From: Maxime Devos
To: Ludovic Courtès
Cc: guix-devel@gnu.org
Subject: TOCTTOU race (was: Potential security weakness in Guix services)
Date: Sun, 14 Feb 2021 13:29:29 +0100
Message-ID: <53c60ce40d68cfc93a9ea2c4a8f865026e12c889.camel@telenet.be>
In-Reply-To: <87zh0gzy52.fsf@gnu.org>

On Sat, 2021-02-06 at 22:26 +0100, Ludovic Courtès wrote:
>
> [...]
> I understand the TOCTTOU race. However, activation code runs in two
> situations: when booting the system (before shepherd takes over), and
> upon ‘guix system reconfigure’ completion.
>
> When booting the system, there’s just no process out there to take
> advantage of the race condition.
>
> In the second case, presumably all the file name components already
> exist.

In the second situation, a compromised service could quickly rename a
component to something else and create a symlink in place, and after the
activation code has changed permissions and owner remove the symlink and
rename the component back to avoid suspicion.

(The old component could be removed entirely and replaced with a symlink,
but that will likely break something, which may lead to the sysadmin
investigating.)

(The attack method I'm describing here of course only works if the
compromised service has control over both the component and the parent
directory.)

> Does that make sense?

Maybe? While I would prefer there would *not* be a TOCTTOU race, we may
have to live with that for the moment (and even with a TOCTTOU race, at
least an attacker only has a narrow window).

I'll submit a new patch *without* a TOCTTOU race once openat, fstatat, ...
bindings make it into guile, but for the meantime, I've attached a patch
with the TOCTTOU race.

I've tested with 'make check-system TESTS="basic cups"'. I couldn't test
all affected services, unfortunately, due to lack of system tests.

Thoughts?

Greetings,
Maxime.

[Attachment: 0001-services-prevent-following-symlinks-during-activatio.patch (text/x-patch)]
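The message defers a race-free version until openat/fstatat-style bindings are available. As an added example (not part of the original message or of the attached patch), this is one way that descriptor-based walk looks in C; the name `mkdir_p_perms_at` and the scratch paths used in `demo` are hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not Guix code.  Create every component of relative
   path REL below ROOTFD, refusing symlinks, then set owner and mode on the
   final directory through its descriptor.  Returns 0, or -1 with errno set. */
int mkdir_p_perms_at(int rootfd, const char *rel, uid_t uid, gid_t gid, mode_t mode)
{
    char *copy = strdup(rel), *save = NULL;
    int dirfd = dup(rootfd), rc = -1, saved;
    if (!copy || dirfd < 0) goto out;
    for (char *c = strtok_r(copy, "/", &save); c; c = strtok_r(NULL, "/", &save)) {
        if (strcmp(c, "..") == 0) { errno = EINVAL; goto out; }
        /* EEXIST is fine: whatever already exists is vetted by openat(). */
        if (mkdirat(dirfd, c, 0755) < 0 && errno != EEXIST) goto out;
        /* O_NOFOLLOW fails on a symlink, O_DIRECTORY on any non-directory. */
        int next = openat(dirfd, c, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
        if (next < 0) goto out;
        close(dirfd);
        dirfd = next;
    }
    /* fchown/fchmod act on the opened inode, not on a name that could have
       been renamed or swapped for a symlink since the check. */
    if (fchown(dirfd, uid, gid) == 0 && fchmod(dirfd, mode) == 0) rc = 0;
out:
    saved = errno;
    if (dirfd >= 0) close(dirfd);
    free(copy);
    errno = saved;
    return rc;
}

/* Constructed demo: in a scratch tree, "var/link" is a symlink to a 0700
   "victim" directory.  Returns 0 if the plain path is created with mode 0755
   and both symlinked paths are refused with the victim left untouched. */
int demo(void)
{
    char tmpl[] = "/tmp/mkdirp-demo-XXXXXX";
    struct stat st;
    uid_t u = getuid();
    gid_t g = getgid();
    int root = mkdtemp(tmpl) ? open(tmpl, O_RDONLY | O_DIRECTORY | O_CLOEXEC) : -1;
    if (root < 0) return 1;
    if (mkdir_p_perms_at(root, "var/run/svc", u, g, 0755) != 0) return 2;
    if (fstatat(root, "var/run/svc", &st, AT_SYMLINK_NOFOLLOW) != 0 ||
        !S_ISDIR(st.st_mode) || (st.st_mode & 0777) != 0755) return 3;
    if (mkdirat(root, "victim", 0700) != 0 ||
        symlinkat("../victim", root, "var/link") != 0) return 4;
    if (mkdir_p_perms_at(root, "var/link", u, g, 0777) == 0) return 5;
    if (mkdir_p_perms_at(root, "var/link/sub", u, g, 0777) == 0) return 6;
    if (fstatat(root, "victim", &st, 0) != 0 || (st.st_mode & 0777) != 0700) return 7;
    if (faccessat(root, "victim/sub", F_OK, 0) == 0) return 8;
    close(root);
    return 0;
}

int main(void)
{
    int rc = demo();
    printf("demo %s (code %d)\n", rc == 0 ? "passed" : "failed", rc);
    return rc;
}
```

Because each component is opened relative to the descriptor of the one before it, renaming a directory and putting a symlink in its place between the check and the chown/chmod has no effect on which inode is modified.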