a2ps: CVE-2001-1593: insecure use of /tmp

Related Vulnerabilities: CVE-2001-1593   CVE-2011-1593   CVE-2014-0466  

Debian Bug report logs - #737385


Package: a2ps; Maintainer for a2ps is Debian QA Group <packages@qa.debian.org>; Source for a2ps is src:a2ps (PTS, buildd, popcon).

Reported by: Jakub Wilk <jwilk@debian.org>

Date: Sun, 2 Feb 2014 10:45:06 UTC

Severity: important

Tags: security

Found in version a2ps/1:4.14-1.1

Fixed in versions a2ps/1:4.14-1.2, a2ps/1:4.14-1.1+deb7u1, a2ps/1:4.14-1.1+deb6u1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, jwilk@debian.org, Masayuki Hatta (mhatta) <mhatta@debian.org>:
Bug#737385; Package a2ps. (Sun, 02 Feb 2014 10:45:11 GMT) (full text, mbox, link).


Message #3 received at submit@bugs.debian.org (full text, mbox, reply):

From: Jakub Wilk <jwilk@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: a2ps: insecure use of /tmp
Date: Sun, 2 Feb 2014 11:43:53 +0100
Package: a2ps
Version: 1:4.14-1.1
Severity: important
Tags: security

src/main.c contains this code:

   /* Use one of the temp file names so that cleanup can be correctly
      done. */
   tempname_ensure (job->tmp_filenames[0]);
   spyname = job->tmp_filenames[0];
   spy = fopen (spyname, "w");

tempname_ensure() is defined in lib/routines.h as:

  #define tempname_ensure(Str)				\
  do {							\
    (Str) = (Str) ? (Str) : tempnam (NULL, "a2_");	\
  } while (0)

From the tempnam(3) manpage: “Although tempnam() generates names that 
are difficult to guess, it is nevertheless possible that between the 
time that tempnam() returns a pathname, and the time that the program 
opens it, another program might create that pathname using open(2), or 
create it as a symbolic link. This can lead to security holes. To avoid 
such possibilities, use the open(2) O_EXCL flag to open the pathname. Or 
better yet, use mkstemp(3) or tmpfile(3).”

(There are other calls to tempname_ensure() in the a2ps code, but I 
haven't checked them.)

-- 
Jakub Wilk



Information forwarded to debian-bugs-dist@lists.debian.org, Masayuki Hatta (mhatta) <mhatta@debian.org>:
Bug#737385; Package a2ps. (Mon, 03 Feb 2014 06:15:04 GMT) (full text, mbox, link).


Acknowledgement sent to mmcallis@redhat.com:
Extra info received and forwarded to list. Copy sent to Masayuki Hatta (mhatta) <mhatta@debian.org>. (Mon, 03 Feb 2014 06:15:04 GMT) (full text, mbox, link).


Message #8 received at 737385@bugs.debian.org (full text, mbox, reply):

From: Murray McAllister <mmcallis@redhat.com>
To: oss-security@lists.openwall.com
Cc: 737385@bugs.debian.org
Subject: CVE request: a2ps insecure temporary file use
Date: Mon, 03 Feb 2014 17:12:48 +1100
Hello,

Jakub Wilk found that a2ps, a tool to convert text and other types of
files to PostScript, insecurely used a temporary file in spy_user(). A
local attacker could use this flaw to perform a symbolic link attack to
modify an arbitrary file accessible to the user running a2ps:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737385

The original report notes there are calls to tempname_ensure(). If any
of those are found to be vulnerable, would they use the same CVE number,
or require a different one?

References:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737385
https://bugzilla.redhat.com/show_bug.cgi?id=1060630

Thanks,

--
Murray McAllister / Red Hat Security Response Team



Information forwarded to debian-bugs-dist@lists.debian.org, Masayuki Hatta (mhatta) <mhatta@debian.org>:
Bug#737385; Package a2ps. (Mon, 03 Feb 2014 16:27:07 GMT) (full text, mbox, link).


Acknowledgement sent to mmcallis@redhat.com:
Extra info received and forwarded to list. Copy sent to Masayuki Hatta (mhatta) <mhatta@debian.org>. (Mon, 03 Feb 2014 16:27:07 GMT) (full text, mbox, link).


Message #13 received at 737385@bugs.debian.org (full text, mbox, reply):

From: Murray McAllister <mmcallis@redhat.com>
To: oss-security@lists.openwall.com
Cc: 737385@bugs.debian.org
Subject: Re: [oss-security] CVE request: a2ps insecure temporary file use
Date: Tue, 04 Feb 2014 02:50:00 +1100
On 02/03/2014 05:12 PM, Murray McAllister wrote:
> Hello,
>
> Jakub Wilk found that a2ps, a tool to convert text and other types of
> files to PostScript, insecurely used a temporary file in spy_user(). A
> local attacker could use this flaw to perform a symbolic link attack to
> modify an arbitrary file accessible to the user running a2ps:
>
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737385
>
> The original report notes there are calls to tempname_ensure(). If any
> of those are found to be vulnerable, would they use the same CVE number,
> or require a different one?
>
> References:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737385
> https://bugzilla.redhat.com/show_bug.cgi?id=1060630
>
> Thanks,
>
> --
> Murray McAllister / Red Hat Security Response Team
>

Tim Waugh pointed out this was fixed in 2001:

https://bugzilla.redhat.com/show_bug.cgi?id=1060630#c5

And notes 
http://pkgs.fedoraproject.org/cgit/a2ps.git/plain/a2ps-4.13-security.patch 
is the patch.

Cheers,

--
Murray McAllister / Red Hat Security Response Team



Information forwarded to debian-bugs-dist@lists.debian.org, Masayuki Hatta (mhatta) <mhatta@debian.org>:
Bug#737385; Package a2ps. (Tue, 04 Feb 2014 14:51:12 GMT) (full text, mbox, link).


Acknowledgement sent to cve-assign@mitre.org:
Extra info received and forwarded to list. Copy sent to Masayuki Hatta (mhatta) <mhatta@debian.org>. (Tue, 04 Feb 2014 14:51:12 GMT) (full text, mbox, link).


Message #18 received at 737385@bugs.debian.org (full text, mbox, reply):

From: cve-assign@mitre.org
To: mmcallis@redhat.com
Cc: cve-assign@mitre.org, oss-security@lists.openwall.com, 737385@bugs.debian.org
Subject: Re: CVE request: a2ps insecure temporary file use
Date: Tue, 4 Feb 2014 09:40:36 -0500 (EST)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> https://bugzilla.redhat.com/show_bug.cgi?id=1060630#c5
> 
> * Fri Jan 05 2001 Preston Brown <pbrown@redhat.com>
> - security patch for tmpfile creation from Olaf Kirch <okir@lst.de>
> 
> followed the next month by a fix to that patch:
> 
> * Mon Feb 12 2001 Tim Waugh <twaugh@redhat.com>
> - Fix tmpfile security patch so that it actually _works_ (bug #27155).

Does anyone have information indicating that two CVE-2001-#### IDs are
needed to cover the discoveries by Olaf Kirch and Tim Waugh 13 years
ago? This would be the case if, for example, there was a January 2001
a2ps package that fixed part of the problem with temporary files.
Admittedly, the practical value of two CVE-2001-#### IDs at present
may be extremely small.

The information does not seem to be in a2ps.git because data before
2004 is unavailable, e.g.,

  http://pkgs.fedoraproject.org/cgit/a2ps.git/log/?ofs=100

Also:

  https://bugzilla.redhat.com/show_bug.cgi?id=27155
  You are not authorized to access bug #27155.

If (as we would expect) nobody is interested in checking that, we will
assign one CVE-2001-#### ID.

Finally, the earlier abstraction question is no longer relevant
because Jakub Wilk is apparently not the original discoverer of any
part of the problem. Specifically, this question:

  The original report notes there are calls to tempname_ensure(). If any
  of those are found to be vulnerable, would they use the same CVE number,
  or require a different one?

would only apply to a situation in which the spyname problem was a new
discovery in 2014.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]



Information forwarded to debian-bugs-dist@lists.debian.org, Masayuki Hatta (mhatta) <mhatta@debian.org>:
Bug#737385; Package a2ps. (Wed, 05 Feb 2014 07:57:05 GMT) (full text, mbox, link).


Acknowledgement sent to mmcallis@redhat.com:
Extra info received and forwarded to list. Copy sent to Masayuki Hatta (mhatta) <mhatta@debian.org>. (Wed, 05 Feb 2014 07:57:05 GMT) (full text, mbox, link).


Message #23 received at 737385@bugs.debian.org (full text, mbox, reply):

From: Murray McAllister <mmcallis@redhat.com>
To: oss-security@lists.openwall.com
Cc: cve-assign@mitre.org, 737385@bugs.debian.org
Subject: Re: [oss-security] Re: CVE request: a2ps insecure temporary file use
Date: Wed, 05 Feb 2014 18:55:13 +1100
On 02/05/2014 01:40 AM, cve-assign@mitre.org wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>> https://bugzilla.redhat.com/show_bug.cgi?id=1060630#c5
>>
>> * Fri Jan 05 2001 Preston Brown <pbrown@redhat.com>
>> - security patch for tmpfile creation from Olaf Kirch <okir@lst.de>
>>
>> followed the next month by a fix to that patch:
>>
>> * Mon Feb 12 2001 Tim Waugh <twaugh@redhat.com>
>> - Fix tmpfile security patch so that it actually _works_ (bug #27155).
>
> Does anyone have information indicating that two CVE-2001-#### IDs are
> needed to cover the discoveries by Olaf Kirch and Tim Waugh 13 years
> ago? This would be the case if, for example, there was a January 2001
> a2ps package that fixed part of the problem with temporary files.
> Admittedly, the practical value of two CVE-2001-#### IDs at present
> may be extremely small.
>
> The information does not seem to be in a2ps.git because data before
> 2004 is unavailable, e.g.,
>
>    http://pkgs.fedoraproject.org/cgit/a2ps.git/log/?ofs=100
>
> Also:
>
>    https://bugzilla.redhat.com/show_bug.cgi?id=27155
>    You are not authorized to access bug #27155.
>
> If (as we would expect) nobody is interested in checking that, we will
> assign one CVE-2001-#### ID.

Hello,

I spent a little time looking but could not determine if a release was 
made to fix only part of the problem. So one ID is fine by us.

bug #27155 just contains some gdb output. Therefore I assumed it was 
public and didn't check before sending it here.

Thanks for looking at this.

--
Murray McAllister / Red Hat Security Response Team



Information forwarded to debian-bugs-dist@lists.debian.org, Masayuki Hatta (mhatta) <mhatta@debian.org>:
Bug#737385; Package a2ps. (Wed, 05 Feb 2014 12:42:05 GMT) (full text, mbox, link).


Acknowledgement sent to cve-assign@mitre.org:
Extra info received and forwarded to list. Copy sent to Masayuki Hatta (mhatta) <mhatta@debian.org>. (Wed, 05 Feb 2014 12:42:05 GMT) (full text, mbox, link).


Message #28 received at 737385@bugs.debian.org (full text, mbox, reply):

From: cve-assign@mitre.org
To: mmcallis@redhat.com
Cc: cve-assign@mitre.org, oss-security@lists.openwall.com, 737385@bugs.debian.org
Subject: Re: CVE request: a2ps insecure temporary file use
Date: Wed, 5 Feb 2014 07:39:18 -0500 (EST)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

>> https://bugzilla.redhat.com/show_bug.cgi?id=1060630#c5

>> * Mon Feb 12 2001 Tim Waugh <twaugh@redhat.com>
>> - Fix tmpfile security patch so that it actually _works_ (bug #27155).

>> And notes 
>> http://pkgs.fedoraproject.org/cgit/a2ps.git/plain/a2ps-4.13-security.patch 
>> is the patch.

> I spent a little time looking but could not determine if a release was 
> made to fix only part of the problem. So one ID is fine by us.

Use CVE-2001-1593.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]



Changed Bug title to 'a2ps: CVE-2001-1593: insecure use of /tmp' from 'a2ps: insecure use of /tmp' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 05 Feb 2014 13:33:05 GMT) (full text, mbox, link).


Reply sent to Matthias Klose <doko@debian.org>:
You have taken responsibility. (Thu, 27 Mar 2014 15:39:45 GMT) (full text, mbox, link).


Notification sent to Jakub Wilk <jwilk@debian.org>:
Bug acknowledged by developer. (Thu, 27 Mar 2014 15:39:45 GMT) (full text, mbox, link).


Message #35 received at 737385-close@bugs.debian.org (full text, mbox, reply):

From: Matthias Klose <doko@debian.org>
To: 737385-close@bugs.debian.org
Subject: Bug#737385: fixed in a2ps 1:4.14-1.2
Date: Thu, 27 Mar 2014 15:33:59 +0000
Source: a2ps
Source-Version: 1:4.14-1.2

We believe that the bug you reported is fixed in the latest version of
a2ps, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 737385@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Matthias Klose <doko@debian.org> (supplier of updated a2ps package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 27 Mar 2014 14:25:04 +0100
Source: a2ps
Binary: a2ps
Architecture: source amd64
Version: 1:4.14-1.2
Distribution: unstable
Urgency: medium
Maintainer: Masayuki Hatta (mhatta) <mhatta@debian.org>
Changed-By: Matthias Klose <doko@debian.org>
Description: 
 a2ps       - GNU a2ps - 'Anything to PostScript' converter and pretty-printer
Closes: 608647 669642 682717 737385
Changes: 
 a2ps (1:4.14-1.2) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Build-depend on emacs24 instead of emacs23. Closes: #682717.
   * Use dpkg-buildflags.
   * Build using autotools-dev.
   * CVE-2001-1593. Fix insecure use of /tmp. Closes: #737385.
   * Fix typo in package description. Closes: #608647.
   * Avoid a bad free in the encoding handling logic (taken from Fedora).
   * Fix build errors with -Wformat=security.
   * Fix texi build error.
   * Stop using dpatch, convert to packaging format 3.0. Closes: #669642.
   * Bump standards version to 3.9.5.





Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Tue, 01 Apr 2014 21:21:15 GMT) (full text, mbox, link).


Notification sent to Jakub Wilk <jwilk@debian.org>:
Bug acknowledged by developer. (Tue, 01 Apr 2014 21:21:15 GMT) (full text, mbox, link).


Message #40 received at 737385-close@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 737385-close@bugs.debian.org
Subject: Bug#737385: fixed in a2ps 1:4.14-1.1+deb7u1
Date: Tue, 01 Apr 2014 21:17:06 +0000
Source: a2ps
Source-Version: 1:4.14-1.1+deb7u1

We believe that the bug you reported is fixed in the latest version of
a2ps, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 737385@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated a2ps package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 30 Mar 2014 12:43:56 +0200
Source: a2ps
Binary: a2ps
Architecture: source amd64
Version: 1:4.14-1.1+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: Masayuki Hatta (mhatta) <mhatta@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description: 
 a2ps       - GNU a2ps - 'Anything to PostScript' converter and pretty-printer
Closes: 737385 742902
Changes: 
 a2ps (1:4.14-1.1+deb7u1) wheezy-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Add 09_CVE-2001-1593.dpatch patch.
     CVE-2011-1593: Fix insecure use of /tmp
     Thanks to Jakub Wilk <jwilk@debian.org> (Closes: #737385)
   * Add 10_CVE-2014-0466.dpatch patch.
     CVE-2014-0466: fixps does not invoke gs with -dSAFER. A malicious
     PostScript file could delete files with the privileges of the invoking
     user.
     Thanks to brian m. carlson <sandals@crustytoothpaste.net> (Closes: #742902)





Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Tue, 01 Apr 2014 21:21:19 GMT) (full text, mbox, link).


Notification sent to Jakub Wilk <jwilk@debian.org>:
Bug acknowledged by developer. (Tue, 01 Apr 2014 21:21:19 GMT) (full text, mbox, link).


Message #45 received at 737385-close@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 737385-close@bugs.debian.org
Subject: Bug#737385: fixed in a2ps 1:4.14-1.1+deb6u1
Date: Tue, 01 Apr 2014 21:17:59 +0000
Source: a2ps
Source-Version: 1:4.14-1.1+deb6u1

We believe that the bug you reported is fixed in the latest version of
a2ps, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 737385@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated a2ps package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 30 Mar 2014 18:14:06 +0200
Source: a2ps
Binary: a2ps
Architecture: source amd64
Version: 1:4.14-1.1+deb6u1
Distribution: squeeze-security
Urgency: high
Maintainer: Masayuki Hatta (mhatta) <mhatta@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description: 
 a2ps       - GNU a2ps - 'Anything to PostScript' converter and pretty-printer
Closes: 737385 742902
Changes: 
 a2ps (1:4.14-1.1+deb6u1) squeeze-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Add 09_CVE-2001-1593.dpatch patch.
     CVE-2011-1593: Fix insecure use of /tmp
     Thanks to Jakub Wilk <jwilk@debian.org> (Closes: #737385)
   * Add 10_CVE-2014-0466.dpatch patch.
     CVE-2014-0466: fixps does not invoke gs with -dSAFER. A malicious
     PostScript file could delete files with the privileges of the invoking
     user.
     Thanks to brian m. carlson <sandals@crustytoothpaste.net> (Closes: #742902)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 30 Apr 2014 07:33:34 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:11:02 2019; Machine Name: buxtehude
