-trivial
> libraries. Nevertheless, patching libdbus is the most expedient way to
> become less exploitable.
> 
> Security team: do you want to handle this for squeeze as a security
> update, or a normal stable update? I attach a proposed debdiff;
> s/stable/stable-security/ if desired.

Thanks for the verbose description of the situation. I had already
started to investigate this issue and your assessment agrees with
my findings so far.

The fix for stable can go in via stable-proposed-updates. 
 
Cheers,
        Moritz



Marked as found in versions dbus/1.6.0-1. Request was from Simon McVittie <smcv@debian.org> to control@bugs.debian.org. (Tue, 02 Oct 2012 07:21:04 GMT) (full text, mbox, link).


Reply sent to Simon McVittie <smcv@debian.org>:
You have taken responsibility. (Sat, 12 Jan 2013 23:51:06 GMT) (full text, mbox, link).


Notification sent to Geoffrey Thomas <gthomas@mokafive.com>:
Bug acknowledged by developer. (Sat, 12 Jan 2013 23:51:07 GMT) (full text, mbox, link).


Message #41 received at 689070-close@bugs.debian.org (full text, mbox, reply):

From: Simon McVittie <smcv@debian.org>
To: 689070-close@bugs.debian.org
Subject: Bug#689070: fixed in dbus 1.2.24-4+squeeze2
Date: Sat, 12 Jan 2013 23:47:04 +0000
Source: dbus
Source-Version: 1.2.24-4+squeeze2

We believe that the bug you reported is fixed in the latest version of
dbus, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 689070@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon McVittie <smcv@debian.org> (supplier of updated dbus package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Thu, 04 Oct 2012 08:47:10 +0100
Source: dbus
Binary: dbus dbus-x11 libdbus-1-3 dbus-1-doc libdbus-1-dev dbus-1-dbg
Architecture: source all i386
Version: 1.2.24-4+squeeze2
Distribution: squeeze
Urgency: low
Maintainer: Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Description: 
 dbus       - simple interprocess messaging system
 dbus-1-dbg - simple interprocess messaging system (debug symbols)
 dbus-1-doc - simple interprocess messaging system (documentation)
 dbus-x11   - simple interprocess messaging system (X11 deps)
 libdbus-1-3 - simple interprocess messaging system
 libdbus-1-dev - simple interprocess messaging system (development headers)
Closes: 689070
Changes: 
 dbus (1.2.24-4+squeeze2) stable; urgency=low
 .
   * CVE-2012-3524: apply patches from upstream 1.6.6 to avoid arbitrary
     code execution in setuid/setgid binaries that incorrectly use libdbus
     without first sanitizing the environment variables inherited from
     their less-privileged caller (Closes: #689070).
     - As per upstream 1.6.8, do not check filesystem capabilities for now,
       only setuid/setgid, fixing regressions in certain configurations of
       gnome-keyring




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Feb 2013 07:29:21 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:56:33 2019; Machine Name: beach
