insecure temporary file usage in gettextize and autopoint

Bug #9448 reported by Debian Bug Importer

Affects            Status        Importance   Assigned to    Milestone
gettext (Debian)   Fix Released  Unknown
gettext (Ubuntu)   Fix Released  Medium       Martin Pitt

Bug Description

Automatically imported from Debian bug report #278283 http://bugs.debian.org/278283

CVE References

CVE-2004-0966 (cited in the thread below under its candidate name CAN-2004-0966)

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Mon, 25 Oct 2004 17:07:59 -0400
From: Joey Hess <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: insecure temporary file usage in gettextize and autopoint

Package: gettext
Version: 0.14.1-5
Severity: serious
Tags: security

CAN-2004-0966 describes some insecure uses of temporary files by
autopoint and gettextize. We seem to be vulnerable, it's stupidity like
this:

        { echo "#! /bin/sh"; echo "exit 0"; } > /tmp/conf$$.sh

There is a patch here:
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=136323

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.4.27
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages gettext depends on:
ii gettext-base 0.14.1-5 GNU Internationalization utilities
ii libc6 2.3.2.ds1-18 GNU C Library: Shared libraries an

-- no debconf information

--
see shy jo


Revision history for this message
Santiago Vila Doncel (sanvila-unex) wrote : Bug#278283: insecure temporary file usage in gettextize and autopoint (fwd)

Hello.

I received this from the Debian bug system.
[ Please keep the Cc: lines when replying. Thanks ].

---------- Forwarded message ----------
From: Joey Hess <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Date: Mon, 25 Oct 2004 17:07:59 -0400
Subject: Bug#278283: insecure temporary file usage in gettextize and autopoint

Package: gettext
Version: 0.14.1-5
Severity: serious
Tags: security

CAN-2004-0966 describes some insecure uses of temporary files by
autopoint and gettextize. We seem to be vulnerable, it's stupidity like
this:

        { echo "#! /bin/sh"; echo "exit 0"; } > /tmp/conf$$.sh

There is a patch here:
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=136323

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.4.27
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages gettext depends on:
ii gettext-base 0.14.1-5 GNU Internationalization utilities
ii libc6 2.3.2.ds1-18 GNU C Library: Shared libraries an

-- no debconf information

--
see shy jo

Revision history for this message
Martin Pitt (pitti) wrote :

Created an attachment (id=604)
interdiff to fix this

patch based on the Fedora patch, with a slight improvement (mktemp ... || exit
1). Works fine.

Revision history for this message
Martin Pitt (pitti) wrote :

Awaiting approval.

Revision history for this message
Martin Pitt (pitti) wrote : Patch

tag 278283 patch
thanks

I just prepared an updated Ubuntu package.

A package interdiff which corrects the error is in our bug tracking system:
https://bugzilla.ubuntulinux.org/show_bug.cgi?id=2745

Have a nice day,

Martin

--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntulinux.org
Debian GNU/Linux Developer http://www.debian.org

Revision history for this message
Bruno Haible (bruno-clisp) wrote : Re: Bug#278283: insecure temporary file usage in gettextize and autopoint (fwd)

Joey Hess wrote:
> CAN-2004-0966 describes some insecure uses of temporary files by
> autopoint and gettextize. We seem to be vulnerable, it's stupidity like
> this:
>
> { echo "#! /bin/sh"; echo "exit 0"; } > /tmp/conf$$.sh
>
> There is a patch here:
> http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=136323

Thanks for the report. The patch may be applicable to RedHat and/or Debian.
It is not applicable in general, however: 'mktemp' is not portable, and
removing support for Woe32 platforms is undesirable as well.

Do you have a suggestion how to create temporary files in /tmp in a
secure way, even on platforms without 'mktemp' program?

Bruno

Revision history for this message
Alexandre Duret-Lutz (adl-src) wrote :

On Tue, Oct 26, 2004 at 02:41:33PM +0200, Bruno Haible wrote:
>
> Do you have a suggestion how to create temporary files in /tmp in a
> secure way, even on platforms without 'mktemp' program?

Here is what AS_TMPDIR([foo]) produces.

# Create a temporary directory, and hook for its removal unless debugging.
$debug ||
{
  trap 'exit_status=$?; rm -rf $tmp && exit $exit_status' 0
  trap '{ (exit 1); exit 1; }' 1 2 13 15
}

# Create a (secure) tmp directory for tmp files.
: ${TMPDIR=/tmp}
{
  tmp=`(umask 077 && mktemp -d -q "$TMPDIR/fooXXXXXX") 2>/dev/null` &&
  test -n "$tmp" && test -d "$tmp"
} ||
{
  tmp=$TMPDIR/foo$$-$RANDOM
  (umask 077 && mkdir $tmp)
} ||
{
   echo "$me: cannot create a temporary directory in $TMPDIR" >&2
   { (exit 1); exit 1; }
}
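The two patterns discussed so far, side by side in runnable form. This is an added example and not code from gettext, autoconf, or anyone in this thread: it stages the predictable /tmp/conf$$.sh write from the bug report against a symlink planted at that name, and then the mkdir-based fallback from the AS_TMPDIR output above against the same kind of planted name, all inside a throwaway directory that stands in for a world-writable /tmp (the real /tmp is never touched). The sandbox, the vulnerable_write, demo_* and make_tmpdir names and the constructed file contents are this example's own; it assumes a POSIX sh with ln -s and a mktemp that accepts -d -q.

```shell
#!/bin/sh
# Added example, not code from gettext, autoconf or anyone in this thread.
# Everything happens inside SANDBOX, a throwaway directory standing in for
# a world-writable /tmp.  Assumptions: POSIX sh, ln -s, and a mktemp that
# accepts -d -q (used both for the sandbox and for make_tmpdir's first try).

SANDBOX=$(mktemp -d) || exit 1          # stand-in for $TMPDIR
trap 'rm -rf "$SANDBOX"' 0

# The vulnerable write from the bug report: the name depends only on the
# pid, which a local user can read from ps or /proc, and ">" opens whatever
# is already at that path, following a symlink and truncating its target.
vulnerable_write() {
    { echo "#! /bin/sh"; echo "exit 0"; } > "$1"
}

# Attacker plants a symlink at the predictable name; victim then writes.
# Echoes "clobbered" if the victim's own file was overwritten through it.
demo_symlink_clobber() {
    victim_file="$SANDBOX/important_file"
    planted="$SANDBOX/conf$$.sh"
    echo "original contents" > "$victim_file"
    ln -s "$victim_file" "$planted"             # attacker's step
    vulnerable_write "$planted" 2>/dev/null     # victim's step
    if [ "$(cat "$victim_file")" = "original contents" ]; then
        echo intact
    else
        echo clobbered
    fi
    rm -f "$planted" "$victim_file"
}

# The fallback branch of AS_TMPDIR: plain mkdir under umask 077.  mkdir
# never follows a symlink and fails with EEXIST if anything is at the name,
# so a planted entry turns the attack into a failed run, not an overwrite.
fallback_mkdir() {
    (umask 077 && mkdir "$1") 2>/dev/null
}

# Echoes "refused" when a planted symlink stops the fallback from proceeding.
demo_mkdir_refuses_planted_name() {
    attacker_dir="$SANDBOX/attacker_dir"
    planted="$SANDBOX/foo$$-"
    mkdir "$attacker_dir"
    ln -s "$attacker_dir" "$planted"            # attacker's step
    if fallback_mkdir "$planted"; then echo created; else echo refused; fi
    rm -f "$planted"
    rmdir "$attacker_dir"
}

# AS_TMPDIR-style creation: mktemp -d if available, else the mkdir fallback.
# Prints the directory path on success, returns 1 on failure.
make_tmpdir() {
    tmpdir_base=$1; prefix=$2
    tmp=$( (umask 077 && mktemp -d -q "$tmpdir_base/${prefix}XXXXXX") 2>/dev/null ) &&
    test -n "$tmp" && test -d "$tmp" && { echo "$tmp"; return 0; }
    tmp="$tmpdir_base/$prefix$$-$RANDOM"        # $RANDOM is empty outside bash/ksh/zsh
    fallback_mkdir "$tmp" && { echo "$tmp"; return 0; }
    return 1
}

# Permission string as ls prints it, e.g. drwx------ for a mode 700 directory.
perm_string() {
    ls -ld "$1" | cut -c1-10
}

echo "predictable name, planted symlink: $(demo_symlink_clobber)"
echo "mkdir fallback on planted name:     $(demo_mkdir_refuses_planted_name)"
d=$(make_tmpdir "$SANDBOX" conf) && echo "secure tmpdir: $d ($(perm_string "$d"))"
```

Run it as a script; it prints one line per scenario and removes the sandbox on exit. The first scenario shows the actual consequence of the predictable name: a file the victim can write is overwritten with the victim's privileges. The second shows why the directory approach holds even without mktemp: what refuses the planted entry is mkdir's own create-or-fail semantics, not the unpredictability of the name, so $RANDOM in the fallback only reduces accidental collisions.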

Revision history for this message
Bruno Haible (bruno-clisp) wrote :

Upon the question:
> > Do you have a suggestion how to create temporary files in /tmp in a
> > secure way, even on platforms without 'mktemp' program?

Alexandre Duret-Lutz wrote:
> Here is what AS_TMPDIR([foo]) produces.

Aha! So you mean to say, the only way to securely create a file using usual
shell script constructs like

   filename=`command to compute a temp filename`
   echo "some contents" > $filename

is to make filename sit in a temporary directory under /tmp, not directly
in /tmp ?

> # Create a temporary directory, and hook for its removal unless debugging.
> $debug ||
> {
> trap 'exit_status=$?; rm -rf $tmp && exit $exit_status' 0
> trap '{ (exit 1); exit 1; }' 1 2 13 15
> }
>
> # Create a (secure) tmp directory for tmp files.
>
> : ${TMPDIR=/tmp}
>
> {
> tmp=`(umask 077 && mktemp -d -q "$TMPDIR/fooXXXXXX") 2>/dev/null` &&
> test -n "$tmp" && test -d "$tmp"
> } ||
> {
> tmp=$TMPDIR/foo$$-$RANDOM
> (umask 077 && mkdir $tmp)
> } ||
> {
> echo "$me: cannot create a temporary directory in $TMPDIR" >&2
> { (exit 1); exit 1; }
> }

Not bad, but still not perfect: mktemp is not a POSIX standardized
utility, and $RANDOM is bash specific. So what do you propose on POSIX
systems without mktemp and bash? Just fall back on the unsecure foo$$
pattern? Or ship an mktemp.c with the package, to be compiled by
'configure' very early?

It would be nice if we could write up the result of this discussion, when
finished, in the autoconf manual.
http://www.gnu.org/software/autoconf/manual/autoconf-2.57/html_chapter/autoconf_10.html

Bruno

Revision history for this message
Martin Pitt (pitti) wrote :

Uploaded to Warty with Jeff's permission:
 gettext (0.14.1-2ubuntu0.1) warty-security; urgency=low
 .
   * SECURITY UPDATE: insecure temporary file and directory handling
     (Warty bug #9448)
   * patch based on the Fedora update by Mark J. Cox, thanks
   * gettext-tools/misc/autopoint.in, gettext-tools/misc/gettextize.in:
     method to determine PATH separator created temporary file in an insecure
     way; replaced the whole detection part with a simple hardcoding of ':'
     (Unix standard)
   * gettext-tools/misc/autopoint.in:
     - use mktemp to create temporary file (instead of construction with $$)
     - check the success of all mkdir calls to protect against symlink attacks
   * References:
     CAN-2004-0966
     http://bugs.debian.org/278283

So this is fixed in Warty, but it must still be fixed in Hoary. Leaving open and
adjusting.

Revision history for this message
Thomas Dickey (dickey-his) wrote :

On Tue, 26 Oct 2004, Bruno Haible wrote:

> is to make filename sit in a temporary directory under /tmp, not directly
> in /tmp ?

For the truly paranoid, even that is not sufficient.

>
> Not bad, but still not perfect: mktemp is not a POSIX standardized
> utility, and $RANDOM is bash specific. So what do you propose on POSIX
> systems without mktemp and bash? Just fall back on the unsecure foo$$
> pattern? Or ship an mktemp.c with the package, to be compiled by
> 'configure' very early?
>
> It would be nice if we could write up the result of this discussion, when
> finished, in the autoconf manual.
> http://www.gnu.org/software/autoconf/manual/autoconf-2.57/html_chapter/autoconf_10.html
>
> Bruno

--
Thomas E. Dickey
http://invisible-island.net
ftp://invisible-island.net

Revision history for this message
Paul Jarc (prj-po) wrote :

Bruno Haible <email address hidden> wrote:
> Not bad, but still not perfect: mktemp is not a POSIX standardized
> utility, and $RANDOM is bash specific.

What sort of threat are you trying to defend against? Even if mktemp
is not available, and even if $RANDOM is empty, mkdir will still
either create a new directory or correctly fail. It won't let you use
an existing directory (or symlink to a directory).

paul

Revision history for this message
Alexandre Duret-Lutz (adl-src) wrote :

On Tue, Oct 26, 2004 at 03:40:46PM +0200, Bruno Haible wrote:
>
> Aha! So you mean to say, the only way to securely create a file using usual
> shell script constructs like
>
> filename=`command to compute a temp filename`
> echo "some contents" > $filename
>
> is to make filename sit in a temporary directory under /tmp, not directly
> in /tmp ?

I don't know, but that's what I would do anyway.

Something like

   set -C
   umask 077
   echo "some contents" > $filename && ...

seems to work with my shell, but you can google reports about "set -C"
not being portable. Also reading Posix it's not clear to me whether this
is really expected to fail when $filename is a symlink.

> > {
> > tmp=`(umask 077 && mktemp -d -q "$TMPDIR/fooXXXXXX") 2>/dev/null` &&
> > test -n "$tmp" && test -d "$tmp"
> > } ||
> > {
> > tmp=$TMPDIR/foo$$-$RANDOM
> > (umask 077 && mkdir $tmp)
> > } ||
> > {
> > echo "$me: cannot create a temporary directory in $TMPDIR" >&2
> > { (exit 1); exit 1; }
> > }
>
> Not bad, but still not perfect: mktemp is not a POSIX standardized
> utility, and $RANDOM is bash specific. So what do you propose on POSIX
> systems without mktemp and bash? Just fall back on the unsecure foo$$
> pattern?

Doesn't this happen when $RANDOM is undefined?

Why do you call this unsecure? Either the directory already exists
and your script aborts, or the directory is created with safe permissions.

If someone created all the possible foo$$ patterns, or simply filled
/tmp up, you can always suggest the user to set TMPDIR to some
directory of his.

> Or ship an mktemp.c with the package, to be compiled by 'configure'
> very early?

Hell, no! :)

> It would be nice if we could write up the result of this discussion, when
> finished, in the autoconf manual.
> http://www.gnu.org/software/autoconf/manual/autoconf-2.57/html_chapter/autoconf_10.html

Would be helpful, unless it boils down to "use AS_TMPDIR". (I mention
this because in the past the discussion about "dirname" included a
shell snippet showing how to emulate it, and this has now been
replaced by "use AS_DIRNAME" which is less instructive.)

Revision history for this message
Bruno Haible (bruno-clisp) wrote :

Thomas Dickey wrote:
> > is to make filename sit in a temporary directory under /tmp, not directly
> > in /tmp ?
>
> For the truly paranoid, even that is not sufficient.

Why? The creation of the temp directory cannot erase a file, and once the
directory is created with mode 077, an attacker cannot place a symlink into
it. What kind of attack is still possible with a temp directory with mode 077?
Can you please explain?

Bruno

Revision history for this message
Thomas Dickey (dickey-his) wrote :

On Tue, 26 Oct 2004, Bruno Haible wrote:

> Thomas Dickey wrote:
> > > is to make filename sit in a temporary directory under /tmp, not directly
> > > in /tmp ?
> >
> > For the truly paranoid, even that is not sufficient.
>
> Why? The creation of the temp directory cannot erase a file, and once the
> directory is created with mode 077, an attacker cannot place a symlink into
> it. What kind of attack is still possible with a temp directory with mode 077?
> Can you please explain?

On some systems (none recent), I recall that you could still rename the
directory (and put a link to your favorite location).

--
Thomas E. Dickey
http://invisible-island.net
ftp://invisible-island.net

Revision history for this message
Bruno Haible (bruno-clisp) wrote :

Alexandre Duret-Lutz wrote:

> Why do you call this unsecure? Either the directory already exists
> and your script aborts, or the directory is created with safe permissions.

You're right, sorry. I was confused by the presence of $RANDOM. Now I see
that the purpose of $RANDOM is only to decrease the probability of failure,
not to increase security: Creating a directory with mode 077 is all that's
needed for security.

> > It would be nice if we could write up the result of this discussion, when
> > finished, in the autoconf manual.
> > http://www.gnu.org/software/autoconf/manual/autoconf-2.57/html_chapter/autoconf_10.html
>
> Would be helpful, unless it boils down to "use AS_TMPDIR".

Well, there are uses of shell scripts outside of autoconf. autoconf.info
chapter 10 is also a valuable handbook for them. References to AS_* macros
are less useful in this context.

How about this?

*** autoconf/doc/autoconf.texi.bak 2004-10-12 13:50:46.000000000 +0200
--- autoconf/doc/autoconf.texi 2004-10-26 20:30:58.000000000 +0200
***************
*** 11581,11586 ****
--- 11581,11623 ----
  older versions are not thread-safe either).

+ @item @command{mktemp}
+ @c -------------------
+ @prindex @command{mktemp}
+ @cindex Creating temporary files
+ The command @command{mktemp} exists only on a few systems. A portable
+ way to create a temporary file name into which it is safe to write,
+ protecting against symlink attacks, is to create a temporary directory
+ with mode 700 and use a file inside this directory.
+
+ Here is sample code to securely create a temporary directory:
+
+ @example
+ # Use the environment variable TMPDIR, falling back to /tmp. This allows
+ # users to specify a different temporary directory, for example, if their
+ # /tmp is filled up or too small.
+ : $@{TMPDIR=/tmp@}
+ @{
+ # Use the mktemp program if available. If not available, hide the error
+ # message.
+ tmp=`(umask 077 && mktemp -d -q "$TMPDIR/fooXXXXXX") 2>/dev/null` &&
+ test -n "$tmp" && test -d "$tmp"
+ @} ||
+ @{
+ # Use a simple mkdir command. It is guaranteed to fail if the directory
+ # already exists. $RANDOM is bash specific and expands to empty in shells
+ # other than bash. Its use does not increase security; rather, it
+ # minimizes the probability of failure in a very cluttered /tmp directory.
+ tmp=$TMPDIR/foo$$-$RANDOM
+ (umask 077 && mkdir "$tmp")
+ @} ||
+ @{
+ echo "$0: cannot create a temporary directory in $TMPDIR" >&2
+ @{ (exit 1); exit 1; @}
+ @}
+ @end example
+
+
  @item @command{mv}
  @c ---------------
  @prindex @command{mv}
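Review bot: the example omits the cleanup that the AS_TMPDIR output quoted earlier installs, so a script that copies it verbatim leaves $tmp behind whenever it exits early or is interrupted; the two trap lines belong in the @example ahead of the creation block, along the lines of trap 'exit_status=$?; rm -rf "$tmp" && exit $exit_status' 0 and trap '{ (exit 1); exit 1; }' 1 2 13 15. Two smaller points in the same hunk: the comment that $RANDOM "expands to empty in shells other than bash" is too broad, since ksh and zsh provide it as well ("in shells that do not provide it" would be accurate), and the prose could say outright that the predictable fallback name lets a local user make the script fail by pre-creating it, which is the denial of service Alexandre's "created all the possible foo$$ patterns" remark refers to and which the TMPDIR comment only hints at.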

Bruno

Revision history for this message
Bruno Haible (bruno-clisp) wrote :

Thomas Dickey wrote:
> On some systems (none recent), I recall that you could still rename the
> directory (and put a link to your favorite location).

These must be systems on which the sticky bit on a directory (the 't' bit)
doesn't work. I don't attempt to write secure code for such platforms.

Bruno

Revision history for this message
Paul Eggert (eggert-cs) wrote :

Alexandre Duret-Lutz <email address hidden> writes:

> Also reading Posix it's not clear to me whether this [set -C]
> is really expected to fail when $filename is a symlink.

More to the point, "set -C" doesn't work in practice to avoid
clobbering $filename if $filename is a special file, or a symlink to a
special file; and POSIX clearly permits this behavior.
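What set -C does and does not refuse, checked rather than argued. This is an added example, not code from anyone in this thread: it runs the thread's echo "some contents" > $filename under noclobber against an existing regular file, a symlink to a regular file, a symlink to /dev/null standing in for a special file, a dangling symlink and a fresh name, inside a throwaway sandbox directory. It assumes bash or dash (both implement noclobber the same way: refuse only when the target, after following symlinks, is a regular file), ln -s, and a writable /dev/null; the sandbox and the noclobber_write and demo_* names are this example's own.

```shell
#!/bin/sh
# Added example, not code from anyone in this thread.  Checks what 'set -C'
# (noclobber) actually refuses, in a throwaway sandbox directory.
# Assumptions: bash or dash (same noclobber logic: refuse only a regular
# file, after following symlinks), ln -s, and /dev/null as the special file.

SANDBOX=$(mktemp -d) || exit 1
trap 'rm -rf "$SANDBOX"' 0

# Attempt the thread's write under noclobber, in a subshell so -C does not
# leak out.  Echoes "written" if the redirection succeeded, "refused" if
# the shell declined to open the file.
noclobber_write() {
    if ( set -C; umask 077; echo "some contents" > "$1" ) 2>/dev/null; then
        echo written
    else
        echo refused
    fi
}

# Existing regular file, and a symlink to one: both refused.  This is the
# protection noclobber is usually credited with.
demo_regular_file_and_link() {
    f="$SANDBOX/regular"; echo keep > "$f"
    ln -s "$f" "$SANDBOX/link_to_regular"
    r1=$(noclobber_write "$f")
    r2=$(noclobber_write "$SANDBOX/link_to_regular")
    rm -f "$f" "$SANDBOX/link_to_regular"
    echo "$r1 $r2"
}

# Symlink to a special file: the shell stats a non-regular target and opens
# it without O_EXCL, so the write goes through the planted link.  POSIX
# permits this behaviour, which is the point made above.
demo_link_to_special_file() {
    ln -s /dev/null "$SANDBOX/link_to_device"
    r=$(noclobber_write "$SANDBOX/link_to_device")
    rm -f "$SANDBOX/link_to_device"
    echo "$r"
}

# Dangling symlink (pointed at a file that does not exist yet): stat fails,
# the shell opens with O_CREAT|O_EXCL, and open() fails with EEXIST on a
# symlink regardless of where it points, so this one is refused.
demo_dangling_link() {
    ln -s "$SANDBOX/does_not_exist" "$SANDBOX/dangling"
    r=$(noclobber_write "$SANDBOX/dangling")
    rm -f "$SANDBOX/dangling" "$SANDBOX/does_not_exist"
    echo "$r"
}

# Fresh name: created exclusively; the only case where the write is safe.
demo_fresh_name() {
    r=$(noclobber_write "$SANDBOX/fresh")
    rm -f "$SANDBOX/fresh"
    echo "$r"
}

echo "regular file, symlink to regular file: $(demo_regular_file_and_link)"
echo "symlink to /dev/null:                  $(demo_link_to_special_file)"
echo "dangling symlink:                      $(demo_dangling_link)"
echo "fresh name:                            $(demo_fresh_name)"
```

The third scenario is the one that matters for a script writing into a shared directory: noclobber's check is a stat followed by an open, and it deliberately lets non-regular targets through, so a planted link to a device or FIFO is written to as if -C were not set. That is why the thread converges on a mode-700 directory instead of relying on set -C for a file placed directly in /tmp.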

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Tue, 26 Oct 2004 19:56:53 +0200
From: Bruno Haible <email address hidden>
To: Thomas Dickey <email address hidden>
Cc: Alexandre Duret-Lutz <email address hidden>, <email address hidden>,
 Santiago Vila <email address hidden>, <email address hidden>,
 <email address hidden>, Joey Hess <email address hidden>
Subject: Re: Bug#278283: insecure temporary file usage in gettextize and autopoint (fwd)

Thomas Dickey wrote:
> > is to make filename sit in a temporary directory under /tmp, not directly
> > in /tmp ?
>
> For the truly paranoid, even that is not sufficient.

Why? The creation of the temp directory cannot erase a file, and once the
directory is created with mode 077, an attacker cannot place a symlink into
it. What kind of attack is still possible with a temp directory with mode 077?
Can you please explain?

Bruno

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Tue, 26 Oct 2004 14:32:32 -0400 (EDT)
From: Thomas Dickey <email address hidden>
To: Bruno Haible <email address hidden>
cc: Alexandre Duret-Lutz <email address hidden>, <email address hidden>,
 Santiago Vila <email address hidden>, <email address hidden>,
 <email address hidden>, Joey Hess <email address hidden>
Subject: Re: Bug#278283: insecure temporary file usage in gettextize and
 autopoint (fwd)

On Tue, 26 Oct 2004, Bruno Haible wrote:

> Thomas Dickey wrote:
> > > is to make filename sit in a temporary directory under /tmp, not directly
> > > in /tmp ?
> >
> > For the truly paranoid, even that is not sufficient.
>
> Why? The creation of the temp directory cannot erase a file, and once the
> directory is created with mode 077, an attacker cannot place a symlink into
> it. What kind of attack is still possible with a temp directory with mode 077?
> Can you please explain?

On some systems (none recent), I recall that you could still rename the
directory (and put a link to your favorite location).

--
Thomas E. Dickey
http://invisible-island.net
ftp://invisible-island.net

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Tue, 26 Oct 2004 20:37:01 +0200
From: Bruno Haible <email address hidden>
To: Alexandre Duret-Lutz <email address hidden>
Cc: <email address hidden>, Santiago Vila <email address hidden>,
 <email address hidden>, <email address hidden>, Joey Hess <email address hidden>
Subject: Re: Bug#278283: insecure temporary file usage in gettextize and autopoint (fwd)

Alexandre Duret-Lutz wrote:

> Why do you call this unsecure? Either the directory already exists
> and your script aborts, or the directory is created with safe permissions.

You're right, sorry. I was confused by the presence of $RANDOM. Now I see
that the purpose of $RANDOM is only to decrease the probability of failure,
not to increase security: Creating a directory with mode 077 is all that's
needed for security.

> > It would be nice if we could write up the result of this discussion, when
> > finished, in the autoconf manual.
> > http://www.gnu.org/software/autoconf/manual/autoconf-2.57/html_chapter/autoconf_10.html
>
> Would be helpful, unless it boils down to "use AS_TMPDIR".

Well, there are uses of shell scripts outside of autoconf. autoconf.info
chapter 10 is also a valuable handbook for them. References to AS_* macros
are less useful in this context.

How about this?

*** autoconf/doc/autoconf.texi.bak 2004-10-12 13:50:46.000000000 +0200
--- autoconf/doc/autoconf.texi 2004-10-26 20:30:58.000000000 +0200
***************
*** 11581,11586 ****
--- 11581,11623 ----
  older versions are not thread-safe either).

+ @item @command{mktemp}
+ @c -------------------
+ @prindex @command{mktemp}
+ @cindex Creating temporary files
+ The command @command{mktemp} exists only on a few systems. A portable
+ way to create a temporary file name into which it is safe to write,
+ protecting against symlink attacks, is to create a temporary directory
+ with mode 700 and use a file inside this directory.
+
+ Here is sample code to securely create a temporary directory:
+
+ @example
+ # Use the environment variable TMPDIR, falling back to /tmp. This allows
+ # users to specify a different temporary directory, for example, if their
+ # /tmp is filled up or too small.
+ : $@{TMPDIR=/tmp@}
+ @{
+ # Use the mktemp program if available. If not available, hide the error
+ # message.
+ tmp=`(umask 077 && mktemp -d -q "$TMPDIR/fooXXXXXX") 2>/dev/null` &&
+ test -n "$tmp" && test -d "$tmp"
+ @} ||
+ @{
+ # Use a simple mkdir command. It is guaranteed to fail if the directory
+ # already exists. $RANDOM is bash specific and expands to empty in shells
+ # other than bash. Its use does not increase security; rather, it
+ # minimizes the probability of failure in a very cluttered /tmp directory.
+ tmp=$TMPDIR/foo$$-$RANDOM
+ (umask 077 && mkdir "$tmp")
+ @} ||
+ @{
+ echo "$0: cannot create a temporary directory in $TMPDIR" >&2
+ @{ (exit 1); exit 1; @}
+ @}
+ @end example
+
+
  @item @command{mv}
  @c ---------------
  @prindex @command{mv}
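Review bot: in the fallback branch, the comment "It is guaranteed to fail if the directory already exists" understates the property the security argument rests on: mkdir(2) fails with EEXIST when any entry, regular file, FIFO or symlink included, already has that name, and it never follows a symlink, which is exactly why a pre-planted link cannot redirect it; say so, since the preceding prose promises protection against symlink attacks. Two more things the manual text should cover: after a successful mkdir the directory is only safe if its parent ($TMPDIR, normally the sticky /tmp) stops other users from renaming or removing it, so the reader should know the guarantee depends on the sticky bit; and the sample never removes $tmp, so either add `trap 'rm -rf "$tmp"' 0 1 2 13 15` right after the directory is created or tell the reader to. Minor: $RANDOM is also provided by ksh and zsh, so "bash specific" is not quite right.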

Bruno

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Tue, 26 Oct 2004 20:49:36 +0200
From: Bruno Haible <email address hidden>
To: Thomas Dickey <email address hidden>
Cc: Alexandre Duret-Lutz <email address hidden>, <email address hidden>,
 Santiago Vila <email address hidden>, <email address hidden>,
 <email address hidden>, Joey Hess <email address hidden>
Subject: Re: Bug#278283: insecure temporary file usage in gettextize and autopoint (fwd)

Thomas Dickey wrote:
> On some systems (none recent), I recall that you could still rename the
> directory (and put a link to your favorite location).

These must be systems on which the sticky bit on a directory (the 't' bit)
doesn't work. I don't attempt to write secure code for such platforms.

Bruno

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Tue, 26 Oct 2004 12:27:37 -0700
From: Paul Eggert <email address hidden>
To: Alexandre Duret-Lutz <email address hidden>
Cc: <email address hidden>, <email address hidden>,
        <email address hidden>
Subject: Re: Bug#278283: insecure temporary file usage in gettextize and
 autopoint (fwd)

Alexandre Duret-Lutz <email address hidden> writes:

> Also reading Posix it's not clear to me whether this [set -C]
> is really expected to fail when $filename is a symlink.

More to the point, "set -C" doesn't work in practice to avoid
clobbering $filename if $filename is a special file, or a symlink to a
special file; and POSIX clearly permits this behavior.
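The following script is an added example for this thread and is not code from gettext, autopoint or the autoconf manual. It ties together Bruno Haible's proposed recipe (a mode 0700 temporary directory, mktemp first, mkdir as fallback) and Paul Eggert's remark that `set -C` does not protect against special files, by replaying all three situations inside a sandbox directory the script creates for itself rather than in /tmp. The function names, the sandbox layout, the "victim" file and the use of a symlink to /dev/null as the special-file case are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not project code. Demonstrates, in a private sandbox:
#   1. `{ ...; } > /tmp/conf$$.sh` follows a pre-planted symlink and overwrites
#      whatever it points at (the CAN-2004-0966 pattern);
#   2. `set -C` (noclobber) still writes when the target is a special file,
#      here a symlink to /dev/null, because it only refuses regular files;
#   3. `mkdir` of a predictable name fails with EEXIST instead of following
#      the planted symlink, which is what makes the temp-directory recipe safe.

# make_private_tmpdir PARENT PREFIX
# Prints the path of a new directory under PARENT that only the caller can
# enter. mktemp -d is preferred; the fallback relies on mkdir(2) failing
# when anything (file, symlink, directory) already has that name.
make_private_tmpdir() {
    parent=$1
    prefix=$2
    tmp=`(umask 077 && mktemp -d -q "$parent/${prefix}XXXXXX") 2>/dev/null` &&
        test -n "$tmp" && test -d "$tmp" && { printf '%s\n' "$tmp"; return 0; }
    # $RANDOM exists in bash, ksh and zsh and expands to nothing in plain sh;
    # it only lowers the chance of a name collision and adds no security.
    tmp="$parent/$prefix$$-$RANDOM"
    (umask 077 && mkdir "$tmp") || return 1
    printf '%s\n' "$tmp"
}

# insecure_write PATH
# The pattern the bug report quotes: a predictable name opened with plain `>`.
insecure_write() {
    { echo "#! /bin/sh"; echo "exit 0"; } > "$1"
}

# demo_symlink_attack SANDBOX
# Plays attacker and victim inside SANDBOX (constructed for the demo).
# Returns 0 when all three observations above hold on this system, 1 otherwise.
demo_symlink_attack() {
    sandbox=$1
    victim="$sandbox/victim-file"          # stands in for e.g. ~/.profile
    printf 'original contents\n' > "$victim"

    # 1. Attacker guesses conf$$.sh and plants a symlink before the script runs.
    ln -s "$victim" "$sandbox/conf$$.sh"
    insecure_write "$sandbox/conf$$.sh"
    grep -q '^exit 0$' "$victim" || return 1   # the victim file was overwritten

    # 2. noclobber refuses existing regular files only; a symlink to a device
    #    node is written to without complaint, so it is not a fix.
    ln -s /dev/null "$sandbox/conf-noclobber.sh"
    (set -C; insecure_write "$sandbox/conf-noclobber.sh") 2>/dev/null || return 1

    # 3. The same planted symlink against a predictable directory name:
    #    mkdir cannot be redirected, it simply fails with "File exists".
    ln -s "$victim" "$sandbox/work$$"
    if (umask 077 && mkdir "$sandbox/work$$") 2>/dev/null; then
        return 1                            # mkdir must not have succeeded
    fi
    return 0
}

# Stand-alone run: build the sandbox with the safe routine (falling back to the
# current directory if $TMPDIR is unwritable), remove it again even on
# interrupt, and report what happened.
demo_dir=`make_private_tmpdir "${TMPDIR:-/tmp}" tmpdemo 2>/dev/null ||
          make_private_tmpdir . tmpdemo` || exit 1
trap 'rm -rf "$demo_dir"' 0 1 2 13 15
if demo_symlink_attack "$demo_dir"; then
    echo "as expected: plain '>' and 'set -C' followed the planted symlink, mkdir refused"
else
    echo "unexpected result on this system"
fi
```

The `trap` line is the piece the manual recipe leaves out: without it an interrupted script leaves the directory behind, which is a cleanliness problem rather than a security one, but it costs one line. Nothing in the script touches /tmp directly except creating the sandbox itself with the safe routine.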

Revision history for this message
Santiago Vila (sanvila) wrote : Bug#278283: fixed in gettext 0.14.1-6

Source: gettext
Source-Version: 0.14.1-6

We believe that the bug you reported is fixed in the latest version of
gettext, which is due to be installed in the Debian FTP archive:

gettext-base_0.14.1-6_i386.deb
  to pool/main/g/gettext/gettext-base_0.14.1-6_i386.deb
gettext-doc_0.14.1-6_all.deb
  to pool/main/g/gettext/gettext-doc_0.14.1-6_all.deb
gettext-el_0.14.1-6_all.deb
  to pool/main/g/gettext/gettext-el_0.14.1-6_all.deb
gettext_0.14.1-6.diff.gz
  to pool/main/g/gettext/gettext_0.14.1-6.diff.gz
gettext_0.14.1-6.dsc
  to pool/main/g/gettext/gettext_0.14.1-6.dsc
gettext_0.14.1-6_i386.deb
  to pool/main/g/gettext/gettext_0.14.1-6_i386.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Santiago Vila <email address hidden> (supplier of updated gettext package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 27 Oct 2004 19:21:30 +0200
Source: gettext
Binary: gettext-doc gettext gettext-base gettext-el
Architecture: source all i386
Version: 0.14.1-6
Distribution: unstable
Urgency: high
Maintainer: Santiago Vila <email address hidden>
Changed-By: Santiago Vila <email address hidden>
Description:
 gettext - GNU Internationalization utilities
 gettext-base - GNU Internationalization utilities for the base system
 gettext-doc - Documentation for GNU gettext
 gettext-el - Emacs po-mode for editing .po files
Closes: 269059 270886 278283
Changes:
 gettext (0.14.1-6) unstable; urgency=high
 .
   * Fixed xgettext misparsing of perl source (Closes: #269059).
     Patch by Guido Flohr, approved by Bruno Haible.
   * Added Suggests: gettext-doc to gettext (Closes: #270886).
   * Improved description of gettext-doc (Bug #270886 also).
   * Fixed gettextize and autopoint insecure behaviour regarding
     temp files (Closes: #278283). This is CAN-2004-0966.
     Patch by Mark J. Cox, slightly modified by Martin Pitt.
     The patch hardcodes `:' as the PATH separator, so it will not work
     on non-Unix Debian architectures (sorry), but should be good enough
     for the 11 architectures in sarge, the Hurd and the *BSDs.
Files:
 76f35916dd445f979588deaeaa2cab45 662 devel optional gettext_0.14.1-6.dsc
 05031a8afee8471be4e39579a3c566de 128120 devel optional gettext_0.14.1-6.diff.gz
 bc2c8c3a778399f060d245c7f41c3d62 45532 devel optional gettext-el_0.14.1-6_all.deb
 93e574b7a20bce6dac6aaf53574f16f8 639238 doc optional gettext-doc_0.14.1-6_all.deb
 1dca0639ea7650cb84e4094233bc0da4 91134 base standard gettext-base_0.14.1-6_i386.deb
 27b8c77dcd034c98448c5eca76b7df7b 1555370 devel optional gettext_0.14.1-6_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBf95Wd9Uuvj7yPNYRAvLZAJ9OaMk0OTvLhzBU70YspvWqsg/wtwCcCSnH
WKXq6TSV7oUCTRdM8hByGw0=
=Jn2B
-----END PGP ...


Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Wed, 27 Oct 2004 14:02:04 -0400
From: Santiago Vila <email address hidden>
To: <email address hidden>
Subject: Bug#278283: fixed in gettext 0.14.1-6


Revision history for this message
Martin Pitt (pitti) wrote :

Fixed in Hoary by recent sid sync.

Changed in gettext:
status: Unknown → Fix Released