Package: aview; Maintainer for aview is Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>; Source for aview is src:aview (PTS, buildd, popcon).
Reported by: "Dmitry E. Oboukhov" <dimka@uvw.ru>
Date: 2008年8月24日 18:11:48 UTC
Severity: grave
Tags: confirmed, patch, security
Fixed in version aview/1.3.0rc1-8.1
Done: Gerfried Fuchs <rhonda@debian.at>
Bug is archived. No further changes may be made.
View this report as an mbox folder, status mbox, maintainer mbox
Report forwarded to debian-bugs-dist@lists.debian.org, Uwe Hermann <uwe@debian.org>:
Bug#496422; Package aview.
(full text, mbox, link).
Acknowledgement sent to "Dmitry E. Oboukhov" <dimka@uvw.ru>:
New Bug report received and forwarded. Copy sent to Uwe Hermann <uwe@debian.org>.
(full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: aview Severity: grave Hi, maintainer! This message about the error concerns a few packages at once. I've tested all the packages (for Lenny) on my Debian mirror. All scripts of packages (marked as executable) were tested. In some packages I've discovered scripts with errors which may be used by a user for damaging important system files or user's files. For example if a script uses in its work a temp file which is created in /tmp directory, then every user can create symlink with the same name in this directory in order to destroy or rewrite some system or user file. Symlink attack may also lead not only to the data desctruction but to denial of service as well. Even if you create files or directories with help of function 'RANDOM' or pid(), then your system is not protected. Attacker can create many symlinks in order to destroy your data or create 'denial of service' for your package scripts. Even if you make rm(dir) for files/directories, then your system is not protected. Attacker can permanently create symlinks. This list is created with the help of script. This list is sorted by hand. Howewer in some cases mistake is possible. Please, Be understanding to possible mistakes. :) I set Severity into grave for this bug. The table of discovered problems is below. Discussion of this bug you can see in debian-devel@: http://lists.debian.org/debian-devel/2008/08/msg00271.html Binary-package: r-base-core-ra (1.1.1-1) file: /usr/lib/Ra/lib/R/bin/javareconf Binary-package: rccp (0.9-2) file: /usr/lib/rccp/delqueueask Binary-package: mafft (6.240-1) file: /usr/bin/mafft-homologs Binary-package: openoffice.org-common (1:2.4.1-6) file: /usr/lib/openoffice/program/senddoc Binary-package: crossfire-maps (1.11.0-1) file: /usr/share/games/crossfire/maps/Info/combine.pl Binary-package: sgml2x (1.0.0-11.1) file: /usr/bin/rlatex Binary-package: liguidsoap (0.3.6-4) file: /var/lib/liguidsoap/liguidsoap.py Binary-package: citadel-server (7.37-1) file: /usr/lib/citadel-server/migrate_aliases.sh Binary-package: ampache (3.4.1-1) file: /usr/share/ampache/www/locale/base/gather-messages.sh Binary-package: xen-utils-3.2-1 (3.2.1-2) file: /usr/lib/xen-3.2-1/bin/qemu-dm.debug Binary-package: dtc-common (0.29.6-1) file: /usr/share/dtc/admin/accesslog.php file: /usr/share/dtc/admin/sa-wrapper Binary-package: honeyd-common (1.5c-3) file: /usr/share/honeyd/scripts/test.sh Binary-package: lustre-tests (1.6.5-1) file: /usr/lib/lustre/tests/runiozone Binary-package: linuxtrade (3.65-8+b4) file: /usr/share/linuxtrade/bin/linuxtrade.bwkvol file: /usr/share/linuxtrade/bin/linuxtrade.wn file: /usr/share/linuxtrade/bin/moneyam.helper Binary-package: freevo (1.8.1-0) file: /usr/bin/freevo.real Binary-package: fml (4.0.3.dfsg-2) file: /usr/share/fml/libexec/mead.pl Binary-package: rkhunter (1.3.2-3) file: /usr/bin/rkhunter Binary-package: openswan (1:2.4.12+dfsg-1.1) file: /usr/lib/ipsec/livetest Binary-package: linux-patch-openswan (1:2.4.12+dfsg-1.1) file: /usr/src/kernel-patches/all/openswan/packaging/utils/maysnap file: /usr/src/kernel-patches/all/openswan/packaging/utils/maytest Binary-package: aptoncd (0.1-1.1) file: /usr/share/aptoncd/xmlfile.py Binary-package: cdcontrol (1.90-1.1) file: /usr/lib/cdcontrol/writtercontrol Binary-package: newsgate (1.6-23) file: /usr/bin/mkmailpost Binary-package: gpsdrive-scripts (2.10~pre4-3) file: /usr/bin/geo-code Binary-package: impose+ (0.2-11) file: /usr/bin/impose Binary-package: mgt (2.31-5) file: /usr/games/mailgo Binary-package: audiolink (0.05-1) file: /usr/bin/audiolink Binary-package: ibackup (2.27-4.1) file: /usr/bin/ibackup Binary-package: emacspeak (26.0-3) file: /usr/share/emacs/site-lisp/emacspeak/etc/extract-table.pl Binary-package: bk2site (1:1.1.9-3.1) file: /usr/lib/cgi-bin/bk2site/redirect.pl Binary-package: datafreedom-perl (0.1.7-1) file: /usr/bin/dfxml-invoice Binary-package: emacs-jabber (0.7.91-1) file: /usr/lib/emacsen-common/packages/install/emacs-jabber Binary-package: lmbench (3.0-a7-1) file: /usr/lib/lmbench/scripts/rccs file: /usr/lib/lmbench/scripts/STUFF Binary-package: rancid-util (2.3.2~a8-1) file: /var/lib/rancid/getipacctg Binary-package: ogle (0.9.2-5.2) file: /usr/lib/ogle/ogle_audio_debug file: /usr/lib/ogle/ogle_cli_debug file: /usr/lib/ogle/ogle_ctrl_debug file: /usr/lib/ogle/ogle_gui_debug file: /usr/lib/ogle/ogle_mpeg_ps_debug file: /usr/lib/ogle/ogle_mpeg_vs_debug file: /usr/lib/ogle/ogle_nav_debug file: /usr/lib/ogle/ogle_vout_debug Binary-package: firehol (1.256-4) file: /sbin/firehol Binary-package: aview (1.3.0rc1-8) file: /usr/bin/asciiview Binary-package: radiance (3R9+20080530-3) file: /usr/bin/optics2rad file: /usr/bin/pdelta file: /usr/bin/dayfact file: /usr/bin/raddepend Binary-package: vdr-dbg (1.6.0-5) file: /usr/bin/vdrleaktest Binary-package: ogle-mmx (0.9.2-5.2) file: /usr/lib/ogle/ogle_audio_debug file: /usr/lib/ogle/ogle_cli_debug file: /usr/lib/ogle/ogle_ctrl_debug file: /usr/lib/ogle/ogle_gui_debug file: /usr/lib/ogle/ogle_mpeg_ps_debug file: /usr/lib/ogle/ogle_mpeg_vs_debug file: /usr/lib/ogle/ogle_nav_debug file: /usr/lib/ogle/ogle_vout_debug Binary-package: convirt (0.8.2-3) file: /usr/share/convirt/image_store/_template_/provision.sh file: /usr/share/convirt/image_store/Linux_CD_Install/provision.sh file: /usr/share/convirt/image_store/Fedora_PV_Install/provision.sh file: /usr/share/convirt/image_store/CentOS_PV_Install/provision.sh file: /usr/share/convirt/image_store/common/provision.sh file: /usr/share/convirt/image_store/example/provision.sh file: /usr/share/convirt/image_store/Windows_CD_Install/provision.sh Binary-package: printfilters-ppd (2.13-9) file: /usr/lib/printfilters/master-filter Binary-package: r-base-core (2.7.1-1) file: /usr/lib/R/bin/javareconf file: /usr/lib/R/bin/javareconf.orig Binary-package: xmcd (2.6-19.3) file: /usr/share/xmcd/scripts/ncsarmt file: /usr/share/xmcd/scripts/ncsawrap Binary-package: tiger (1:3.2.2-3.1) file: /usr/lib/tiger/util/genmsgidx Binary-package: scilab-bin (4.1.2-5) file: /usr/lib/scilab-4.1.2/bin/scilink file: /usr/lib/scilab-4.1.2/util/scidoc file: /usr/lib/scilab-4.1.2/util/scidem Binary-package: dpkg-cross (2.3.0) file: /usr/share/dpkg-cross/bin/gccross Binary-package: ltp-network-test (20060918-2.1) file: /usr/lib/debian-test/tests/linux/testcases/bin/ftp_setup_vsftp_conf file: /usr/lib/debian-test/tests/linux/testcases/bin/nfs_fsstress.sh Binary-package: cman (2.20080629-1) file: /usr/sbin/fence_egenera Binary-package: scratchbox2 (1.99.0.24-1) file: /usr/share/scratchbox2/scripts/dpkg-checkbuilddeps file: /usr/share/scratchbox2/scripts/sb2-check-pkg-mappings Binary-package: sendmail-base (8.14.3-5) file: /usr/sbin/checksendmail file: /usr/bin/expn Binary-package: fwbuilder (2.1.19-3) file: /usr/bin/fwb_install Binary-package: sng (1.0.2-5) file: /usr/bin/sng_regress Binary-package: dist (1:3.5-17-1) file: /usr/bin/patcil file: /usr/bin/patdiff Binary-package: sympa (5.3.4-5) file: /usr/lib/cgi-bin/sympa/wwsympa.fcgi file: /usr/lib/sympa/bin/sympa.pl Binary-package: postfix (2.5.2-2) file: /usr/lib/postfix_groups.pl Binary-package: caudium (3:1.4.12-11) file: /usr/share/caudium/configvar Binary-package: mgetty-fax (1.1.36-1.2) file: /usr/bin/faxspool Binary-package: aegis (4.24-3) file: /usr/share/doc/aegis/examples/remind/bng_dvlpd.sh file: /usr/share/doc/aegis/examples/remind/bng_rvwd.sh file: /usr/share/doc/aegis/examples/remind/awt_dvlp.sh file: /usr/share/doc/aegis/examples/remind/awt_intgrtn.sh Binary-package: aegis-web (4.24-3) file: /usr/lib/cgi-bin/aegis.cgi Binary-package: digitaldj (0.7.5-6+b1) file: /usr/share/digitaldj/fest.pl Binary-package: mon (0.99.2-12) file: /usr/lib/mon/alert.d/test.alert Binary-package: feta (1.4.16) file: /usr/share/feta/plugins/to-upgrade Binary-package: arb-common (0.0.20071207.1-4) file: /usr/lib/arb/SH/arb_fastdnaml file: /usr/lib/arb/SH/dszmconnect.pl Binary-package: qemu (0.9.1-5) file: /usr/sbin/qemu-make-debian-root Binary-package: apertium (3.0.7+1-1+b1) file: /usr/bin/apertium-gen-deformat file: /usr/bin/apertium-gen-reformat file: /usr/bin/apertium Binary-package: xcal (4.1-18.3) file: /usr/bin/pscal Binary-package: myspell-tools (1:3.1-20) file: /usr/bin/i2myspell Binary-package: gccxml (0.9.0+cvs20080525-1) file: /usr/share/gccxml-0.9/MIPSpro/find_flags Binary-package: freeradius-dialupadmin (2.0.4+dfsg-4) file: /usr/share/freeradius-dialupadmin/bin/backup_radacct file: /usr/share/freeradius-dialupadmin/bin/clean_radacct file: /usr/share/freeradius-dialupadmin/bin/monthly_tot_stats file: /usr/share/freeradius-dialupadmin/bin/tot_stats file: /usr/share/freeradius-dialupadmin/bin/truncate_radacct Binary-package: dhis-server (5.3-1) file: /usr/lib/dhis-server/dhis-dummy-log-engine Binary-package: wims (3.62-13) file: /var/lib/wims/public_html/bin/coqweb file: /var/lib/wims/bin/account.sh Binary-package: initramfs-tools (0.92f) file: /usr/share/initramfs-tools/init Binary-package: realtimebattle-common (1.0.8-7) file: /usr/lib/realtimebattle/Robots/perl.robot Binary-package: netmrg (0.20-1) file: /usr/bin/rrdedit Binary-package: bulmages-servers (0.11.1-2) file: /usr/share/bulmages/examples/scripts/actualizabulmacont file: /usr/share/bulmages/examples/scripts/installbulmages-db file: /usr/share/bulmages/examples/scripts/creabulmafact file: /usr/share/bulmages/examples/scripts/creabulmacont file: /usr/share/bulmages/examples/scripts/actualizabulmafact Binary-package: xastir (1.9.2-1) file: /usr/lib/xastir/get-maptools.sh file: /usr/lib/xastir/get_shapelib.sh Binary-package: plait (1.5.2-1) file: /usr/bin/plaiter file: /usr/bin/plait Binary-package: cdrw-taper (0.4-2) file: /usr/sbin/amlabel-cdrw Binary-package: konwert-filters (1.8-11.1) file: /usr/share/konwert/filters/any-UTF8 Binary-package: gdrae (0.1-1) file: /usr/bin/gdrae Binary-package: lazarus-src (0.9.24-0-9) file: /usr/lib/lazarus/tools/install/create_lazarus_export_tgz.sh
Noted your statement that Bug has been forwarded to http://sf.net/support/tracker.php?aid=2072147.
Request was from "Thijs Kinkhorst" <thijs@debian.org>
to control@bugs.debian.org.
(2008年8月24日 20:15:03 GMT) (full text, mbox, link).
Removed annotation that Bug had been forwarded to http://sf.net/support/tracker.php?aid=2072147.
Request was from Thijs Kinkhorst <thijs@debian.org>
to control@bugs.debian.org.
(2008年8月25日 11:24:03 GMT) (full text, mbox, link).
Information forwarded to debian-bugs-dist@lists.debian.org, Uwe Hermann <uwe@debian.org>:
Bug#496422; Package aview.
(full text, mbox, link).
Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Uwe Hermann <uwe@debian.org>.
(full text, mbox, link).
Message #14 received at 496422@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
tags 496422 confirmed security thanks Hi, The issue is indeed clearly present in asciiview, for example: myconvert $name >/tmp/aview$$.pgm Since it's a shell script this can probably be quite easily addressed by using the essential 'mktemp' to create the temporary file. cheers, Thijs
[Message part 2 (application/pgp-signature, inline)]
Tags added: confirmed, security
Request was from Thijs Kinkhorst <thijs@debian.org>
to control@bugs.debian.org.
(2008年8月25日 15:51:08 GMT) (full text, mbox, link).
Tags added:
Request was from "Dmitry E. Oboukhov" <dimka@uvw.ru>
to control@bugs.debian.org.
(2008年8月26日 08:45:51 GMT) (full text, mbox, link).
Tags added: security
Request was from "Dmitry E. Oboukhov" <dimka@uvw.ru>
to control@bugs.debian.org.
(2008年8月26日 08:57:40 GMT) (full text, mbox, link).
Information forwarded to debian-bugs-dist@lists.debian.org, Uwe Hermann <uwe@debian.org>:
Bug#496422; Package aview.
(full text, mbox, link).
Acknowledgement sent to Patryk Cisek <patryk@prezu.one.pl>:
Extra info received and forwarded to list. Copy sent to Uwe Hermann <uwe@debian.org>.
Your message did not contain a Subject field. They are recommended and useful because the title of a $gBug is determined using this field. Please remember to include a Subject field in your messages in future.
Message #25 received at 496422@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
I attached a patch with a fix for this bug. -- Patryk Cisek
[496422.patch (text/x-diff, attachment)]
[signature.asc (application/pgp-signature, inline)]
Tags added: patch
Request was from Patryk Cisek <patryk@prezu.one.pl>
to control@bugs.debian.org.
(2008年8月31日 14:30:04 GMT) (full text, mbox, link).
Information forwarded to debian-bugs-dist@lists.debian.org, Uwe Hermann <uwe@debian.org>:
Bug#496422; Package aview.
(full text, mbox, link).
Acknowledgement sent to Gerfried Fuchs <rhonda@deb.at>:
Extra info received and forwarded to list. Copy sent to Uwe Hermann <uwe@debian.org>.
(full text, mbox, link).
Message #32 received at 496422@bugs.debian.org (full text, mbox, reply):
* Patryk Cisek <patryk@prezu.one.pl> [2008年08月31日 16:28:09 CEST]: > I attached a patch with a fix for this bug. Unfortunately your patch contains another problem: It cleans up any files instead of only the process's own created ones which lead to runtime issues with multiple concurent running instances. As the trap function for exit has access to all the variables used at the time it's called there is no problem having clear() directly "rm -f $tmpfilenam" instead. I'm currently testing that approach and will upload an NMU in a short while. So long, Rhonda
Information forwarded to debian-bugs-dist@lists.debian.org, Uwe Hermann <uwe@debian.org>:
Bug#496422; Package aview.
(full text, mbox, link).
Acknowledgement sent to Gerfried Fuchs <rhonda@deb.at>:
Extra info received and forwarded to list. Copy sent to Uwe Hermann <uwe@debian.org>.
(full text, mbox, link).
Message #37 received at 496422@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
* Gerfried Fuchs <rhonda@deb.at> [2008年09月01日 12:00:42 CEST]: > * Patryk Cisek <patryk@prezu.one.pl> [2008年08月31日 16:28:09 CEST]: > > I attached a patch with a fix for this bug. > > Unfortunately your patch contains another problem: It cleans up any > files instead of only the process's own created ones which lead to > runtime issues with multiple concurent running instances. ... furthermore, the tempfilenam you introduced doesn't end in .pgm and thus the script doesn't work. Did you actually test your patch? :) Find attached the interdiff with a tested patch for the NMU I uploaded just right now. So long, and thanks for taking care of this nice tool. :) Rhonda
[aview_1.3.0rc1-8_1.3.0rc1-8.1.interdiff.gz (application/octet-stream, attachment)]
Information forwarded to debian-bugs-dist@lists.debian.org, Uwe Hermann <uwe@debian.org>:
Bug#496422; Package aview.
(full text, mbox, link).
Acknowledgement sent to Patryk Cisek <patryk@prezu.one.pl>:
Extra info received and forwarded to list. Copy sent to Uwe Hermann <uwe@debian.org>.
(full text, mbox, link).
Message #42 received at 496422@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Monday 01 of September 2008 12:38:52 Gerfried Fuchs napisał(a): > ... furthermore, the tempfilenam you introduced doesn't end in .pgm and > thus the script doesn't work. Did you actually test your patch? :) Yes, I tested it with jpg files. I didn't have any .fli, .lfc, or .flic, so didn't check those. Only if the aview $options $tmpfilenam executes. So the problem you're referring to is related to those files? Just out of curiosity, could you please shed some light on it? I mean the .pgm file name extension problem. :] Cause with jpeg works just as expected. -- Patryk Cisek
[signature.asc (application/pgp-signature, inline)]
Reply sent to Gerfried Fuchs <rhonda@debian.at>:
You have taken responsibility.
(full text, mbox, link).
Notification sent to "Dmitry E. Oboukhov" <dimka@uvw.ru>:
Bug acknowledged by developer.
(full text, mbox, link).
Message #47 received at 496422-close@bugs.debian.org (full text, mbox, reply):
Source: aview Source-Version: 1.3.0rc1-8.1 We believe that the bug you reported is fixed in the latest version of aview, which is due to be installed in the Debian FTP archive: aview_1.3.0rc1-8.1.diff.gz to pool/main/a/aview/aview_1.3.0rc1-8.1.diff.gz aview_1.3.0rc1-8.1.dsc to pool/main/a/aview/aview_1.3.0rc1-8.1.dsc aview_1.3.0rc1-8.1_powerpc.deb to pool/main/a/aview/aview_1.3.0rc1-8.1_powerpc.deb A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 496422@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Gerfried Fuchs <rhonda@debian.at> (supplier of updated aview package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Format: 1.8 Date: 2008年9月01日 12:14:00 +0200 Source: aview Binary: aview Architecture: source powerpc Version: 1.3.0rc1-8.1 Distribution: unstable Urgency: low Maintainer: Uwe Hermann <uwe@debian.org> Changed-By: Gerfried Fuchs <rhonda@debian.at> Description: aview - A high quality ASCII art image viewer and video player Closes: 496422 Changes: aview (1.3.0rc1-8.1) unstable; urgency=low . * Non-maintainer upload fixing security propblem with tmp files, thanks to Patryk Cisek for the idea (closes: #496422) Checksums-Sha1: 8d7210764f3bfb9eb0ebc154c85a7139274c6b91 980 aview_1.3.0rc1-8.1.dsc ae3ec8fd09a2dfab02c7af1a81665ec5d9fd6229 8300 aview_1.3.0rc1-8.1.diff.gz 0eeb643c99493f63ca1f9e4231fdb5d93237c872 34532 aview_1.3.0rc1-8.1_powerpc.deb Checksums-Sha256: a46fd20167e71803115ad25981be2fda7b1ad592d14d68fc8c6f1cd5f65ecaee 980 aview_1.3.0rc1-8.1.dsc 4e63dccf1e8145c586d682621ca04286e5c1437ee0c2b63a9c0fc8f220675201 8300 aview_1.3.0rc1-8.1.diff.gz c59fa0dd1763d2b5e31dc87672da6fcbd63372faabbb31d27d27545928d1e07e 34532 aview_1.3.0rc1-8.1_powerpc.deb Files: 385c0eb34a13d44fc7d9844dc7e86f16 980 graphics optional aview_1.3.0rc1-8.1.dsc 1678a32e1a9dde03cfd264aa886faeca 8300 graphics optional aview_1.3.0rc1-8.1.diff.gz d35079bd2c58ece9dbf1ca63a63384ff 34532 graphics optional aview_1.3.0rc1-8.1_powerpc.deb -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iEYEARECAAYFAki7xjcACgkQELuA/Ba9d8Y04QCgpvUXY4LW48ucBIdV+NIjDtJD U5EAn20rmM3jmx3Jknh0QXzKkF8f93PX =3Ote -----END PGP SIGNATURE-----
Information forwarded to debian-bugs-dist@lists.debian.org, Uwe Hermann <uwe@debian.org>:
Bug#496422; Package aview.
(full text, mbox, link).
Acknowledgement sent to Gerfried Fuchs <rhonda@deb.at>:
Extra info received and forwarded to list. Copy sent to Uwe Hermann <uwe@debian.org>.
(full text, mbox, link).
Message #52 received at 496422@bugs.debian.org (full text, mbox, reply):
* Patryk Cisek <patryk@prezu.one.pl> [2008年09月01日 13:00:17 CEST]: > Monday 01 of September 2008 12:38:52 Gerfried Fuchs napisał(a): > > ... furthermore, the tempfilenam you introduced doesn't end in .pgm and > > thus the script doesn't work. Did you actually test your patch? :) > > Yes, I tested it with jpg files. I didn't have any .fli, .lfc, or .flic, so > didn't check those. Only if the aview $options $tmpfilenam executes. So the > problem you're referring to is related to those files? Just out of curiosity, > could you please shed some light on it? I mean the .pgm file name extension > problem. :] Cause with jpeg works just as expected. Erm, that problem was a problem at my end at first, because I didn't like the mktemp -u approach you chose, because of hopefully understandable reasons. It would still had been a race condition, just a very limited one. So I just removed the -u switch but didn't notice the error message that mkfifo wasn't able to create the fifo - and thus in the end the rest failed obviously. As I was going a different path anyway, that small understanding problem with your approach wasn't a big problem. Sorry for the confusion. :) So long! :) Rhonda
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(2009年3月16日 08:10:31 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debbugs is free software and licensed under the terms of the GNU General Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.