flatpak: CVE-2017-9780: Flatpak security issue

Related Vulnerabilities: CVE-2017-9780  

Debian Bug report logs - #865413

Reported by: Simon McVittie <smcv@debian.org>

Date: Wed, 21 Jun 2017 08:51:02 UTC

Severity: critical

Tags: fixed-upstream, security, upstream

Found in versions flatpak/0.8.5-2, flatpak/0.8.5-1

Fixed in versions flatpak/0.9.6-1, flatpak/0.8.7-1, flatpak/0.8.5-2+deb9u1

Done: Simon McVittie <smcv@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/flatpak/flatpak/issues/845



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#865413; Package flatpak. (Wed, 21 Jun 2017 08:51:05 GMT).


Acknowledgement sent to Simon McVittie <smcv@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Wed, 21 Jun 2017 08:51:05 GMT).


Message #5 received at submit@bugs.debian.org:

From: Simon McVittie <smcv@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: flatpak: Flatpak security issue #845 involving setuid/world-writable files
Date: Wed, 21 Jun 2017 09:46:21 +0100
Package: flatpak
Version: 0.8.5-2
Severity: critical
Tags: security fixed-upstream
Forwarded: https://github.com/flatpak/flatpak/issues/845
Justification: potentially (in worst case) root security hole

The Flatpak developers recently released version 0.8.7 fixing a security
issue. A third-party app repository could include malicious apps that
contain files with inappropriate permissions, for example setuid or
world-writable. Older Flatpak versions would deploy the files with those
permissions, which would let a local attacker run the setuid executable
or write to the world-writable location.

In the case of the "system helper", files deployed as part of the app
are owned by root, so in the worst case they could be setuid root.

Mitigations:
* If you are running apps from a third party already, then there is
  already a trust relationship (the app is sandboxed, but the sandbox
  is not very strict in practice, and the third-party vendor chooses
  what permissions the app will have)
* The default polkit policies will not allow apps to be installed
  system-wide unless a privileged (root-equivalent) user has added
  the third-party app repository, which indicates that the privileged
  user trusts the operator of that repository
* The attacker exploiting the wrong permissions needs to be local

It seems that upstream consider this to be a minor security issue due
to those mitigations.

For the buster and sid suites, this will be fixed in 0.8.7-1 shortly.

For the experimental suite, this will be fixed in 0.9.6-1. That will
take a bit longer because it needs a newer version of libostree.

Security team: do you want a backport/DSA for stretch-security, or do
you consider the mitigations to be sufficient to fix this through
a stable update instead? I am hoping to get 0.8.7 into stretch r1 as a
stable update, but 0.8.6 contains unrelated bug fixes that I realise
you won't necessarily want in stretch-security (proposed-update tracked
at <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864028>).

For a stretch-security backport with just this fix, I could optionally
also include these security-hardening-related commits from 0.8.6:
https://github.com/flatpak/flatpak/commit/6265200c83f23acceb3c9b192ebc1ffa9db140de
https://github.com/flatpak/flatpak/commit/414d699621664913dadebcf5db39732b99268c37
Please let me know whether you would prefer those included or excluded.

    S
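A defender-side check for the issue described above, written as an added example (not Flatpak's own code and not the upstream fix): it walks a deployed app tree for the permission classes the report names (setuid/setgid executables, world-writable files and directories), shows the stripped mode a hardened checkout would apply, and checks the 0700 requirement on ~/.local/share/flatpak that the 0.8.7 changelog later in this log mentions. The bit policy in FORBIDDEN_FILE_BITS/FORBIDDEN_DIR_BITS and the sample tree are assumptions constructed for this example.

```python
"""Audit a deployed Flatpak app tree for the permission classes behind
CVE-2017-9780 and check that the per-user installation directory is 0700.
Added example, not Flatpak's own code; the policy below is an assumption
modelled on the two hardening items in the 0.8.7 changelog."""
import os
import shutil
import stat
import tempfile

# Bits an app from a third-party repository must never be deployed with.
FORBIDDEN_FILE_BITS = stat.S_ISUID | stat.S_ISGID | stat.S_IWOTH
FORBIDDEN_DIR_BITS = stat.S_IWOTH


def sanitize_mode(mode):
    """Mode a hardened checkout would apply instead of `mode` (setuid,
    setgid and world-write stripped; the entry is otherwise unchanged)."""
    bits = FORBIDDEN_DIR_BITS if stat.S_ISDIR(mode) else FORBIDDEN_FILE_BITS
    return mode & ~bits


def classify(path):
    """List the problems on one entry (empty list means clean). Symlinks
    are skipped because their own mode bits are not meaningful on Linux."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return []
    problems = []
    if stat.S_ISREG(st.st_mode):
        if st.st_mode & stat.S_ISUID:
            problems.append("setuid")
        if st.st_mode & stat.S_ISGID:
            problems.append("setgid")
    if st.st_mode & stat.S_IWOTH:
        problems.append("world-writable")
    return problems


def audit_tree(root):
    """Walk `root` without following symlinks and map every offending
    path (relative to root) to its problems; {} means deployable."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            problems = classify(full)
            if problems:
                findings[os.path.relpath(full, root)] = problems
    return findings


def user_dir_is_private(path):
    """Second 0.8.7 hardening: ~/.local/share/flatpak must be 0700, i.e.
    no group or other permission bits at all on the directory."""
    st = os.lstat(path)
    return stat.S_ISDIR(st.st_mode) and (stat.S_IMODE(st.st_mode) & 0o077) == 0


def _mkdir(path, mode):
    os.makedirs(path)
    os.chmod(path, mode)  # chmod ignores the umask, unlike makedirs
    return path


def build_fixture():
    """Constructed sample tree (not a real app): one setuid helper, one
    world-writable directory, one clean binary, and two candidate user
    installation directories. Returns the temporary root path."""
    root = tempfile.mkdtemp(prefix="flatpak-audit-")
    _mkdir(os.path.join(root, "files"), 0o755)
    bindir = _mkdir(os.path.join(root, "files", "bin"), 0o755)
    _mkdir(os.path.join(root, "files", "share"), 0o755)
    _mkdir(os.path.join(root, "files", "share", "drop"), 0o777)
    _mkdir(os.path.join(root, "private"), 0o700)
    _mkdir(os.path.join(root, "leaky"), 0o755)
    for name, mode in (("helper", 0o4755), ("app", 0o755)):
        with open(os.path.join(bindir, name), "w") as f:
            f.write("#!/bin/sh\nexit 0\n")
        os.chmod(os.path.join(bindir, name), mode)
    return root


def remove_fixture(root):
    shutil.rmtree(root, ignore_errors=True)
```

Run `audit_tree()` over an installed app's `files/` directory to get the same report on a real deployment; an empty result is what a fixed Flatpak would have produced in the first place.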



Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 21 Jun 2017 09:03:02 GMT).


Reply sent to Simon McVittie <smcv@debian.org>:
You have taken responsibility. (Wed, 21 Jun 2017 09:39:06 GMT).


Notification sent to Simon McVittie <smcv@debian.org>:
Bug acknowledged by developer. (Wed, 21 Jun 2017 09:39:06 GMT).


Message #12 received at 865413-close@bugs.debian.org:

From: Simon McVittie <smcv@debian.org>
To: 865413-close@bugs.debian.org
Subject: Bug#865413: fixed in flatpak 0.8.7-1
Date: Wed, 21 Jun 2017 09:34:34 +0000
Source: flatpak
Source-Version: 0.8.7-1

We believe that the bug you reported is fixed in the latest version of
flatpak, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 865413@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon McVittie <smcv@debian.org> (supplier of updated flatpak package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Wed, 21 Jun 2017 09:50:09 +0100
Source: flatpak
Binary: flatpak flatpak-builder flatpak-tests gir1.2-flatpak-1.0 libflatpak-dev libflatpak-doc libflatpak0
Architecture: source
Version: 0.8.7-1
Distribution: unstable
Urgency: high
Maintainer: Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Closes: 865413
Description: 
 flatpak    - Application deployment framework for desktop apps
 flatpak-builder - Flatpak application building helper
 flatpak-tests - Application deployment framework for desktop apps (tests)
 gir1.2-flatpak-1.0 - Application deployment framework for desktop apps (introspection)
 libflatpak0 - Application deployment framework for desktop apps (library)
 libflatpak-dev - Application deployment framework for desktop apps (development)
 libflatpak-doc - Application deployment framework for desktop apps (documentation)
Changes:
 flatpak (0.8.7-1) unstable; urgency=high
 .
   * New upstream stable release
     - Security: prevent deploying files with inappropriate permissions
       (world-writable, setuid, etc.) (Closes: #865413)
     - Security: make ~/.local/share/flatpak private to user to defend
       against app vendors that might have released files with
       inappropriate permissions in the past
     - If an error occurs during pull, do not double-set an error,
       which is considered to be invalid
     - Increase some arbitrary timeouts in a test to make it more
       reliable




Information forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#865413; Package flatpak. (Wed, 21 Jun 2017 11:39:10 GMT).


Acknowledgement sent to Simon McVittie <smcv@debian.org>:
Extra info received and forwarded to list. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Wed, 21 Jun 2017 11:39:10 GMT).


Message #17 received at 865413@bugs.debian.org:

From: Simon McVittie <smcv@debian.org>
To: 865413@bugs.debian.org
Cc: Debian Security Team <team@security.debian.org>
Subject: Re: Bug#865413: flatpak: Flatpak security issue #845 involving setuid/world-writable files
Date: Wed, 21 Jun 2017 12:35:43 +0100
On Wed, 21 Jun 2017 at 09:46:21 +0100, Simon McVittie wrote:
> Security team: do you want a backport/DSA for stretch-security, or do
> you consider the mitigations to be sufficient to fix this through
> a stable update instead? I am hoping to get 0.8.7 into stretch r1 as a
> stable update, but 0.8.6 contains unrelated bug fixes that I realise
> you won't necessarily want in stretch-security (proposed-update tracked
> at <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864028>).

Here is a proposed minimal backport for stretch in case you want one.
I have source and binaries for this ready for upload. Does the security
archive still want source packages built with debuild -sa, and do you
accept source-only uploads for stretch-security?

Thanks,
    S
[flatpak_0.8.5-2+deb9u1.diff (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#865413; Package flatpak. (Wed, 21 Jun 2017 15:09:03 GMT).


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Wed, 21 Jun 2017 15:09:03 GMT).


Message #22 received at 865413@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Simon McVittie <smcv@debian.org>
Cc: 865413@bugs.debian.org, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#865413: flatpak: Flatpak security issue #845 involving setuid/world-writable files
Date: Wed, 21 Jun 2017 17:08:03 +0200
On Wed, Jun 21, 2017 at 12:35:43PM +0100, Simon McVittie wrote:
> On Wed, 21 Jun 2017 at 09:46:21 +0100, Simon McVittie wrote:
> > Security team: do you want a backport/DSA for stretch-security, or do
> > you consider the mitigations to be sufficient to fix this through
> > a stable update instead? I am hoping to get 0.8.7 into stretch r1 as a
> > stable update, but 0.8.6 contains unrelated bug fixes that I realise
> > you won't necessarily want in stretch-security (proposed-update tracked
> > at <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864028>).
> 
> Here is a proposed minimal backport for stretch in case you want one.
> I have source and binaries for this ready for upload.

Please go ahead.

> Does the security
> archive still want source packages built with debuild -sa, and do you
> accept source-only uploads for stretch-security?

Source-only uploads should work fine, but you still need to include the
orig tarball if the package is new in the stretch-security suite (and
at this point almost everything is).

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#865413; Package flatpak. (Wed, 21 Jun 2017 16:21:03 GMT).


Acknowledgement sent to Simon McVittie <smcv@debian.org>:
Extra info received and forwarded to list. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Wed, 21 Jun 2017 16:21:03 GMT).


Message #27 received at 865413@bugs.debian.org:

From: Simon McVittie <smcv@debian.org>
To: Moritz Mühlenhoff <jmm@inutil.org>
Cc: 865413@bugs.debian.org, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#865413: flatpak: Flatpak security issue #845 involving setuid/world-writable files
Date: Wed, 21 Jun 2017 17:19:49 +0100
On Wed, 21 Jun 2017 at 17:08:03 +0200, Moritz Mühlenhoff wrote:
> On Wed, Jun 21, 2017 at 12:35:43PM +0100, Simon McVittie wrote:
> > Here is a proposed minimal backport for stretch in case you want one.
> > I have source and binaries for this ready for upload.
> 
> Please go ahead.
[...]
> source only uploads should work fine

  Uploading flatpak_0.8.5-2+deb9u1_source.changes: done.

Regards,
    S



Reply sent to Simon McVittie <smcv@debian.org>:
You have taken responsibility. (Wed, 21 Jun 2017 16:36:03 GMT).


Notification sent to Simon McVittie <smcv@debian.org>:
Bug acknowledged by developer. (Wed, 21 Jun 2017 16:36:03 GMT).


Message #32 received at 865413-close@bugs.debian.org:

From: Simon McVittie <smcv@debian.org>
To: 865413-close@bugs.debian.org
Subject: Bug#865413: fixed in flatpak 0.9.6-1
Date: Wed, 21 Jun 2017 16:34:30 +0000
Source: flatpak
Source-Version: 0.9.6-1

We believe that the bug you reported is fixed in the latest version of
flatpak, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 865413@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon McVittie <smcv@debian.org> (supplier of updated flatpak package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Wed, 21 Jun 2017 15:09:59 +0100
Source: flatpak
Binary: flatpak flatpak-builder flatpak-tests gir1.2-flatpak-1.0 libflatpak-dev libflatpak-doc libflatpak0
Architecture: source
Version: 0.9.6-1
Distribution: experimental
Urgency: high
Maintainer: Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Closes: 865413
Description: 
 flatpak    - Application deployment framework for desktop apps
 flatpak-builder - Flatpak application building helper
 flatpak-tests - Application deployment framework for desktop apps (tests)
 gir1.2-flatpak-1.0 - Application deployment framework for desktop apps (introspection)
 libflatpak0 - Application deployment framework for desktop apps (library)
 libflatpak-dev - Application deployment framework for desktop apps (development)
 libflatpak-doc - Application deployment framework for desktop apps (documentation)
Changes:
 flatpak (0.9.6-1) experimental; urgency=high
 .
   * New upstream release
     - Security: prevent deploying files with inappropriate permissions
       (world-writable, setuid, etc.) (Closes: #865413)
     - Security: make ~/.local/share/flatpak private to user to defend
       against app vendors that might have released files with
       inappropriate permissions in the past
     - Bump libostree build-dependency to 2017.7
     - d/p/testlibrary-Call-g_assert_no_error-first.patch:
       Drop, applied upstream
   * Standards-Version: 4.0.0
     - Use https URL for format of debian/copyright




Information forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#865413; Package flatpak. (Wed, 21 Jun 2017 16:57:03 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Wed, 21 Jun 2017 16:57:03 GMT).


Message #37 received at 865413@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Simon McVittie <smcv@debian.org>, 865413@bugs.debian.org
Subject: Re: Bug#865413: flatpak: Flatpak security issue #845 involving setuid/world-writable files
Date: Wed, 21 Jun 2017 18:52:25 +0200
Control: retitle flatpak: CVE-2017-9780: Flatpak security issue #845 involving setuid/world-writable files

Hi Simon,

On Wed, Jun 21, 2017 at 09:46:21AM +0100, Simon McVittie wrote:
> Package: flatpak
> Version: 0.8.5-2
> Severity: critical
> Tags: security fixed-upstream
> Forwarded: https://github.com/flatpak/flatpak/issues/845
> Justification: potentially (in worst case) root security hole
> 
> The Flatpak developers recently released version 0.8.7 fixing a security
> issue. A third-party app repository could include malicious apps that
> contain files with inappropriate permissions, for example setuid or
> world-writable. Older Flatpak versions would deploy the files with those
> permissions, which would let a local attacker run the setuid executable
> or write to the world-writable location.
> 
> In the case of the "system helper", files deployed as part of the app
> are owned by root, so in the worst case they could be setuid root.
> 
> Mitigations:
> * If you are running apps from a third party already, then there is
>   already a trust relationship (the app is sandboxed, but the sandbox
>   is not very strict in practice, and the third-party vendor chooses
>   what permissions the app will have)
> * The default polkit policies will not allow apps to be installed
>   system-wide unless a privileged (root-equivalent) user has added
>   the third-party app repository, which indicates that the privileged
>   user trusts the operator of that repository
> * The attacker exploiting the wrong permissions needs to be local
> 
> It seems that upstream consider this to be a minor security issue due
> to those mitigations.

I requested a CVE for this issue, and it got assigned CVE-2017-9780.
Since you are more into the source package, can you do a post to
oss-security so others are informed as well (in case it is not already
known anyway)?

Regards,
Salvatore



Changed Bug title to 'flatpak: CVE-2017-9780: Flatpak security issue' from 'flatpak: Flatpak security issue #845 involving setuid/world-writable files'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 21 Jun 2017 17:06:07 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#865413; Package flatpak. (Wed, 21 Jun 2017 21:09:05 GMT).


Acknowledgement sent to Simon McVittie <smcv@debian.org>:
Extra info received and forwarded to list. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Wed, 21 Jun 2017 21:09:05 GMT).


Message #44 received at 865413@bugs.debian.org:

From: Simon McVittie <smcv@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 865413@bugs.debian.org
Subject: Re: Bug#865413: flatpak: Flatpak security issue #845 involving setuid/world-writable files
Date: Wed, 21 Jun 2017 22:07:38 +0100
On Wed, 21 Jun 2017 at 18:52:25 +0200, Salvatore Bonaccorso wrote:
> I requested a CVE for this issue, and it got assigned CVE-2017-9780.
> Since you are more in in the source package, can you do a post to
> oss-security so other are informed as well (in case not anyway already
> known?).

I've contacted upstream via the GitHub issue for comment on a draft
advisory.

    S



Marked as found in versions flatpak/0.8.5-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 22 Jun 2017 06:03:03 GMT).


Reply sent to Simon McVittie <smcv@debian.org>:
You have taken responsibility. (Sat, 24 Jun 2017 14:51:07 GMT).


Notification sent to Simon McVittie <smcv@debian.org>:
Bug acknowledged by developer. (Sat, 24 Jun 2017 14:51:07 GMT).


Message #51 received at 865413-close@bugs.debian.org:

From: Simon McVittie <smcv@debian.org>
To: 865413-close@bugs.debian.org
Subject: Bug#865413: fixed in flatpak 0.8.5-2+deb9u1
Date: Sat, 24 Jun 2017 14:47:31 +0000
Source: flatpak
Source-Version: 0.8.5-2+deb9u1

We believe that the bug you reported is fixed in the latest version of
flatpak, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 865413@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon McVittie <smcv@debian.org> (supplier of updated flatpak package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Wed, 21 Jun 2017 12:05:49 +0100
Source: flatpak
Binary: flatpak flatpak-builder flatpak-tests gir1.2-flatpak-1.0 libflatpak-dev libflatpak-doc libflatpak0
Architecture: source
Version: 0.8.5-2+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Closes: 865413
Description: 
 flatpak    - Application deployment framework for desktop apps
 flatpak-builder - Flatpak application building helper
 flatpak-tests - Application deployment framework for desktop apps (tests)
 gir1.2-flatpak-1.0 - Application deployment framework for desktop apps (introspection)
 libflatpak0 - Application deployment framework for desktop apps (library)
 libflatpak-dev - Application deployment framework for desktop apps (development)
 libflatpak-doc - Application deployment framework for desktop apps (documentation)
Changes:
 flatpak (0.8.5-2+deb9u1) stretch-security; urgency=high
 .
   * d/p/Ensure-we-don-t-install-world-writable-dirs-or-setuid-fil.patch:
     Patch from upstream stable release 0.8.7.
     Prevent deploying files with inappropriate permissions
     (world-writable, setuid, etc.) (Closes: #865413)
   * d/p/dir-Ensure-.local-share-flatpak-is-0700.patch:
     Patch from upstream stable release 0.8.7.
     Make ~/.local/share/flatpak private to user to defend against app
     vendors that might have released files with inappropriate permissions
     in the past




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 23 Jul 2017 07:25:44 GMT).


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:46:28 2019; Machine Name: beach