Date:      Sat, 2 Jun 2012 01:57:09 -0400
From:      Eitan Adler <lists@eitanadler.com>
To:        ruby@freebsd.org
Cc:        ports-security@freebsd.org
Subject:   Fwd: [oss-security] SQL Injection Vulnerability in Ruby on Rails (CVE-2012-2661)
Message-ID:  <CAF6rxgkjOT5eX%2Bch56QwkRpKQ73cVoCbYrweN5AGR5BJ2femkg@mail.gmail.com>
In-Reply-To: <20120531191656.GC79783@higgins.local>
References:  <20120531191656.GC79783@higgins.local>


A vulnerability has been found in a port you maintain. Please commit
an update and write up a VuXML report. If you need help feel free to
email ports-security@freebsd.org,


---------- Forwarded message ----------
From: Aaron Patterson <tenderlove@ruby-lang.org>
Date: 31 May 2012 15:16
Subject: [oss-security] SQL Injection Vulnerability in Ruby on Rails
(CVE-2012-2661)
To: oss-security@lists.openwall.com


SQL Injection Vulnerability in Ruby on Rails

There is a SQL injection vulnerability in Active Record, version 3.0
and later. This vulnerability has been assigned the CVE identifier
CVE-2012-2661.

Versions Affected:  3.0.0 and ALL later versions
Not affected:       2.3.14
Fixed Versions:     3.2.4, 3.1.5, 3.0.13

Impact
------
Due to the way Active Record handles nested query parameters, an
attacker can use a specially crafted request to inject some forms of
SQL into your application's SQL queries.

All users running an affected release should upgrade immediately.

Impacted code directly passes request params to the `where` method of
an ActiveRecord class like this:

    Post.where(:id => params[:id]).all

An attacker can make a request that causes `params[:id]` to return a
specially crafted hash that will cause the WHERE clause of the SQL
statement to query an arbitrary table with some value.

Releases
--------
The FIXED releases are available at the normal locations.

Workarounds
-----------
This issue can be mitigated by casting the parameter to an expected
value.  For example, change this:

    Post.where(:id => params[:id]).all

to this:

    Post.where(:id => params[:id].to_s).all

Patches
-------
To aid users who aren't able to upgrade immediately we have provided
patches for the two supported release series.  They are in git-am
format and consist of a single changeset.  We have also provided a
patch for the 3.0 series despite the fact it is unmaintained.

* 3-0-params_sql_injection.patch - Patch for 3.0 series
* 3-1-params_sql_injection.patch - Patch for 3.1 series
* 3-2-params_sql_injection.patch - Patch for 3.2 series

Please note that only the 3.1.x and 3.2.x series are supported at
present.  Users of earlier unsupported releases are advised to upgrade
as soon as possible as we cannot guarantee the continued availability
of security fixes for unsupported releases.

Credits
-------

Thanks to Ben Murphy for reporting the vulnerability to us, and to
Chad Pyne of thoughtbot for helping us verify the fix.

--
Aaron Patterson
http://tenderlovemaking.com/


-- 
Eitan Adler
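
Added example, not part of the original advisory or of Rails: the cast from the Workarounds section applied as a helper, next to a stricter variant that rejects nested values and a check that reports which expected-scalar parameters arrived as a Hash or Array. The helper names and the sample params are constructed for illustration and run in plain Ruby without Rails.

```ruby
# Hypothetical helpers (not Rails API) for values headed to `where`.
class NonScalarParam < ArgumentError; end

# The advisory's workaround: cast to String so the value can never be a Hash.
def cast_param(value)
  value.to_s
end

# Stricter variant: reject nested values instead of stringifying them.
def scalar_param!(name, value)
  return value.to_s if value.is_a?(String) || value.is_a?(Numeric)
  raise NonScalarParam, "#{name}: expected scalar, got #{value.class}"
end

# Report which of the expected-scalar keys arrived as a Hash or Array,
# e.g. to log or reject the request before any query is built.
def nested_keys(params, scalar_keys)
  scalar_keys.select { |k| params[k].is_a?(Hash) || params[k].is_a?(Array) }
end

# Constructed sample params, shaped like parsed request parameters.
PLAIN  = { "id" => "42", "page" => "2" }
NESTED = { "id" => { "nested" => "1" }, "page" => "2" }

if __FILE__ == $PROGRAM_NAME
  p nested_keys(PLAIN, %w[id page])    # no nested values
  p nested_keys(NESTED, %w[id page])   # "id" arrived as a Hash
  p cast_param(NESTED["id"]).class     # String after the cast
  begin
    scalar_param!("id", NESTED["id"])
  rescue NonScalarParam => e
    puts e.message
  end
end
```

In a controller the call would read Post.where(:id => scalar_param!("id", params[:id])).all, which keeps the advisory's cast for scalars and fails closed on anything nested.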
