From: Maxime Devos
To: Ludovic Courtès
Subject: Re: TOCTTOU race
Date: Fri, 19 Feb 2021 19:01:11 +0100
In-Reply-To: <87h7m9p8hd.fsf@gnu.org>
List-Id: "Development of GNU Guix and the GNU System distribution."
Cc: guix-devel@gnu.org

On Thu, 2021-02-18 at 18:54 +0100, Ludovic Courtès wrote:
> [...]
> I think this should go either in (gnu build activation) or in a new (gnu
> build utils) module.
>
> (guix build …) is for non-Guix-System things.

I've moved mkdir-p/perms into (gnu build activation).

> > +;; Based upon mkdir-p from (guix build utils)
> > +(define (verify-not-symbolic dir)
> > + [...])

I've replaced the (when (eq? 'symlink) ...) with (unless (eq? 'directory) ...).

> It’s tempting to do something like:
>
> (error "file name component is a directory" dir)

I've added a "not" between "is" and "a"
-> (error "file name component is not a directory" dir)

> Note that, if that happens at boot time, the system will fail to boot (I
> think you’d get a REPL rather than a kernel panic, but it’d be good to
> check in a VM.)

If that happens, that's too bad. Just ignoring the error seems bad from a security
perspective. I verified in a VM you'd get a REPL.
From the REPL, a sysadmin could investigate and choose to delete the offending
symlink & reboot (and presumably fix the security bug and upgrade the service),
or decide Guix System needs to be reinstalled.

> > [...]
>
> Per GNU and Guix convention, “path” is for “search paths”; here it
> should be “file” or something.

Changed in new patch (attached).

Apparently, I forgot a few #:use-module. This should be corrected now.
Please take note that I didn't correct all potentially insecure activation gexps.
These should ideally be done by someone who knows how to use the particular service
and has a system to test it on. (My changes to nscld-service-type and knot-activation
are untested.)

Greetings,
Maxime

[Attachment: 0001-services-prevent-following-symlinks-during-activatio.patch (text/x-patch)]
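Added example, not part of the original message or of the Guix patch: the per-component "must be a directory, not a symlink" check discussed above, written in Python so that the check, the creation and the chown/chmod all go through an open directory descriptor and leave no window between check and use. The name `mkdir_p_perms` mirrors the message's mkdir-p/perms; the numeric uid/gid arguments, the rejection of `..` and the temporary directory layout in `demo` are assumptions of this example.

```python
import errno
import os
import stat
import tempfile

# Every component must open as a real directory, never through a symlink.
_DIR_FLAGS = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW | os.O_CLOEXEC


def mkdir_p_perms(directory, uid, gid, bits):
    """Create DIRECTORY and its ancestors, then set owner and mode on it.

    Each component is created and opened relative to its parent's descriptor,
    so the directory check and the chown/chmod act on the same inode and a
    concurrent symlink swap cannot redirect them.
    """
    absolute = directory.startswith("/")
    fd = os.open("/" if absolute else ".",
                 os.O_RDONLY | os.O_DIRECTORY | os.O_CLOEXEC)
    walked = "" if absolute else "."
    try:
        for name in directory.split("/"):
            if name in ("", "."):
                continue
            if name == "..":
                raise ValueError("'..' is not allowed in " + directory)
            walked += "/" + name
            try:
                # mkdirat(2) does not follow a symlink in the last component.
                os.mkdir(name, 0o755, dir_fd=fd)
            except FileExistsError:
                pass
            try:
                child = os.open(name, _DIR_FLAGS, dir_fd=fd)
            except OSError as e:
                if e.errno in (errno.ELOOP, errno.ENOTDIR):
                    raise NotADirectoryError(
                        errno.ENOTDIR, "file name component is not a directory",
                        walked) from e
                raise
            os.close(fd)
            fd = child
        os.fchown(fd, uid, gid)  # acts on the descriptor, not on the path
        os.fchmod(fd, bits)
    finally:
        os.close(fd)


def demo():
    """Constructed scenario: a symlink planted where a directory is expected."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = os.path.realpath(tmp)
        me = (os.getuid(), os.getgid())
        good = os.path.join(tmp, "var", "run", "svc")
        mkdir_p_perms(good, *me, 0o750)
        mode = stat.S_IMODE(os.stat(good).st_mode)
        os.mkdir(os.path.join(tmp, "elsewhere"))
        os.symlink(os.path.join(tmp, "elsewhere"), os.path.join(tmp, "run"))
        try:
            mkdir_p_perms(os.path.join(tmp, "run", "svc"), *me, 0o755)
            refused = False
        except NotADirectoryError:
            refused = True
        leaked = os.path.exists(os.path.join(tmp, "elsewhere", "svc"))
        return mode, refused, leaked


if __name__ == "__main__":
    print(demo())
```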