CVE-2017-10791 CVE-2017-10792

Related Vulnerabilities: CVE-2017-10791, CVE-2017-10792

Debian Bug report logs - #866890
CVE-2017-10791 CVE-2017-10792


Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Sun, 2 Jul 2017 14:57:01 UTC

Severity: important

Tags: security, upstream

Found in version pspp/0.10.2-1

Fixed in version pspp/1.0.0-1

Done: Friedrich Beckmann <friedrich.beckmann@gmx.de>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Friedrich Beckmann <friedrich.beckmann@gmx.de>:
Bug#866890; Package pspp. (Sun, 02 Jul 2017 14:57:03 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Friedrich Beckmann <friedrich.beckmann@gmx.de>. (Sun, 02 Jul 2017 14:57:03 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2017-10791 CVE-2017-10792
Date: Sun, 02 Jul 2017 16:53:59 +0200
Package: pspp
Severity: important
Tags: security

This has been assigned CVE-2017-10791:
https://bugzilla.redhat.com/show_bug.cgi?id=1467004

This has been assigned CVE-2017-10792:
https://bugzilla.redhat.com/show_bug.cgi?id=1467005

Cheers,
        Moritz



Marked as found in versions pspp/0.10.2-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 02 Jul 2017 18:45:02 GMT) (full text, mbox, link).


Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 02 Jul 2017 18:45:03 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#866890; Package pspp. (Mon, 03 Jul 2017 05:27:02 GMT) (full text, mbox, link).


Acknowledgement sent to Friedrich Beckmann <friedrich.beckmann@gmx.de>:
Extra info received and forwarded to list. (Mon, 03 Jul 2017 05:27:03 GMT) (full text, mbox, link).


Message #14 received at 866890@bugs.debian.org (full text, mbox, reply):

From: Friedrich Beckmann <friedrich.beckmann@gmx.de>
To: ganshuitao@gmail.com, chaoz@tsinghua.edu.cn
Cc: 866890@bugs.debian.org, debian-lts@lists.debian.org, pspp-dev@gnu.org, jmm@debian.org
Subject: pspp - cve-2017-10791 - cve-2017-10792
Date: Mon, 3 Jul 2017 07:22:57 +0200
Dear owl337 team,

thanks for looking at pspp and finding the security problems

https://security-tracker.debian.org/tracker/CVE-2017-10791

and

https://security-tracker.debian.org/tracker/CVE-2017-10792

in pspp! Your reports are quite detailed. Could you describe how you found the problems, i.e. do
you have some information about collAFL?

Regards

Friedrich





Information forwarded to debian-bugs-dist@lists.debian.org, Friedrich Beckmann <friedrich.beckmann@gmx.de>:
Bug#866890; Package pspp. (Mon, 03 Jul 2017 19:00:04 GMT) (full text, mbox, link).


Acknowledgement sent to John Darrington <john@darrington.wattle.id.au>:
Extra info received and forwarded to list. Copy sent to Friedrich Beckmann <friedrich.beckmann@gmx.de>. (Mon, 03 Jul 2017 19:00:05 GMT) (full text, mbox, link).


Message #19 received at 866890@bugs.debian.org (full text, mbox, reply):

From: John Darrington <john@darrington.wattle.id.au>
To: Friedrich Beckmann <friedrich.beckmann@gmx.de>
Cc: ganshuitao@gmail.com, chaoz@tsinghua.edu.cn, pspp-dev@gnu.org, jmm@debian.org, debian-lts@lists.debian.org, 866890@bugs.debian.org
Subject: Re: pspp - cve-2017-10791 - cve-2017-10792
Date: Mon, 3 Jul 2017 20:50:56 +0200
I suspect this report is mistaken.  But this bit is Ben's code, so I'll let him comment on
that.

J'

-- 
Avoid eavesdropping.  Send strong encrypted email.
PGP Public key ID: 1024D/2DE827B3 
fingerprint = 8797 A26D 0854 2EAB 0285  A290 8A67 719C 2DE8 27B3
See http://sks-keyservers.net or any PGP keyserver for public key.


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#866890; Package pspp. (Mon, 03 Jul 2017 21:42:11 GMT) (full text, mbox, link).


Acknowledgement sent to Friedrich Beckmann <friedrich.beckmann@gmx.de>:
Extra info received and forwarded to list. (Mon, 03 Jul 2017 21:42:11 GMT) (full text, mbox, link).


Message #24 received at 866890@bugs.debian.org (full text, mbox, reply):

From: Friedrich Beckmann <friedrich.beckmann@gmx.de>
To: John Darrington <john@darrington.wattle.id.au>, 866890@bugs.debian.org
Cc: ganshuitao@gmail.com, chaoz@tsinghua.edu.cn, pspp-dev@gnu.org, jmm@debian.org, debian-lts@lists.debian.org
Subject: Re: Bug#866890: pspp - cve-2017-10791 - cve-2017-10792
Date: Mon, 3 Jul 2017 23:37:30 +0200
Hi John,

today I looked a little bit at the hash function. I think the problem is that, compared to
the referenced code, the x parameter is of type int instead of unsigned int. Googling around, the
overflow behavior of signed and the shift right of signed is not defined in the C standard,
although "many?" implementations assume a two's complement signed implementation. Both are well
defined for unsigned int operations.

I changed the parameter type from int to unsigned int and I cannot see a problem in the regression.

But looking at the code I wondered if this hash function also works on 64 Bit architectures. The
reference only talks about uint32_t.

Regards

Friedrich



Information forwarded to debian-bugs-dist@lists.debian.org, Friedrich Beckmann <friedrich.beckmann@gmx.de>:
Bug#866890; Package pspp. (Mon, 03 Jul 2017 23:15:05 GMT) (full text, mbox, link).


Acknowledgement sent to Chao Zhang <chaoz@tsinghua.edu.cn>:
Extra info received and forwarded to list. Copy sent to Friedrich Beckmann <friedrich.beckmann@gmx.de>. (Mon, 03 Jul 2017 23:15:05 GMT) (full text, mbox, link).


Message #29 received at 866890@bugs.debian.org (full text, mbox, reply):

From: Chao Zhang <chaoz@tsinghua.edu.cn>
To: Friedrich Beckmann <friedrich.beckmann@gmx.de>, ganshuitao@gmail.com
Cc: 866890@bugs.debian.org, debian-lts@lists.debian.org, pspp-dev@gnu.org, jmm@debian.org
Subject: Re: pspp - cve-2017-10791 - cve-2017-10792
Date: Tue, 4 Jul 2017 07:06:23 +0800
Dear Friedrich,

We are using smart fuzzing to test open source applications, including 
pspp. Our tool collAFL is an enhanced version of AFL.

The core of AFL is a genetic algorithm to automatically discover 
interesting test cases that trigger new internal states in the targeted 
application, which leads to a high code coverage. Our tool collAFL's 
improvement over AFL is that, it reduces some collisions in AFL's 
algorithm, and increases the code coverage of AFL.

The evaluation result is good so far. We found dozens of vulnerabilities 
in open source applications using collAFL. We are writing a paper about 
it. More details will be discussed in the paper. Once the paper is 
ready, we can share a copy with you, if you are interested.

Thanks,
Chao



Information forwarded to debian-bugs-dist@lists.debian.org, Friedrich Beckmann <friedrich.beckmann@gmx.de>:
Bug#866890; Package pspp. (Tue, 04 Jul 2017 05:15:03 GMT) (full text, mbox, link).


Acknowledgement sent to John Darrington <john@darrington.wattle.id.au>:
Extra info received and forwarded to list. Copy sent to Friedrich Beckmann <friedrich.beckmann@gmx.de>. (Tue, 04 Jul 2017 05:15:03 GMT) (full text, mbox, link).


Message #34 received at 866890@bugs.debian.org (full text, mbox, reply):

From: John Darrington <john@darrington.wattle.id.au>
To: Friedrich Beckmann <friedrich.beckmann@gmx.de>
Cc: John Darrington <john@darrington.wattle.id.au>, 866890@bugs.debian.org, ganshuitao@gmail.com, chaoz@tsinghua.edu.cn, pspp-dev@gnu.org, jmm@debian.org, debian-lts@lists.debian.org
Subject: Re: Bug#866890: pspp - cve-2017-10791 - cve-2017-10792
Date: Tue, 4 Jul 2017 07:10:31 +0200
On Mon, Jul 03, 2017 at 11:37:30PM +0200, Friedrich Beckmann wrote:
     Hi John,
     
     today I looked a little bit at the hash function. I think the problem is that compared to
     the referenced code the x parameter is type int instead of unsigned int. Googling around the
     overflow behavior of signed and the shift right of signed is not defined in the c standard
     although "many?" implementations assume 2th complement signed implementation. Both is well
     defined for unsigned int operations.
     
Ahh.  Perhaps you're right.  But I cannot see that this would cause a crash, so I suspect that's
another problem.

     I changed the parameter type from int to unsigned int and I cannot see a problem in the regression.

What problems did you encounter before your change (if any)?

     But looking at the code I wondered if this hash function also works on 64 Bit architectures. The
     reference only talks about uint32_t.

I cannot see that it wouldn't "work".  But it might not create such an efficient hash.

Anyway maybe Ben will be able to have a look soon.
     

J'
     
     

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#866890; Package pspp. (Tue, 04 Jul 2017 05:42:02 GMT) (full text, mbox, link).


Acknowledgement sent to Friedrich Beckmann <friedrich.beckmann@gmx.de>:
Extra info received and forwarded to list. (Tue, 04 Jul 2017 05:42:03 GMT) (full text, mbox, link).


Message #39 received at 866890@bugs.debian.org (full text, mbox, reply):

From: Friedrich Beckmann <friedrich.beckmann@gmx.de>
To: John Darrington <john@darrington.wattle.id.au>, 866890@bugs.debian.org
Cc: ganshuitao@gmail.com, chaoz@tsinghua.edu.cn, pspp-dev@gnu.org, jmm@debian.org, debian-lts@lists.debian.org
Subject: Re: Bug#866890: pspp - cve-2017-10791 - cve-2017-10792
Date: Tue, 4 Jul 2017 07:38:05 +0200
Hi John,


> Am 04.07.2017 um 07:10 schrieb John Darrington <john@darrington.wattle.id.au>:
> 
> On Mon, Jul 03, 2017 at 11:37:30PM +0200, Friedrich Beckmann wrote:
>     Hi John,
> 
>     today I looked a little bit at the hash function. I think the problem is that compared to
>     the referenced code the x parameter is type int instead of unsigned int. Googling around the
>     overflow behavior of signed and the shift right of signed is not defined in the c standard
>     although "many?" implementations assume 2th complement signed implementation. Both is well
>     defined for unsigned int operations.
> 
> Ahh.  Perhaps you're right.  But I cannot see that this would cause a crash, so I suspect that's
> another problem.

They compiled with a compiler switch -fsanitized=undefined. I assume that this produces the crash.

>     I changed the parameter type from int to unsigned int and I cannot see a problem in the regression.
> 
> What problems did you encounter before your change (if any)?

I encountered no problems. At first I assumed that they use some form of static code analysis. Then I tried
to run our regression with the above mentioned switch but on MacOS I encountered some compile problems.

In my view the behavior in our code might produce a bad hash as it deviates from the original code as the right
shift is different for int and unsigned int. But I cannot see how this produces a security vulnerability.

Friedrich


Information forwarded to debian-bugs-dist@lists.debian.org, Friedrich Beckmann <friedrich.beckmann@gmx.de>:
Bug#866890; Package pspp. (Tue, 04 Jul 2017 13:30:03 GMT) (full text, mbox, link).


Acknowledgement sent to Ben Pfaff <blp@cs.stanford.edu>:
Extra info received and forwarded to list. Copy sent to Friedrich Beckmann <friedrich.beckmann@gmx.de>. (Tue, 04 Jul 2017 13:30:03 GMT) (full text, mbox, link).


Message #44 received at 866890@bugs.debian.org (full text, mbox, reply):

From: Ben Pfaff <blp@cs.stanford.edu>
To: John Darrington <john@darrington.wattle.id.au>, 866890@bugs.debian.org
Cc: Friedrich Beckmann <friedrich.beckmann@gmx.de>, ganshuitao@gmail.com, chaoz@tsinghua.edu.cn, pspp-dev@gnu.org, jmm@debian.org, debian-lts@lists.debian.org
Subject: Re: Bug#866890: pspp - cve-2017-10791 - cve-2017-10792
Date: Tue, 4 Jul 2017 09:27:14 -0400
The attribution of the problem to the hash function is probably wrong,
since that function is purely combinatorial logic, but the report as a
whole is right because the attachment in the bug report at
https://bugzilla.redhat.com/show_bug.cgi?id=1467004 does cause
pspp-convert to assert-fail.

I'm looking into it.


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#866890; Package pspp. (Tue, 04 Jul 2017 15:57:05 GMT) (full text, mbox, link).


Acknowledgement sent to Friedrich Beckmann <friedrich.beckmann@gmx.de>:
Extra info received and forwarded to list. (Tue, 04 Jul 2017 15:57:05 GMT) (full text, mbox, link).


Message #49 received at 866890@bugs.debian.org (full text, mbox, reply):

From: Friedrich Beckmann <friedrich.beckmann@gmx.de>
To: Ben Pfaff <blp@cs.stanford.edu>
Cc: John Darrington <john@darrington.wattle.id.au>, 866890@bugs.debian.org, ganshuitao@gmail.com, chaoz@tsinghua.edu.cn, pspp-dev@gnu.org, jmm@debian.org, debian-lts@lists.debian.org
Subject: Re: Bug#866890: pspp - cve-2017-10791 - cve-2017-10792
Date: Tue, 4 Jul 2017 17:52:05 +0200
Hi Ben,

my understanding is that they bring up two different problems.

For

https://bugzilla.redhat.com/show_bug.cgi?id=1467004 (Hash Function)

the argument is that shift operations and overflows are undefined or
implementation dependent for signed integers as used in the hash function.

https://www.securecoding.cert.org/confluence/display/c/INT13-C.+Use+bitwise+operators+only+on+unsigned+operands

Shifting a negative number is „bad“ by that definition and that is what they checked.

But when looking at the code, isn’t there a problem when a pointer is cast to integer
on 64 Bit platforms because the pointer is 64 Bit and the integer is 32 Bit in hash_pointer? Wouldn’t we
want to have a hash based on the 64 Bit as for hash_double?

For https://bugzilla.redhat.com/show_bug.cgi?id=1467005 (crash on csv conversion)

they managed to generate a file which results in a crash when analyzed. Although pspp
still gives an error message that something is wrong in the file…

Friedrich
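
Added example, not part of the original thread and not PSPP's code: a C sketch of the two points raised in the message above, namely hashing on unsigned types so that shifts and wraparound are defined, and folding both halves of a 64-bit value instead of truncating it. The mixer is the MurmurHash3 finalizer, used here as a stand-in; all function names and sample values are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical 32-bit mixer (the MurmurHash3 finalizer) standing in for the
   hash under discussion; it is not PSPP's code.  All arithmetic is on
   uint32_t, so multiplication wraps modulo 2^32 and >> shifts in zeros. */
static uint32_t mix32(uint32_t x)
{
    x ^= x >> 16;
    x *= UINT32_C(0x85ebca6b);
    x ^= x >> 13;
    x *= UINT32_C(0xc2b2ae35);
    x ^= x >> 16;
    return x;
}

/* Hash a signed int by converting to unsigned first.  The conversion is
   defined for negative values (reduction modulo 2^32). */
uint32_t hash_int(int x) { return mix32((uint32_t)x); }

/* Right shift of a negative int is implementation-defined; most compilers
   perform an arithmetic shift that copies the sign bit. */
int shr_signed(int x, unsigned n) { return x >> n; }

/* The same bit pattern shifted as unsigned: always a logical shift. */
uint32_t shr_unsigned(int x, unsigned n) { return (uint32_t)x >> n; }

/* Truncating a 64-bit value to 32 bits before hashing drops the upper half. */
uint32_t hash_u64_truncating(uint64_t v) { return mix32((uint32_t)v); }

/* Folding: both halves influence the result. */
uint32_t hash_u64_folding(uint64_t v)
{
    uint32_t lo = (uint32_t)v;
    uint32_t hi = (uint32_t)(v >> 32);
    return mix32(lo ^ mix32(hi));
}

/* Pointer hash built on the folding variant (hypothetical name). */
uint32_t hash_pointer_folded(const void *p)
{
    return hash_u64_folding((uint64_t)(uintptr_t)p);
}

int main(void)
{
    /* Constructed values that differ only in the upper 32 bits. */
    uint64_t a = UINT64_C(0x00007f0012345678);
    uint64_t b = UINT64_C(0x00007f0112345678);

    printf("-16 >> 2 as int:      %d\n", shr_signed(-16, 2));
    printf("-16 >> 2 as uint32_t: 0x%08x\n", (unsigned)shr_unsigned(-16, 2));
    printf("truncating: %08x %08x\n",
           (unsigned)hash_u64_truncating(a), (unsigned)hash_u64_truncating(b));
    printf("folding:    %08x %08x\n",
           (unsigned)hash_u64_folding(a), (unsigned)hash_u64_folding(b));
    printf("pointer:    %08x\n", (unsigned)hash_pointer_folded(&a));
    return 0;
}
```

Building this with GCC's or Clang's `-fsanitize=undefined` and running it produces no sanitizer report, because every shift and multiplication operates on an unsigned type.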



Information forwarded to debian-bugs-dist@lists.debian.org, Friedrich Beckmann <friedrich.beckmann@gmx.de>:
Bug#866890; Package pspp. (Tue, 04 Jul 2017 17:15:04 GMT) (full text, mbox, link).


Acknowledgement sent to Ben Pfaff <blp@cs.stanford.edu>:
Extra info received and forwarded to list. Copy sent to Friedrich Beckmann <friedrich.beckmann@gmx.de>. (Tue, 04 Jul 2017 17:15:04 GMT) (full text, mbox, link).


Message #54 received at 866890@bugs.debian.org (full text, mbox, reply):

From: Ben Pfaff <blp@cs.stanford.edu>
To: Friedrich Beckmann <friedrich.beckmann@gmx.de>
Cc: ganshuitao@gmail.com, chaoz@tsinghua.edu.cn, pspp-dev@gnu.org, jmm@debian.org, debian-lts@lists.debian.org, 866890@bugs.debian.org
Subject: Re: pspp - cve-2017-10791 - cve-2017-10792
Date: Tue, 4 Jul 2017 13:14:13 -0400
I applied fixes for both of these bugs to the PSPP repository, as the
following commits.  The fixes will be in the next PSPP release.

commit 41c6f5447941e5d36d0554ba874671649353752f
Author: Ben Pfaff <blp@cs.stanford.edu>
Date:   Tue Jul 4 12:58:55 2017 -0400

    sys-file-reader: Fix integer overflows in parse_long_string_missing_values().
    
    Crafted system files caused integer overflow errors that in turn caused
    aborts.  This fixes the problem.
    
    CVE-2017-10791.
    See also https://bugzilla.redhat.com/show_bug.cgi?id=1467004.
    See also https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=866890.
    See also https://security-tracker.debian.org/tracker/CVE-2017-10791.
    Found by team OWL337, using the collAFL fuzzer.

commit bf03b53a3c0f0d1066062f37919015a8fa6ad436
Author: Ben Pfaff <blp@cs.stanford.edu>
Date:   Tue Jul 4 12:54:47 2017 -0400

    sys-file-reader: Avoid null dereference skipping bad extension record 18.
    
    read_record() assumed that read_extension_record() never set its output
    argument to NULL when it returned true, but this is possible in an error
    case.
    
    CVE-2017-10792.
    See also https://bugzilla.redhat.com/show_bug.cgi?id=1467005.
    See also https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=866890.
    See also https://security-tracker.debian.org/tracker/CVE-2017-10792.
    Reported by team OWL337, with fuzzer collAFL.
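
Added example, not taken from the PSPP repository or from the commits above: a C sketch of the two defect classes the commit messages name, using a simplified, hypothetical record layout. It shows a reader that can return true while leaving its output argument NULL, a caller that checks for that, and a size check on file-supplied fields that cannot wrap; the record format, function bodies and sample bytes are all constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Simplified, hypothetical record layout (not PSPP's reader): three
   little-endian 32-bit fields (subtype, size, count), then size*count
   payload bytes. */
struct ext_record {
    uint32_t subtype;
    size_t n_bytes;
    const uint8_t *data;
};

/* Constructed sample inputs. */
static const uint8_t good_rec[] = { 18,0,0,0, 1,0,0,0, 4,0,0,0, 'a','b','c','d' };
static const uint8_t bad_rec[]  = { 18,0,0,0, 0,0,1,0, 0,0,1,0 }; /* 0x10000 x 0x10000 */

static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8
           | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* What an unchecked 32-bit multiplication of the two fields yields; a wrapped
   product of 0 would pass a naive "product <= remaining bytes" test. */
uint32_t wrapped_product(uint32_t size, uint32_t count) { return size * count; }

/* Returns false on a fatal error.  Returns true with *out == NULL when the
   record is malformed and is to be skipped. */
bool read_extension_record(const uint8_t *buf, size_t len, struct ext_record **out)
{
    *out = NULL;
    if (len < 12)
        return false;                      /* truncated header */

    uint32_t size = get_le32(buf + 4);
    uint32_t count = get_le32(buf + 8);

    /* Divide instead of multiplying, so the file-supplied fields cannot wrap. */
    if (size != 0 && count > (len - 12) / size)
        return true;                       /* skipped: *out stays NULL */

    struct ext_record *r = malloc(sizeof *r);
    if (r == NULL)
        return false;
    r->subtype = get_le32(buf);
    r->n_bytes = (size_t)size * count;     /* bounded by len - 12 here */
    r->data = buf + 12;
    *out = r;
    return true;
}

/* Caller: 1 = processed, 0 = skipped, -1 = fatal. */
int process_record(const uint8_t *buf, size_t len, size_t *payload_len)
{
    struct ext_record *r;
    if (!read_extension_record(buf, len, &r))
        return -1;
    if (r == NULL)       /* true does not imply a record was produced */
        return 0;
    *payload_len = r->n_bytes;
    free(r);
    return 1;
}

int main(void)
{
    size_t n = 0;
    printf("good: %d\n", process_record(good_rec, sizeof good_rec, &n));
    printf("payload bytes: %zu\n", n);
    printf("bad:  %d\n", process_record(bad_rec, sizeof bad_rec, &n));
    printf("0x10000 * 0x10000 in 32 bits = %u\n",
           (unsigned)wrapped_product(0x10000u, 0x10000u));
    return 0;
}
```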



Reply sent to Friedrich Beckmann <friedrich.beckmann@gmx.de>:
You have taken responsibility. (Mon, 21 Aug 2017 06:39:05 GMT) (full text, mbox, link).


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Mon, 21 Aug 2017 06:39:05 GMT) (full text, mbox, link).


Message #59 received at 866890-close@bugs.debian.org (full text, mbox, reply):

From: Friedrich Beckmann <friedrich.beckmann@gmx.de>
To: 866890-close@bugs.debian.org
Subject: Bug#866890: fixed in pspp 1.0.0-1
Date: Mon, 21 Aug 2017 06:36:40 +0000
Source: pspp
Source-Version: 1.0.0-1

We believe that the bug you reported is fixed in the latest version of
pspp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 866890@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Friedrich Beckmann <friedrich.beckmann@gmx.de> (supplier of updated pspp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 13 Aug 2017 08:50:21 +0200
Source: pspp
Binary: pspp
Architecture: source i386
Version: 1.0.0-1
Distribution: unstable
Urgency: low
Maintainer: Friedrich Beckmann <friedrich.beckmann@gmx.de>
Changed-By: Friedrich Beckmann <friedrich.beckmann@gmx.de>
Description:
 pspp       - Statistical analysis tool
Closes: 853623 866890
Changes:
 pspp (1.0.0-1) unstable; urgency=low
 .
   * New upstream release 1.0.0
   * The REGRESSION command now has a /ORIGIN subcommand to perform
     regression through the origin.
   * The FACTOR command can now analyse matrix files prepared with MATRIX DATA.
   * The FACTOR command can now print the anti-image matrices.
   * The MATRIX DATA command has been added.
   * Some inappropriate properties in selection dialogs have been corrected.
   * A bug which could cause the HTML driver to go into a tight loop
     has been fixed.
   * An error in the FREQUENCIES procedure, where the word "Mean" was
     printed when "Variance" was appropriate has been fixed.
   * The ncurses library is no longer required or used.
   * A bug where the Mann-Whitney test would give misleading results
     if run on multiple variables and MISSING=ANALAYSIS was specified
     has been fixed.
   * Gtk+3.14.5 or later must now be used when building.
   * Graphical user interface changes:
      ** There is a new menu: Edit|Options
      ** The Non Parametric Statistics Menu
         has a new item: "K Independent Samples".
      ** Dialog boxes can now be canceled using the <Escape> key.
   * The AUTORECODE command now accepts an optional / before INTO.
   * The short form of the VECTOR command can now create string variables.
   * Bug fixes, including fixes for CVE-2017-10791 and CVE-2017-10792.
     Closes: #866890
   * Updated gnulib version which can be compiled with GCC7
     Closes: #853623




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 20 Sep 2017 07:30:19 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:55:02 2019; Machine Name: beach
