imlib: Vulnerable to GLSA 200412-03?

Automatically imported from Debian bug report #284925 http://bugs.debian.org/284925

Message-ID: <email address hidden>
Date: Thu, 9 Dec 2004 15:51:07 +0100
From: Andreas Metzler <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: imlib: Vulnerable to GLSA 200412-03?

Package: imlib,imlib+png2
Severity: normal
Tags: security,patch

Hello,
---------------------
http://www.gentoo.org/security/en/glsa/glsa-200412-03.xml
Synopsis
Multiple overflows have been found in the imlib library image decoding
routines, potentially allowing execution of arbitrary code.

2. Impact Information

Background

imlib is an advanced replacement library for image manipulation libraries like
libXpm. It is called by numerous programs, including gkrellm and several window
managers, to help in displaying images.

Description

Pavel Kankovsky discovered that several overflows found in the libXpm library
(see GLSA 200409-34) also applied to imlib. He also fixed a number of other
potential flaws.

Impact

A remote attacker could entice a user to view a carefully-crafted image file,
which would potentially lead to execution of arbitrary code with the rights of
the user viewing the image. This affects any program that makes use of the
imlib library.
[...]
---------------------

Links:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=138516
https://bugzilla.fedora.us/show_bug.cgi?id=2051#c11
Patch:
http://gd.tuwien.ac.at/platform/Linux/gentoo-portage/media-libs/imlib/files/imlib-1.9.14-sec2.patch
(does apply cleanly to imlib 1.9.14-17 and imlib+png2 1.9.14-16.)

I am submitting as normal because the given exploit
(http://scary.beasts.org/misc/doom.xpm) does not work for me, and I'd
rather not use an inflated severity.
                 cu andreas
--
"See, I told you they'd listen to Reason," [SPOILER] Svfurlr fnlf,
fuhggvat qbja gur juveyvat tha.
Neal Stephenson in "Snow Crash"

Message-ID: <email address hidden>
Date: Fri, 10 Dec 2004 14:31:55 -0500
From: Joey Hess <email address hidden>
To: <email address hidden>
Cc: <email address hidden>
Subject: CAN-2004-1026

--ikeVEW9yuYc//A+q
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

severity 284925 serious
thanks

This is CAN-2004-1026; please use that number in any changelog entry
fixing this bug.

Unfortunatly, the CAN entry currently has no more info than a pointer to
GLSA-200412-03. I dug around and found the redhat bug at
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=3D138516

I was able to crash imlib1 using the image from here:
https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=3D106366&action=3Dvi=
ew

--=20
see shy jo

--ikeVEW9yuYc//A+q
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFBufmrd8HHehbQuO8RAt4/AJ9BkwFgfIS3p5Tj958kLeirq1a4NwCeNo6X
IPaKIXbLOatCy5iSbXnG67I=
=OqbN
-----END PGP SIGNATURE-----

--ikeVEW9yuYc//A+q--

Message-ID: <email address hidden>
Date: Fri, 10 Dec 2004 22:58:08 +0100
From: Andreas Metzler <email address hidden>
To: Joey Hess <email address hidden>
Cc: <email address hidden>, <email address hidden>
Subject: CAN-2004-1026 applies to imlib2, too.

clone 284925 -1
tags -1 - patch
# cloning as there is no ready to apply patch for imlib2, the bits and
# pieces from the given one will probably need to be included manually
# in loaders/loader_xpm.c
reassign -1 imlib2
thanks

Joey Hess <email address hidden> wrote:
| I was able to crash imlib1 using the image from here:
| https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=106366&action=view

That one works with imlib2, too:
ametzler@downhill:/tmp$ LANG=C LD_ASSUME_KERNEL=2.4.1 gdb feh
[...]
(gdb) run imlib_die.xpm
[...]
Program received signal SIGSEGV, Segmentation fault.
0x4023a695 in strcat () from /lib/libc.so.6
(gdb) bt
#0 0x4023a695 in strcat () from /lib/libc.so.6
#1 0x40020180 in load () from /usr/lib/imlib2_loaders/image/xpm.so
#2 0xbffff6e0 in ?? ()
[...]
               cu andreas
--
"See, I told you they'd listen to Reason," [SPOILER] Svfurlr fnlf,
fuhggvat qbja gur juveyvat tha.
Neal Stephenson in "Snow Crash"

Message-ID: <email address hidden>
Date: Sat, 11 Dec 2004 11:48:30 +0100
From: Andreas Metzler <email address hidden>
To: <email address hidden>
Subject: Re: Bug#284925: imlib: Vulnerable to GLSA 200412-03?

On 2004-12-09 Andreas Metzler <email address hidden> wrote:
> Package: imlib,imlib+png2
> Severity: normal
> Tags: security,patch

> Hello,
> ---------------------
> http://www.gentoo.org/security/en/glsa/glsa-200412-03.xml
> Synopsis
> Multiple overflows have been found in the imlib library image decoding
> routines, potentially allowing execution of arbitrary code.
[...]

Applies to woody, too.
WOODYametzler@downhill:/tmp$ gdb ./imlib-example-woody
(gdb) run imlib_die.xpm
Starting program: /tmp/imlib-example-woody imlib_die.xpm
Program received signal SIGSEGV, Segmentation fault.
0x400b2464 in strcat () from /lib/libc.so.6
(gdb) bt
#0 0x400b2464 in strcat () from /lib/libc.so.6
#1 0x4001f44f in _LoadXPM () from /usr/lib/libImlib.so.1
#2 0x41414141 in ?? ()
Cannot access memory at address 0x41414141

ii imlib1 1.9.14-2wody1 Imlib is an imaging library for X and X11
ii xlibs 4.1.0-16woody5 X Window System client libraries
                cu andreas
--
"See, I told you they'd listen to Reason," [SPOILER] Svfurlr fnlf,
fuhggvat qbja gur juveyvat tha.
Neal Stephenson in "Snow Crash"

Message-ID: <email address hidden>
Date: Fri, 17 Dec 2004 15:26:43 -0800
From: Steve Langasek <email address hidden>
To: <email address hidden>
Subject: Re: imlib: Vulnerable to GLSA 200412-03?

--65ImJOski3p8EhYV
Content-Type: multipart/mixed; boundary="WBsA/oQW3eTA3LlM"
Content-Disposition: inline

--WBsA/oQW3eTA3LlM
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

I've prepared an NMU for imlib based on the Red Hat patch, which I will
be uploading shortly; I've confirmed that imlib11 no longer segfaults
with the sample image after this patch is applied.

Note that the Red Hat patch includes a typo (semicolon at the end of an
if) that almost certainly leaves a hole open; this has been corrected in
the attached patch.

Thanks,
--=20
Steve Langasek
postmodern programmer

--WBsA/oQW3eTA3LlM
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="imlib-284925.diff"
Content-Transfer-Encoding: quoted-printable

diff -u imlib-1.9.14/Imlib/load.c imlib-1.9.14/Imlib/load.c
--- imlib-1.9.14/Imlib/load.c
+++ imlib-1.9.14/Imlib/load.c
@@ -4,6 +4,8 @@
 #include "Imlib_private.h"
 #include <setjmp.h>
=20
+#define G_MAXINT ((int) 0x7fffffff)
+
 /* Split the ID - damages input */
=20
 static char *
@@ -41,13 +43,17 @@
=20
 /*
  * Make sure we don't wrap on our memory allocations
+ * we check G_MAXINT/4 because rend.c malloc's w * h * bpp
+ * + 3 is safety margin
  */
=20
 void * _imlib_malloc_image(unsigned int w, unsigned int h)
 {
- if( w > 32767 || h > 32767)
+ if (w <=3D 0 || w > 32767 ||
+ h <=3D 0 || h > 32767 ||
+ h >=3D (G_MAXINT/4 - 1) / w)
                return NULL;
- return malloc(w * h * 3);
+ return malloc(w * h * 3 + 3);
 }
=20
 #ifdef HAVE_LIBJPEG
@@ -360,7 +366,9 @@
   npix =3D ww * hh;
   *w =3D (int)ww;
   *h =3D (int)hh;
- if(ww > 32767 || hh > 32767)
+ if (ww <=3D 0 || ww > 32767 ||
+ hh <=3D 0 || hh > 32767 ||
+ hh >=3D (G_MAXINT/sizeof(uint32)) / ww)
     {
        TIFFClose(tif);
        return NULL;
@@ -463,7 +471,7 @@
      }
    *w =3D gif->Image.Width;
    *h =3D gif->Image.Height;
- if (*h > 32767 || *w > 32767)
+ if (*h <=3D 0 || *h > 32767 || *w <=3D 0 || *w > 32767)
      {
         return NULL;
      }
@@ -965,7 +973,12 @@
   comment =3D 0;
   quote =3D 0;
   context =3D 0;
+ memset(lookup, 0, sizeof(lookup));
+
   line =3D malloc(lsz);
+ if (!line)
+ return NULL;
+
   while (!done)
     {
       pc =3D c;
@@ -994,25 +1007,25 @@
   {
     /* Header */
     sscanf(line, "%i %i %i %i", w, h, &ncolors, &cpp);
- if (ncolors > 32766)
+ if (ncolors <=3D 0 || ncolors > 32766)
       {
         fprintf(stderr, "IMLIB ERROR: XPM files wth colors > 32766 not sup=
ported\n");
         free(line);
         return NULL;
       }
- if (cpp > 5)
+ if (cpp <=3D 0 || cpp > 5)
       {
         fprintf(stderr, "IMLIB ERROR: XPM files with characters per pixel =
> 5 not supported\n");
         free(line);
         return NULL;
       }
- if (*w > 32767)
+ if (*w <=3D 0 || *w > 32767)
     ...

Message-Id: <email address hidden>
Date: Fri, 17 Dec 2004 18:47:05 -0500
From: Steve Langasek <email address hidden>
To: <email address hidden>
Cc: Steve Langasek <email address hidden>, <email address hidden> (Steve M. Robbins)
Subject: Fixed in NMU of imlib 1.9.14-17.1

tag 284925 + fixed

quit

This message was generated automatically in response to a
non-maintainer upload. The .changes file follows.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 16 Dec 2004 05:57:41 -0800
Source: imlib
Binary: imlib11 imlib11-dev
Architecture: source i386
Version: 1.9.14-17.1
Distribution: unstable
Urgency: high
Maintainer: Steve M. Robbins <email address hidden>
Changed-By: Steve Langasek <email address hidden>
Description:
 imlib11 - Imlib is an imaging library for X and X11
 imlib11-dev - Imlib is an imaging library for X and X11
Closes: 284925
Changes:
 imlib (1.9.14-17.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * High-urgency upload for sarge-targetted RC bugfix
   * CAN-2004-1026: fix various overflows in image decoding routines.
     Closes: #284925.
Files:
 d585194cae8f045f154483b25a535308 718 graphics optional imlib_1.9.14-17.1.dsc
 9b39a9987e9e83041b9a5ea504df9bf6 153013 graphics optional imlib_1.9.14-17.1.diff.gz
 02ceef8f9a47ca7282b8ceecce49ed5e 80792 libs optional imlib11_1.9.14-17.1_i386.deb
 ce9868ba61f3f5f616ec664a214c85c6 87408 libdevel optional imlib11-dev_1.9.14-17.1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFBw2tVKN6ufymYLloRApCfAKCDZRjNzyRaJf+p2X050zV0rSuF0QCfR/VX
PBx0CdFNpQywQ4ingTUjm+M=
=x3VC
-----END PGP SIGNATURE-----

Message-Id: <email address hidden>
Date: Sat, 18 Dec 2004 03:02:05 -0500
From: Steve Langasek <email address hidden>
To: <email address hidden>
Cc: Steve Langasek <email address hidden>, <email address hidden> (Steve M. Robbins)
Subject: Fixed in NMU of imlib+png2 1.9.14-16.1

tag 284925 + fixed

quit

This message was generated automatically in response to a
non-maintainer upload. The .changes file follows.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 17 Dec 2004 23:33:23 -0800
Source: imlib+png2
Binary: gdk-imlib1 imlib-progs gdk-imlib1-dev imlib1 imlib1-dev imlib-base
Architecture: source i386 all
Version: 1.9.14-16.1
Distribution: unstable
Urgency: high
Maintainer: Steve M. Robbins <email address hidden>
Changed-By: Steve Langasek <email address hidden>
Description:
 gdk-imlib1 - imaging library for use with gtk (using libpng2)
 gdk-imlib1-dev - Header files needed for Gdk-Imlib development (using libpng2)
 imlib-base - Common files needed by the Imlib/Gdk-Imlib packages
 imlib-progs - Configuration program for Imlib and GDK-Imlib
 imlib1 - imaging library for X and X11 (using libpng2)
 imlib1-dev - Header files needed for Imlib development (using libpng2)
Closes: 284925
Changes:
 imlib+png2 (1.9.14-16.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * High-urgency upload for sarge-targetted RC bugfix
   * CAN-2004-1026: fix various overflows in image decoding routines.
     Closes: #284925.
Files:
 e63e257fa7686c971b5fd549fc7a71e9 844 graphics optional imlib+png2_1.9.14-16.1.dsc
 a85cae6e6c1ed40cf673a8d8b64148e8 144009 graphics optional imlib+png2_1.9.14-16.1.diff.gz
 03d7e5dc5a709004c45217919c6d46c8 119606 graphics optional imlib-base_1.9.14-16.1_all.deb
 85cf5bd738743939994fac1054e25c29 261598 graphics optional imlib-progs_1.9.14-16.1_i386.deb
 3da22542142634c49a9a371797f486d6 77140 oldlibs optional imlib1_1.9.14-16.1_i386.deb
 bb25a71304e4d4abfaee8850bee77c94 79790 oldlibs optional imlib1-dev_1.9.14-16.1_i386.deb
 d1bd1913c98ff89c7a2124aa546969a8 86576 oldlibs optional gdk-imlib1_1.9.14-16.1_i386.deb
 24a28e3d2eb559c728ae3bb8d1ea7761 69360 oldlibs optional gdk-imlib1-dev_1.9.14-16.1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFBw+GwKN6ufymYLloRAqIuAKCBPXVxEhFZvvHDf+hfsItk2+kXCACgp/j5
OI+2aI6x0vP5qleGmknBlWM=
=yGmn
-----END PGP SIGNATURE-----

Message-ID: <email address hidden>
Date: Sat, 18 Dec 2004 00:47:54 -0800
From: Steve Langasek <email address hidden>
To: <email address hidden>
Subject: Re: imlib: Vulnerable to GLSA 200412-03?

--AhhlLboLdkugWU4S
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

tags 284925 +woody sarge
tags 284925 -fixed
thanks

As expected, the previously supplied patch applies equally well to
imlib+png2, requiring only an edit of debian/changelog.

An NMU of this package has also been uploaded, so this bug now only applies
to sarge and woody (and only to the imlib package in the latter case).

Thanks,
--=20
Steve Langasek
postmodern programmer

--AhhlLboLdkugWU4S
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBw+62KN6ufymYLloRAosZAKC8VAazaIGN1sN5qsp+8V50EwhvrwCg0b4G
4+XGaXEY8KQ7WUrlsIHPtsM=
=N8kf
-----END PGP SIGNATURE-----

--AhhlLboLdkugWU4S--

Message-ID: <email address hidden>
Date: Tue, 21 Dec 2004 22:44:15 +0100
From: Andreas Metzler <email address hidden>
To: <email address hidden>
Subject: NMU fixing these bugs has propagated to sarge

# both imlib+png2 1.9.14-16.1 and imlib 1.9.14-17.1 have propagated to
# sarge
tags 284925 - sarge
thanks
              cu andreas

Message-ID: <email address hidden>
Date: Thu, 23 Dec 2004 19:18:05 +0100
From: Martin Schulze <email address hidden>
To: <email address hidden>
Subject: CVE ids

FWIW: These is problems have been assigned both CAN-2004-1025 and CAN-2004-1026.

Regards,

 Joey

--
Open source is important from a technical angle. -- Linus Torvalds

Please always Cc to me when replying to me on the lists.

*** Bug 11118 has been marked as a duplicate of this bug. ***

Fixed in Warty:

 imlib+png2 (1.9.14-16ubuntu1.1) warty-security; urgency=low
 .
   * SECURITY UPDATE: fix several buffer and integer overflows in image
     decoding routines (Ubuntu bug #11113)
   * Thanks to Pavel Kankovsky for discovering this and the patch
   * References:
     CAN-2004-1025, CAN-2004-1026
     http://bugs.debian.org/284925

Sync requested for Hoary.

This affects imlib2, too, so I leave the bug open for now.

I notified upstream and asked about the status about this.

(In reply to comment #12)
> This affects imlib2, too, so I leave the bug open for now.

Fixed in Warty in imlib2_1.1.0-12ubuntu2.1
Fixed in Hoary in imlib2_1.1.2-2ubuntu1

Message-Id: <email address hidden>
Date: Thu, 06 Jan 2005 17:02:07 -0500
From: Joey Hess <email address hidden>
To: <email address hidden>
Cc: Joey Hess <email address hidden>, <email address hidden> (Laurence J. Lane)
Subject: Fixed in NMU of imlib2 1.1.2-2.1

tag 284925 + fixed

quit

This message was generated automatically in response to a
non-maintainer upload. The .changes file follows.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 6 Jan 2005 16:29:53 -0500
Source: imlib2
Binary: libimlib2 libimlib2-dev
Architecture: source i386
Version: 1.1.2-2.1
Distribution: unstable
Urgency: high
Maintainer: Laurence J. Lane <email address hidden>
Changed-By: Joey Hess <email address hidden>
Description:
 libimlib2 - powerful image loading and rendering library
 libimlib2-dev - Imlib2 development files
Closes: 284925
Changes:
 imlib2 (1.1.2-2.1) unstable; urgency=HIGH
 .
   * NMU with the following changes taken from the Ubuntu patch by Martin Pitt
     Closes: #284925
   * SECURITY UPDATE: fix several buffer overflows
   * loaders/loader_bmp.c: check for negative image width/height
   * loaders/loader_xpm.c:
     - check for negative image attributes
     - check the length of the "col" buffer to avoid overflowing it
     - patch taken from upstream CVS
   * References:
     CAN-2004-1025
     CAN-2004-1026
Files:
 4e044b53efef6571d6754f660b04e1be 730 libs optional imlib2_1.1.2-2.1.dsc
 f7544bcfd3e37b180cb664b4bc2a193e 81653 libs optional imlib2_1.1.2-2.1.diff.gz
 e8042c1cc46f7ffd464d65e6287c31e4 188690 libs optional libimlib2_1.1.2-2.1_i386.deb
 ccccd58406e6dbdce73724d5b9ff03e2 605216 libdevel optional libimlib2-dev_1.1.2-2.1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFB3bIe2tp5zXiKP0wRAsLGAKDAQ21pewzIoMo0cT/CqVduBdQHVACgyqEg
yWkZ3yo0hIubBkIahMZjHQs=
=uH3I
-----END PGP SIGNATURE-----

Message-Id: <email address hidden>
Date: Sat, 5 Mar 2005 16:46:59 +0900 (KST)
From: =?ISO-2022-JP?B?GyRCPXc7UiUiJUo0aT1QJDcbKEI=?= <email address hidden>
To: <email address hidden>
To: <email address hidden>
Subject: =?ISO-2022-JP?B?GyRCOWIheyUiJUokLCQqR3EkaiNGI1UjQyNLInYbKEI=?=

�������������������������������������[���}�K�W���~��������������
�������@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@��
�����@�������‚��ɗ��o�I�H���̏��q�A�i�̖{�����B�f���������@�@ ����
���@�@�@�@�@�@�����������������������������������������@�@�@�@������
�@�@�@http://tv.puchiphoto.org/?261941er9r
��������������������������������������������������������������
�������������@�@�ɔ���!!���S�����܂����f���@�@�@��������������
��������������������������������������������������������������
�@
���@�@���A�����������̐��X�c�����܂Ŗ{���Ɍ����Ă��܂�Ă����̂��I�H
�@���@�J�������������炸�A���R�Ƒ��ȍs��������B�B
��
�@���@���́��������q�A�i�̃v���C�x�[�g�ȕ�������������ی����Ɂc�B
��
�@���@���̑��啨�^�����g�A�O���r�A�A�C�h���܂ł����X�Ɖa�H�ɂȂ�čs���B�B�B

�@�@�@http://tv.puchiphoto.org/?261941er9r
��������������������������������������������������������������
�BoO��Oo�BoO��Oo�B�BoO��Oo�BoO��Oo�B�BoO��Oo�BoO��Oo�B�BoO��Oo�B
�����T�̃C�`�I�V!!!
���������܂ł̌����u�Ԃ΂����W�߂����Q������o��
��
���ŐV�̃n�C�e�N�@�����������
���������v�T���̃J������u���Ă̗l�X�ȃA���O�������`�ʂɐ����������炵���قǍI���Ȉʒu�����X�i�b�v�V���b�g�́A���x���Q!!!

      http://tv.puchiphoto.org/?261941er9r
  �E�E�E�E�E�E�E�E�E�E�E�E�E�E�E�E�E�E�E�E�E�E�E�E���̉f���̏Ռ��ɃA�i�^�͂ǂ��܂őς����邩�H
��������
�@���������@�@�@���i�͂��Ԃ������Ȃ��ޏ��B���@�@�@�@�@�@�@�@�@�@�@��������
�@�@���������@�@�@�@�@�@�@�`���Ă͂����Ȃ�������炯�o���@�@�@�@�@��������
�@�@�@���������@�@�@�@���̂Ƃ��Ƃ��������ڂ̑O�Ɂ@�@�@�@�@��������
�@�@�@�@���������@�@�@�@�͂����ăA�i�^�͂������邩�c�@�@�@�@�@�@��������
�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@ ��������
��������������������������������������������������������������
�`���Ă͂����Ȃ��֒f�̐��E ��������������������������������������
��������������������������
�J�[�Z�b�N�XVS�z�e�����B
�l�C�̂Ȃ��ꏊ�ŌJ�����������s���̐��X�c
�����x�ԊO����ƒ����^�B���J�����������ߋ��������B�e�ɐ������̂��܂��߂��ɕ\���Ńo�b�`�����@�@�@http://tv.puchiphoto.org/?261941er9r
��������������������������������������������������������������
�����[���}�K�W���~�����E�E�E�E�E�E�E�E�E�E�E�E�E�E�E�E�E�E�E�E�E�E�E�E�E�E�E�E�E�E�E�E�E�E�E�E�E�E�E�E�E�E

�E�~���̓��[���}�K�W���̔z�M�X�^���h�ƂȂ�Ă����o�^���l���@���I�Ƀ��[���}�K�W����M���Ă������B
�E���ǂ͂��Љ��̃T�C�g�ɂ����邢���Ȃ����u���⑹�Q�ɑ΂��Ă�@���̐ӔC������˂܂��B
�E�f�ڏ��Ɋւ��Ă̂������͉����Ă���������@�\�߂������������B
�E�����[���}�K�W���Ɍf�ڂ��ꂽ�L���̈ꕔ�܂��͑S�������‚Ȃ��]�ڂ��邱�Ƃ�~�v���܂��B
�E �g�Ɋo���̂Ȃ��z�M�͂��������”\�����������܂�
�@�w�lj���̕����萔�ł������L�̃A�h���X�����O�C�����A
�@�����g�ł��葱���������B
�@
�@�@http://rin.m-blue.org/umeya/
��������������������������������������������������������������
��������������������������������������������������������������

Message-Id: <email address hidden>
Date: Sun, 13 Mar 2005 03:09:24 -0800
From: "sadfa" <email address hidden>
Subject: =?GB2312?B?gsOCrY2hk/qCzYNjg0OCxILIgqKCyIKfgsGCxJP6gqCC6ILcgreC5oLLgUmB?=

 =?GB2312?B?SA==?=
To: <email address hidden>
Content-Type: text/plain;charset="EUC"
Reply-To: <email address hidden>
Date: Sun, 13 Mar 2005 19:09:25 +0800
X-Priority: 3
X-Mailer: FoxMail 4.0 beta 2 [cn]

�T�C�t�Ȃ������������ޏ������ƃP���J����������D���Ȑl�ɍ��������̂Ƀt���ꂿ�����肻��Ƃ�
���Ȃ��Ȃ������܂����H�Ȃ��Ȃ��ӂ�������Ƃ��c
���ŔY�܂Ȃ��ł�����Ă݂āI�I�����ɂȂ邩���I
http://beauti-channel.com/l-f/
�l�̉\�����H�Ȃ�H����^��
�\��ċ����ł����I�H���̃��[�����O���B�̂��̖����E���������Ƃ��I�I
http://love-game-dream.com/uwasa2

�c�C�Ă��͂�����<email address hidden>

Message-Id: <email address hidden>
Date: Mon, 14 Mar 2005 17:56:44 -0800
From: "sada" <email address hidden>
Subject: =?GB2312?B?gUaRsZXSgsWCt4FCg2qDUoNiICiBS4GkgUspdiiBS4GkgUspdiBvKIFLgaSB?=

 =?GB2312?B?SylvIINDg0aBW4NDISE=?=
To: <email address hidden>
Content-Type: text/plain;charset="EUC"
Reply-To: <email address hidden>
Date: Tue, 15 Mar 2005 09:56:47 +0800
X-Priority: 3
X-Mailer: Microsoft Outlook Express 6.00.2600.0000

�`�E�`�E�`�E�`�E�`�E�`�E�`�E�`�E�`�E�`�E�`�E�`�E�`�E�`�E�`�E�`�E�`
����\�I����E���T�I�����W�߂Č��܂���!!
�ޏ������ɂ��Ћ����Ă����ĂˁI
����������U�߂���ȁI�H
�L���o�����q����ł��j�I�H
�s�ϑ����Z�t���ł������H
�_��Ă��邠�̃R���������c
���ꂩ���荇�����̃R�ɉ����Ă����Ƃ��������I
http://miwaku-fruit.com/apple/
�`�E�`�E�`�E�`�E�`�E�`�E�`�E�`�E�`�E�`�E�`�E�`�E�`�E�`�E�`�E�`�E�`
�����̖�����<email address hidden>
�܂Ń��[�����������B

Message-Id: <email address hidden>
Date: Tue, 15 Mar 2005 19:37:57 -0800
From: "safa" <email address hidden>
Subject: =?GB2312?B?gUaOR4p3kWaQsILngrWCoiEhkm2Or4KggumQbILBgsSCt4KygqKCyIFggsGC?=

 =?GB2312?B?xI52gqKC3IK3guaCyyE/?=
To: <email address hidden>
Content-Type: text/plain;charset="EUC"
Reply-To: asfas@.com
Date: Wed, 16 Mar 2005 11:38:00 +0800
X-Priority: 3
X-Mailer: FoxMail 4.0 beta 2 [cn]

�Q/�Q/�Q/�Q/�Q/�Q/�Q/�Q/�Q/�Q/�Q/�Q/�Q/
�������ŎG�w�̂��b�����l�e!!
���̕Ћ����������ŁA
�����������ł����Ɠ������炢������!!
http://peach-naturalwater.com/that2v4/
���肰�ȁ`���������Ă݂悤!!
���肰�ȁ`�����������ɕ��������Ⴄ����
http://peach-naturalwater.com/that2v4/
�Q/�Q/�Q/�Q/�Q/�Q/�Q/�Q/�Q/�Q/�Q/�Q/�Q/
�z�M����<email address hidden>

Message-Id: <email address hidden>
Date: Sat, 09 Apr 2005 06:40:32 -0700
From: "wriuiouewe" <email address hidden>
Subject: =?GB2312?B?gZ+Bno1zgquP6oLMgsiCojMwkeOlpaWJ34uOgvCC04LogqmCpoLrgqeBnoGf?=

 =?GB2312?B?gZ6BPw==?=
To: <email address hidden>
Content-Type: text/plain;charset="EUC"
Reply-To: <email address hidden>
Date: Sat, 9 Apr 2005 21:40:21 +0800
X-Priority: 3
X-Mailer: Microsoft Outlook Express 5.00.2615.200

��������������������������������������������������������������������
(ToT)/~~~
http://members.tripod.com/kusako

http://members.tripod.com/kusako
��������������������������������������
�Q�[���E�H�b�`�m���

��������������������������������������������������������������������

���[�����ۂ͂������ŁB
<email address hidden>
********************************************************************