Bug#480011: marked as done (kvm contains several qemu vulnerabilities)

[Debian Bug Tracking System]

Your message dated Tue, 20 May 2008 14:47:03 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#480011: fixed in kvm 66+dfsg-1.1
has caused the Debian Bug report #480011,
regarding kvm contains several qemu vulnerabilities
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
480011: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=480011
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems

--- Begin Message ---

Package: kvm
Version: 66+dfsg-1.1
Severity: critical
Tags: patch security
Justification: root security hole
User: [EMAIL PROTECTED]
Usertags: origin-ubuntu hardy ubuntu-patch

Attached is a patch to address several open CVEs in the embedded qemu
software in kvm. These issues were addressed in [1] and [2] in qemu, but
not kvm.

This patch has been extensively tested in Ubuntu's kvm62, which has the
same embedded version of qemu (0.9.1) as kvm66 in sid. The Ubuntu patch is
the same as 90_security.patch from qemu 0.9.1-1 (excepting some fuzz). The
attached patch for sid's kvm is the same as the patch for Ubuntu, except it
had to be changed slightly because CVE-2008-0928.patch is applied first in
sid.

Please note that this does not include the fix for CVE-2008-2004, which was
recently included in qemu (0.9.1-5).

A suggested changelog entry might be:

  * debian/patches/CVE-2007-1320+1321+1322+1366+2893.patch based on
    90_security.patch from qemu 0.9.1-1. Please note that CVE-2007-2893 is
    also known as CVE-2007-1323, and CVE-2007-5729 and CVE-2007-5730 are known
    as CVE-2007-1321 in Debian. This patch addresses the following:
    - Cirrus LGD-54XX "bitblt" heap overflow.
    - NE2000 "mtu" heap overflow.
    - QEMU "net socket" heap overflow.
    - QEMU NE2000 "receive" integer signedness error.
    - Infinite loop in the emulated SB16 device.
    - Unprivileged "aam" instruction does not correctly handle the
      undocumented divisor operand.
    - Unprivileged "icebp" instruction will halt emulation.


[1] http://www.debian.org/security/2007/dsa-1284
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=424070

Jamie Strandboge

diff -u kvm-66+dfsg/debian/changelog kvm-66+dfsg/debian/changelog
diff -u kvm-66+dfsg/debian/patches/series kvm-66+dfsg/debian/patches/series
--- kvm-66+dfsg/debian/patches/series
+++ kvm-66+dfsg/debian/patches/series
@@ -10,0 +11 @@
+CVE-2007-1320+1321+1322+1366+2893.patch
only in patch2:
unchanged:
--- kvm-66+dfsg.orig/debian/patches/CVE-2007-1320+1321+1322+1366+2893.patch
+++ kvm-66+dfsg/debian/patches/CVE-2007-1320+1321+1322+1366+2893.patch
@@ -0,0 +1,323 @@
+diff -Nur kvm-66+dfsg/qemu/block.c kvm-66+dfsg.new/qemu/block.c
+--- kvm-66+dfsg/qemu/block.c	2008-05-07 09:59:51.000000000 -0400
++++ kvm-66+dfsg.new/qemu/block.c	2008-05-07 10:03:24.000000000 -0400
+@@ -612,6 +612,8 @@
+         return -ENOMEDIUM;
+     if (bs->read_only)
+         return -EACCES;
++    if (sector_num < 0)
++        return -EINVAL;
+     if (bdrv_wr_badreq_sectors(bs, sector_num, nb_sectors))
+         return -EDOM;
+     if (sector_num == 0 && bs->boot_sector_enabled && nb_sectors > 0) {
+@@ -619,8 +621,14 @@
+     }
+     if (drv->bdrv_pwrite) {
+         int ret, len;
++        int64_t ns;
++
+         len = nb_sectors * 512;
+-        ret = drv->bdrv_pwrite(bs, sector_num * 512, buf, len);
++        ns = sector_num * 512;
++        if (ns < 0)
++            return -EINVAL;
++
++        ret = drv->bdrv_pwrite(bs, ns, buf, len);
+         if (ret < 0)
+             return ret;
+         else if (ret != len)
+diff -Nur kvm-66+dfsg/qemu/hw/cirrus_vga.c kvm-66+dfsg.new/qemu/hw/cirrus_vga.c
+--- kvm-66+dfsg/qemu/hw/cirrus_vga.c	2008-04-15 09:35:58.000000000 -0400
++++ kvm-66+dfsg.new/qemu/hw/cirrus_vga.c	2008-05-07 10:00:01.000000000 -0400
+@@ -224,6 +224,20 @@
+ #define CIRRUS_HOOK_NOT_HANDLED 0
+ #define CIRRUS_HOOK_HANDLED 1
+ 
++#define BLTUNSAFE(s) \
++    ( \
++        ( /* check dst is within bounds */ \
++            (s)->cirrus_blt_height * (s)->cirrus_blt_dstpitch \
++                + ((s)->cirrus_blt_dstaddr & (s)->cirrus_addr_mask) > \
++                    (s)->vram_size \
++        ) || \
++        ( /* check src is within bounds */ \
++            (s)->cirrus_blt_height * (s)->cirrus_blt_srcpitch \
++                + ((s)->cirrus_blt_srcaddr & (s)->cirrus_addr_mask) > \
++                    (s)->vram_size \
++        ) \
++    )
++
+ struct CirrusVGAState;
+ typedef void (*cirrus_bitblt_rop_t) (struct CirrusVGAState *s,
+                                      uint8_t * dst, const uint8_t * src,
+@@ -645,7 +659,7 @@
+ 
+     for (y = 0; y < lines; y++) {
+ 	off_cur = off_begin;
+-	off_cur_end = off_cur + bytesperline;
++	off_cur_end = (off_cur + bytesperline) & s->cirrus_addr_mask;
+ 	off_cur &= TARGET_PAGE_MASK;
+ 	while (off_cur < off_cur_end) {
+ 	    cpu_physical_memory_set_dirty(s->vram_offset + off_cur);
+@@ -660,7 +674,11 @@
+ {
+     uint8_t *dst;
+ 
+-    dst = s->vram_ptr + s->cirrus_blt_dstaddr;
++    dst = s->vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask);
++
++    if (BLTUNSAFE(s))
++        return 0;
++
+     (*s->cirrus_rop) (s, dst, src,
+                       s->cirrus_blt_dstpitch, 0,
+                       s->cirrus_blt_width, s->cirrus_blt_height);
+@@ -676,8 +694,10 @@
+ {
+     cirrus_fill_t rop_func;
+ 
++    if (BLTUNSAFE(s))
++        return 0;
+     rop_func = cirrus_fill[rop_to_index[blt_rop]][s->cirrus_blt_pixelwidth - 1];
+-    rop_func(s, s->vram_ptr + s->cirrus_blt_dstaddr,
++    rop_func(s, s->vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask), 
+              s->cirrus_blt_dstpitch,
+              s->cirrus_blt_width, s->cirrus_blt_height);
+     cirrus_invalidate_region(s, s->cirrus_blt_dstaddr,
+@@ -696,8 +716,8 @@
+ static int cirrus_bitblt_videotovideo_patterncopy(CirrusVGAState * s)
+ {
+     return cirrus_bitblt_common_patterncopy(s,
+-					    s->vram_ptr +
+-                                            (s->cirrus_blt_srcaddr & ~7));
++					    s->vram_ptr + ((s->cirrus_blt_srcaddr & ~7) &
++                                            s->cirrus_addr_mask));
+ }
+ 
+ static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
+@@ -747,8 +767,10 @@
+     if (notify)
+ 	vga_hw_update();
+ 
+-    (*s->cirrus_rop) (s, s->vram_ptr + s->cirrus_blt_dstaddr,
+-		      s->vram_ptr + s->cirrus_blt_srcaddr,
++    (*s->cirrus_rop) (s, s->vram_ptr +
++		          (s->cirrus_blt_dstaddr & s->cirrus_addr_mask),
++		          s->vram_ptr +
++		          (s->cirrus_blt_srcaddr & s->cirrus_addr_mask),
+ 		      s->cirrus_blt_dstpitch, s->cirrus_blt_srcpitch,
+ 		      s->cirrus_blt_width, s->cirrus_blt_height);
+ 
+@@ -774,8 +796,14 @@
+ 		       s->cirrus_blt_srcaddr - s->start_addr,
+ 		       s->cirrus_blt_width, s->cirrus_blt_height);
+     } else {
+-	(*s->cirrus_rop) (s, s->vram_ptr + s->cirrus_blt_dstaddr,
+-			  s->vram_ptr + s->cirrus_blt_srcaddr,
++
++    if (BLTUNSAFE(s))
++        return 0;
++
++	(*s->cirrus_rop) (s, s->vram_ptr +
++                (s->cirrus_blt_dstaddr & s->cirrus_addr_mask),
++			  s->vram_ptr +
++                (s->cirrus_blt_srcaddr & s->cirrus_addr_mask),
+ 			  s->cirrus_blt_dstpitch, s->cirrus_blt_srcpitch,
+ 			  s->cirrus_blt_width, s->cirrus_blt_height);
+ 
+@@ -807,8 +835,9 @@
+         } else {
+             /* at least one scan line */
+             do {
+-                (*s->cirrus_rop)(s, s->vram_ptr + s->cirrus_blt_dstaddr,
+-                                 s->cirrus_bltbuf, 0, 0, s->cirrus_blt_width, 1);
++                (*s->cirrus_rop)(s, s->vram_ptr +
++                    (s->cirrus_blt_dstaddr & s->cirrus_addr_mask),
++                        s->cirrus_bltbuf, 0, 0, s->cirrus_blt_width, 1);
+                 cirrus_invalidate_region(s, s->cirrus_blt_dstaddr, 0,
+                                          s->cirrus_blt_width, 1);
+                 s->cirrus_blt_dstaddr += s->cirrus_blt_dstpitch;
+@@ -1929,7 +1958,7 @@
+     unsigned val = mem_value;
+     uint8_t *dst;
+ 
+-    dst = s->vram_ptr + offset;
++    dst = s->vram_ptr + (offset &= s->cirrus_addr_mask);
+     for (x = 0; x < 8; x++) {
+ 	if (val & 0x80) {
+ 	    *dst = s->cirrus_shadow_gr1;
+@@ -1952,7 +1981,7 @@
+     unsigned val = mem_value;
+     uint8_t *dst;
+ 
+-    dst = s->vram_ptr + offset;
++    dst = s->vram_ptr + (offset &= s->cirrus_addr_mask);
+     for (x = 0; x < 8; x++) {
+ 	if (val & 0x80) {
+ 	    *dst = s->cirrus_shadow_gr1;
+diff -Nur kvm-66+dfsg/qemu/hw/cirrus_vga_rop.h kvm-66+dfsg.new/qemu/hw/cirrus_vga_rop.h
+--- kvm-66+dfsg/qemu/hw/cirrus_vga_rop.h	2008-04-15 09:35:58.000000000 -0400
++++ kvm-66+dfsg.new/qemu/hw/cirrus_vga_rop.h	2008-05-07 10:00:01.000000000 -0400
+@@ -31,6 +31,12 @@
+     int x,y;
+     dstpitch -= bltwidth;
+     srcpitch -= bltwidth;
++
++    if (dstpitch < 0 || srcpitch < 0) {
++        /* is 0 valid? srcpitch == 0 could be useful */
++        return;
++    }
++
+     for (y = 0; y < bltheight; y++) {
+         for (x = 0; x < bltwidth; x++) {
+             ROP_OP(*dst, *src);
+diff -Nur kvm-66+dfsg/qemu/hw/dma.c kvm-66+dfsg.new/qemu/hw/dma.c
+--- kvm-66+dfsg/qemu/hw/dma.c	2008-04-15 09:35:58.000000000 -0400
++++ kvm-66+dfsg.new/qemu/hw/dma.c	2008-05-07 10:00:01.000000000 -0400
+@@ -341,9 +341,11 @@
+ #endif
+ 
+     r = dma_controllers[ncont].regs + ichan;
+-    n = r->transfer_handler (r->opaque, ichan + (ncont << 2),
+-                             r->now[COUNT], (r->base[COUNT] + 1) << ncont);
+-    r->now[COUNT] = n;
++    if (r->transfer_handler) {
++        n = r->transfer_handler (r->opaque, ichan + (ncont << 2),
++                                 r->now[COUNT], (r->base[COUNT] + 1) << ncont);
++        r->now[COUNT] = n;
++    }
+     ldebug ("dma_pos %d size %d\n", n, (r->base[COUNT] + 1) << ncont);
+ }
+ 
+diff -Nur kvm-66+dfsg/qemu/hw/fdc.c kvm-66+dfsg.new/qemu/hw/fdc.c
+--- kvm-66+dfsg/qemu/hw/fdc.c	2008-04-15 09:35:58.000000000 -0400
++++ kvm-66+dfsg.new/qemu/hw/fdc.c	2008-05-07 10:00:01.000000000 -0400
+@@ -1344,7 +1344,13 @@
+             len = fdctrl->data_len - fdctrl->data_pos;
+             if (len > FD_SECTOR_LEN)
+                 len = FD_SECTOR_LEN;
+-            bdrv_read(cur_drv->bs, fd_sector(cur_drv), fdctrl->fifo, 1);
++            if (cur_drv->bs) {
++                bdrv_read(cur_drv->bs, fd_sector(cur_drv), 
++                          fdctrl->fifo, 1);
++            } else {
++                FLOPPY_ERROR("can't read data from drive\n");
++                return 0;
++            }
+         }
+     }
+     retval = fdctrl->fifo[pos];
+diff -Nur kvm-66+dfsg/qemu/hw/pc.c kvm-66+dfsg.new/qemu/hw/pc.c
+--- kvm-66+dfsg/qemu/hw/pc.c	2008-04-15 09:35:58.000000000 -0400
++++ kvm-66+dfsg.new/qemu/hw/pc.c	2008-05-07 10:00:01.000000000 -0400
+@@ -341,7 +341,8 @@
+     case 0x400:
+     case 0x401:
+         fprintf(stderr, "BIOS panic at rombios.c, line %d\n", val);
+-        exit(1);
++        /* according to documentation, these can be safely ignored */
++        break;
+     case 0x402:
+     case 0x403:
+ #ifdef DEBUG_BIOS
+@@ -364,8 +365,9 @@
+         /* LGPL'ed VGA BIOS messages */
+     case 0x501:
+     case 0x502:
++        /* according to documentation, these can be safely ignored */
+         fprintf(stderr, "VGA BIOS panic, line %d\n", val);
+-        exit(1);
++        break;
+     case 0x500:
+     case 0x503:
+ #ifdef DEBUG_BIOS
+diff -Nur kvm-66+dfsg/qemu/hw/sb16.c kvm-66+dfsg.new/qemu/hw/sb16.c
+--- kvm-66+dfsg/qemu/hw/sb16.c	2008-04-15 09:35:58.000000000 -0400
++++ kvm-66+dfsg.new/qemu/hw/sb16.c	2008-05-07 10:00:01.000000000 -0400
+@@ -1246,8 +1246,10 @@
+             s->block_size);
+ #endif
+ 
+-    while (s->left_till_irq <= 0) {
+-        s->left_till_irq = s->block_size + s->left_till_irq;
++    if (s->block_size) {
++        while (s->left_till_irq <= 0) {
++            s->left_till_irq = s->block_size + s->left_till_irq;
++        }
+     }
+ 
+     return dma_pos;
+diff -Nur kvm-66+dfsg/qemu/slirp/slirp.c kvm-66+dfsg.new/qemu/slirp/slirp.c
+--- kvm-66+dfsg/qemu/slirp/slirp.c	2008-04-15 09:35:58.000000000 -0400
++++ kvm-66+dfsg.new/qemu/slirp/slirp.c	2008-05-07 10:00:01.000000000 -0400
+@@ -620,6 +620,10 @@
+         if (!m)
+             return;
+         /* Note: we add to align the IP header */
++        /* taviso: large values in ne2k TCNT register may exceed msize on transmit */
++        if (M_FREEROOM(m) < pkt_len + 2) {
++            m_inc(m, pkt_len + 2);
++        }
+         m->m_len = pkt_len + 2;
+         memcpy(m->m_data + 2, pkt, pkt_len);
+ 
+diff -Nur kvm-66+dfsg/qemu/target-i386/translate.c kvm-66+dfsg.new/qemu/target-i386/translate.c
+--- kvm-66+dfsg/qemu/target-i386/translate.c	2008-04-15 09:35:58.000000000 -0400
++++ kvm-66+dfsg.new/qemu/target-i386/translate.c	2008-05-07 10:00:01.000000000 -0400
+@@ -5452,6 +5452,7 @@
+         gen_jmp_im(pc_start - s->cs_base);
+         gen_op_into(s->pc - pc_start);
+         break;
++#ifdef WANT_ICEBP
+     case 0xf1: /* icebp (undocumented, exits to external debugger) */
+         if (gen_svm_check_intercept(s, pc_start, SVM_EXIT_ICEBP))
+             break;
+@@ -5463,6 +5464,7 @@
+         cpu_set_log(CPU_LOG_INT | CPU_LOG_TB_IN_ASM);
+ #endif
+         break;
++#endif /* icebp */
+     case 0xfa: /* cli */
+         if (!s->vm86) {
+             if (s->cpl <= s->iopl) {
+diff -Nur kvm-66+dfsg/qemu/vl.c kvm-66+dfsg.new/qemu/vl.c
+--- kvm-66+dfsg/qemu/vl.c	2008-05-07 09:59:51.000000000 -0400
++++ kvm-66+dfsg.new/qemu/vl.c	2008-05-07 10:00:01.000000000 -0400
+@@ -4294,8 +4294,8 @@
+     VLANClientState *vc;
+     int fd;
+     int state; /* 0 = getting length, 1 = getting data */
+-    int index;
+-    int packet_len;
++    unsigned int index;
++    unsigned int packet_len;
+     uint8_t buf[4096];
+     struct sockaddr_in dgram_dst; /* contains inet host and port destination iff connectionless (SOCK_DGRAM) */
+ } NetSocketState;
+@@ -4326,7 +4326,8 @@
+ static void net_socket_send(void *opaque)
+ {
+     NetSocketState *s = opaque;
+-    int l, size, err;
++    int size, err;
++    unsigned l;
+     uint8_t buf1[4096];
+     const uint8_t *buf;
+ 
+@@ -4365,7 +4366,15 @@
+             l = s->packet_len - s->index;
+             if (l > size)
+                 l = size;
+-            memcpy(s->buf + s->index, buf, l);
++            if (s->index + l <= sizeof(s->buf)) {
++                memcpy(s->buf + s->index, buf, l);
++            } else {
++                fprintf(stderr, "serious error: oversized packet received,"
++                    "connection terminated.\n");
++                s->state = 0;
++                goto eoc;
++            }
++
+             s->index += l;
+             buf += l;
+             size -= l;

--- End Message ---

--- Begin Message ---

Source: kvm
Source-Version: 66+dfsg-1.1

We believe that the bug you reported is fixed in the latest version of
kvm, which is due to be installed in the Debian FTP archive:

kvm-data_66+dfsg-1.1_all.deb
  to pool/main/k/kvm/kvm-data_66+dfsg-1.1_all.deb
kvm-source_66+dfsg-1.1_all.deb
  to pool/main/k/kvm/kvm-source_66+dfsg-1.1_all.deb
kvm_66+dfsg-1.1.diff.gz
  to pool/main/k/kvm/kvm_66+dfsg-1.1.diff.gz
kvm_66+dfsg-1.1.dsc
  to pool/main/k/kvm/kvm_66+dfsg-1.1.dsc
kvm_66+dfsg-1.1_i386.deb
  to pool/main/k/kvm/kvm_66+dfsg-1.1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steffen Joeris <[EMAIL PROTECTED]> (supplier of updated kvm package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 20 May 2008 13:28:14 +0000
Source: kvm
Binary: kvm kvm-data kvm-source
Architecture: source all i386
Version: 66+dfsg-1.1
Distribution: unstable
Urgency: high
Maintainer: Jan Lübbe <[EMAIL PROTECTED]>
Changed-By: Steffen Joeris <[EMAIL PROTECTED]>
Description: 
 kvm        - Full virtualization on x86 hardware
 kvm-data   - Data files for the KVM package
 kvm-source - Source for the KVM driver
Closes: 480011 481204
Changes: 
 kvm (66+dfsg-1.1) unstable; urgency=high
 .
   * Non-maintainer upload by the security team
   * Merge the fixes for the security issues in the embedded qemu
     version (Closes: #480011) Thanks to Jamie Strandboge
    - Add CVE-2007-1320+1321+1322+1366+2893.patch from from qemu 0.9.1-1
      to address the following issues:
     - Cirrus LGD-54XX "bitblt" heap overflow.
     - NE2000 "mtu" heap overflow.
     - QEMU "net socket" heap overflow.
     - QEMU NE2000 "receive" integer signedness error.
     - Infinite loop in the emulated SB16 device.
     - Unprivileged "aam" instruction does not correctly handle the
       undocumented divisor operand.
     - Unprivileged "icebp" instruction will halt emulation.
   * Include patch which defaults to existing behaviour (probing based on file
     contents), so it still requires the mgmt app (e.g. libvirt xml) to
     pass a new "format=raw" parameter for raw disk images
     - Fixes possible privilege escalation, which could allow guest users
       to read arbitrary files on the host by modifying the header to identify
       a different format (Closes: #481204) Fixes: CVE-2008-2004
Checksums-Sha1: 
 91a99c6cd0fb41e7ce54e413f1d8b1ca939f9347 1308 kvm_66+dfsg-1.1.dsc
 d03b192d199763803083e1c88d3fbe7ac80f35c5 34347 kvm_66+dfsg-1.1.diff.gz
 3b32e47d274d621c760209cc686a14a232295e6e 186850 kvm-data_66+dfsg-1.1_all.deb
 7d84ae37e8f8fb08e49efed0f9f659a18acee34d 158952 kvm-source_66+dfsg-1.1_all.deb
 917f2b97235de8ee38254f42b1a428208fada0d5 632944 kvm_66+dfsg-1.1_i386.deb
Checksums-Sha256: 
 a66a2f026ba401e7a0115b1923bd86e52390e2015a58ceb4637b4f5e18abc1ce 1308 
kvm_66+dfsg-1.1.dsc
 0d65d3c69bf308ddce0f37c23e36fb1a3a69ed245729646293932e54b248deff 34347 
kvm_66+dfsg-1.1.diff.gz
 f25066a3281482ae0f2c043a954c1b566d39a66a3b5eac5e9aec35ff9f6456b8 186850 
kvm-data_66+dfsg-1.1_all.deb
 37934401158248b77f3daa3ed9fdf1aa1ba268efc7491788eafbc39bc7fa538e 158952 
kvm-source_66+dfsg-1.1_all.deb
 f4c635a3927c2b19d1c3fafe4df16096a54113144c4e149fc9960562195657bf 632944 
kvm_66+dfsg-1.1_i386.deb
Files: 
 23def165ed98f21c558245099146b41d 1308 misc optional kvm_66+dfsg-1.1.dsc
 5d3bf47baebe9a89d771b30830c9df92 34347 misc optional kvm_66+dfsg-1.1.diff.gz
 6b0557c6e139d5803f0878438d49a281 186850 misc optional 
kvm-data_66+dfsg-1.1_all.deb
 0528a7efdd3d30b8d28c4e0674ec28c1 158952 misc optional 
kvm-source_66+dfsg-1.1_all.deb
 202bae86a7d24a0d3270fd91c440922e 632944 misc optional kvm_66+dfsg-1.1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFIMuDa62zWxYk/rQcRAhzzAKCtHxSlNFh0pwUMOb8jHmMkmRY3owCfWCiJ
Nd8wh9rdLpYp6KU6pkcSqD0=
=H9hM
-----END PGP SIGNATURE-----

--- End Message ---