KIOSlave FTP client can be made to send email

Bug #11467 reported by Debian Bug Importer
Affects           Status        Importance  Assigned to      Milestone
kdelibs (Debian)  Fix Released  Unknown
kdelibs (Ubuntu)  Invalid       High        Andreas Mueller

Bug Description

Automatically imported from Debian bug report #287201 http://bugs.debian.org/287201

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Sat, 25 Dec 2004 14:00:01 -0500
From: Ian Gulliver <email address hidden>
To: <email address hidden>
Subject: KIOSlave FTP client can be made to send email

Package: kdelibs
Version: 3.2.3-2
Severity: grave

The KIOSlave FTP client is vulnerable to the same exploit as Internet
Explorer:

http://lists.netsys.com/pipermail/full-disclosure/2004-December/030229.html

Anything that can pass an FTP URL to it, i.e. a malicious website viewed
in Konqueror, can cause it to send mail without user interaction. A
proposed, untested patch is attached.

--
Ian Gulliver
Penguin Hosting
"Failure is not an option; it comes bundled with your Microsoft products."

--CblX+4bnyfN0pR09
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="kdelibs-3.2.3-ftp-fixed.patch"
Content-Transfer-Encoding: quoted-printable

--- kdelibs-3.2.3/kioslave/ftp/ftp.cc 2004-02-15 16:15:27.000000000 -0500
+++ kdelibs-3.2.3-ftp-fixed/kioslave/ftp/ftp.cc 2004-12-25 00:44:27.0000000=
00 -0500
@@ -652,6 +652,9 @@
 {
   assert( sControl > 0 );
=20
+ if (cmd.find('\r') !=3D -1 || cmd.find('\n') !=3D -1)
+ return false;
+
   QCString buf =3D cmd;
   buf +=3D "\r\n";
=20
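
Review bot: The added check ahead of "QCString buf" returns false without logging or reporting an error, so a caller sees only a failed command and nothing records that input containing CR or LF was refused. Emit a warning and report an error to the job before "return false;" so the rejection is visible to the user and in logs. The placement of the test, before the "\r\n" terminator is appended, is right.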

--CblX+4bnyfN0pR09--

Revision history for this message
Andreas Mueller (amu) wrote :

FYI

00:05 < Riddell> 22:59 < coolo> Riddell: it's true that konqueror is vulnerable
                 to the same bug, but it's not true that you
00:05 < Riddell> can send mail through it

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Sat, 25 Dec 2004 19:37:43 -0500
From: Ian Gulliver <email address hidden>
To: <email address hidden>
Subject: Tag missed in submission

package kdelibs
tags 287201 +security

--
Ian Gulliver
Penguin Hosting
"Failure is not an option; it comes bundled with your Microsoft products."

Revision history for this message
Andreas Mueller (amu) wrote :

a "better" patch from upstream http://bugs.kde.org/show_bug.cgi?id=95825

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Marking as duplicate based on debbugs merge (285128,287201)

This bug has been marked as a duplicate of bug 11565.

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Sat, 1 Jan 2005 11:57:55 +0100
From: Adeodato Simó <email address hidden>
To: <email address hidden>
Cc: <email address hidden>
Subject: Re: missing bits for the transition

# -|
# -|--> to be merged (sure?) ====> yes

### These two bugs are the same vulnerability, and that the bug
### really belongs to kdelibs, not konqueror/kdebase.

#285128: CAN-2004-1165: FTP command injection bug
reassign 285128 kdelibs
severity 285128 grave

#287201: KIOSlave FTP client can be made to send email
merge 285128 287201

stop here, and happy new year for you too

--
Adeodato Simó EM: asp16 [ykwim] alu.ua.es | PK: DA6AE621

Beauty, brains, availability, personality: pick any two.

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Mon, 3 Jan 2005 12:12:10 +0100
From: Adeodato Simó <email address hidden>
To: <email address hidden>, <email address hidden>
Cc: <email address hidden>, <email address hidden>, <email address hidden>, <email address hidden>
Subject: Re: Final polishing of the KDE 3.3 transition

#> we'll go with lowering to 'important', with an attached explanation.

#285128: kdelibs: CAN-2004-1165: FTP command injection bug
severity 285128 important

#286516: kdebase: CAN-2004-1158: Konqueror Window Injection Vuln.
severity 286516 important

#286521: kdelibs: CAN-2004-1145: Konqueror Java Vulnerability
severity 286521 important

thanks mate, see you again after the transition

  In agreement with the Release Team, I'm downgrading the severity of
  the above three security bugs in KDE to important, so that KDE 3.3 can
  enter sarge. See this thread [1] for more info.

    [1] http://lists.debian.org/debian-release/2005/01/msg00004.html

  The severity will be restored right after the transition, and uploads
  to sid will shortly follow. Just to say what is going to happen:
  kdebase 3.3.1-4 will be uploaded first (along with a arts 1.3.2-2, not
  security related). While buildds churn these two, a kdelibs 3.3.2-1
  upload to sid will be prepared, and uploaded as soon as kdebase+arts
  is built in all arches.

  We need to upload kdelibs 3.3.2 since the fix for CAN-2004-1145 (the
  Java Vulnerability) is not easily backportable to 3.3.1. Having
  kdelibs 3.3.2 with the rest of packages being at 3.3.1 is a safe mix;
  in any case, we will test prior to uploading and the urgency won't be
  set to high.

  Cheers,

--
Adeodato Simó EM: asp16 [ykwim] alu.ua.es | PK: DA6AE621
    Listening to: 10,000 Maniacs - don't talk

Don't worry about what anybody else is going to do. The best way to
predict the future is to invent it.
                -- Alan Kay

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Tue, 4 Jan 2005 09:48:48 +0100
From: Adeodato Simó <email address hidden>
To: <email address hidden>, <email address hidden>
Cc: <email address hidden>
Subject: Re: Final polishing of the KDE 3.3 transition

# severity 285128 important
# severity 286516 important
# severity 286521 important
# thanks mate, see you again after the transition

# <vorlon> dato: would you care to bump those security bugs back up to RC severity?

severity 285128 grave
severity 286516 grave
severity 286521 grave

thanks. vorlon: done

--
Adeodato Simó EM: asp16 [ykwim] alu.ua.es | PK: DA6AE621

Don't be irreplaceable, if you can't be replaced, you can't be promoted.

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Wed, 5 Jan 2005 19:11:41 +0100
From: Moritz Muehlenhoff <email address hidden>
To: <email address hidden>
Cc: <email address hidden>
Subject: [patch] KDE ftp kioslave applies to woody as well

Hi,
this applies to woody as well. Attached you can find the backported upstream
patch against 2.2.2. BTW, this is CAN-2004-1165.

Cheers,
        Moritz

--NzB8fVQJ5HfG6fxh
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="kdelibs-kioslave-ftp-CAN-2004-1156.patch"

diff -Naur kdelibs-2.2.2.orig/kio/ftp/ftp.cc kdelibs-2.2.2/kio/ftp/ftp.cc
--- kdelibs-2.2.2.orig/kio/ftp/ftp.cc Wed Jan 5 12:29:07 2005
+++ kdelibs-2.2.2/kio/ftp/ftp.cc Wed Jan 5 12:28:25 2005
@@ -596,6 +596,14 @@
 {
   assert( sControl > 0 );

+ if ( cmd.find( '\r' ) != -1 || cmd.find( '\n' ) != -1)
+ {
+ kdWarning(7102) << "Invalid command received (contains CR or LF): "
+ << cmd.data() << endl;
+ error( ERR_UNSUPPORTED_ACTION, m_host );
+ return false;
+ }
+
   QCString buf = cmd;
   buf += "\r\n";
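
Review bot: The kdWarning(7102) line writes cmd.data() verbatim, and this branch runs only when cmd contains CR or LF, so the rejected input splits the log entry across lines and can make the remainder look like a separate log record. Log the command with control characters escaped, or log only its length, and keep the error() call and "return false;" as they are.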

--NzB8fVQJ5HfG6fxh--
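
The CR/LF check from the patches in this report, shown on a stand-alone command framer. This is an added example, not kdelibs code: the function names and the sample paths are constructed for illustration, and it assumes the CR/LF reaches the FTP code as percent-escapes in the URL path.

```cpp
// Added example: CR/LF handling on the FTP control channel (not kdelibs code).
#include <cstddef>
#include <iostream>
#include <string>

// Value of one hex digit, or -1 if the character is not a hex digit.
static int hex_value(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

// Percent-decode a URL path. Returns false on a truncated or non-hex escape.
bool percent_decode(const std::string& in, std::string& out) {
    out.clear();
    for (std::size_t i = 0; i < in.size(); ++i) {
        if (in[i] != '%') { out += in[i]; continue; }
        if (i + 2 >= in.size()) return false;
        const int hi = hex_value(in[i + 1]);
        const int lo = hex_value(in[i + 2]);
        if (hi < 0 || lo < 0) return false;
        out += static_cast<char>(hi * 16 + lo);
        i += 2;
    }
    return true;
}

// Pre-patch behaviour: the argument goes onto the wire unchecked.
std::string frame_unchecked(const std::string& verb, const std::string& arg) {
    return verb + " " + arg + "\r\n";
}

// Patched behaviour: refuse a command containing CR or LF before the
// terminator is appended, which is where both patches place the test.
bool frame_checked(const std::string& verb, const std::string& arg,
                   std::string& wire) {
    const std::string cmd = verb + " " + arg;
    if (cmd.find('\r') != std::string::npos ||
        cmd.find('\n') != std::string::npos)
        return false;
    wire = cmd + "\r\n";
    return true;
}

// Number of CRLF-terminated lines, i.e. commands the server will read.
std::size_t commands_on_wire(const std::string& wire) {
    std::size_t n = 0;
    for (std::size_t pos = wire.find("\r\n"); pos != std::string::npos;
         pos = wire.find("\r\n", pos + 2))
        ++n;
    return n;
}

int main() {
    // Constructed sample paths; the second carries an encoded CR LF
    // followed by a harmless NOOP.
    const char* paths[] = {"pub/readme.txt", "pub/readme.txt%0D%0ANOOP"};
    for (const char* p : paths) {
        std::string decoded, wire;
        if (!percent_decode(p, decoded)) continue;
        std::cout << p << ": unchecked sends "
                  << commands_on_wire(frame_unchecked("RETR", decoded))
                  << " command(s), checked "
                  << (frame_checked("RETR", decoded, wire) ? "accepts" : "rejects")
                  << "\n";
    }
    return 0;
}
```

The checked framer rejects a bare LF as well as CR LF, matching the patches, since the test is on either character rather than on the pair.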

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Thu, 6 Jan 2005 16:49:21 +0100
From: Martin Schulze <email address hidden>
To: Moritz Muehlenhoff <email address hidden>
Cc: <email address hidden>, <email address hidden>
Subject: Re: [patch] KDE ftp kioslave applies to woody as well

Moritz Muehlenhoff wrote:
> Hi,
> this applies to woody as well. Attached you can find the backported upstream
> patch against 2.2.2. BTW, this is CAN-2004-1165.
>
> Cheers,
> Moritz

> diff -Naur kdelibs-2.2.2.orig/kio/ftp/ftp.cc kdelibs-2.2.2/kio/ftp/ftp.cc
> --- kdelibs-2.2.2.orig/kio/ftp/ftp.cc Wed Jan 5 12:29:07 2005
> +++ kdelibs-2.2.2/kio/ftp/ftp.cc Wed Jan 5 12:28:25 2005
> @@ -596,6 +596,14 @@
> {
> assert( sControl > 0 );
>
> + if ( cmd.find( '\r' ) != -1 || cmd.find( '\n' ) != -1)
> + {
> + kdWarning(7102) << "Invalid command received (contains CR or LF): "
> + << cmd.data() << endl;
> + error( ERR_UNSUPPORTED_ACTION, m_host );
> + return false;
> + }
> +
> QCString buf = cmd;
> buf += "\r\n";
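
Review bot: error( ERR_UNSUPPORTED_ACTION, m_host ) in the added block passes only m_host, so the error carries no hint that the request was refused because it contained CR or LF. Use an error code that signals malformed input, or include a short fixed reason in the text, so this case can be told apart from a server that does not support the action.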

Thanks, that was on my agenda as well. Working on it now.

Please
 . update the package in sid
 . mention the CVE id from the subject in the changelog
 . tell me the version number of the fixed package
 . use priority=high
 . no need to upload into sarge directly, except the version in
   sid is not meant to go into testing

Regards,

 Joey

--
Let's call it an accidental feature. -- Larry Wall

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Thu, 6 Jan 2005 21:51:59 +0100
From: Adeodato Simó <email address hidden>
To: Martin Schulze <email address hidden>, <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#287201: [patch] KDE ftp kioslave applies to woody as well

* Martin Schulze [Thu, 06 Jan 2005 16:49:21 +0100]:

> Please
> . update the package in sid
> . mention the CVE id from the subject in the changelog
> . tell me the version number of the fixed package
> . use priority=high
> . no need to upload into sarge directly, except the version in
> sid is not meant to go into testing

  I recommend that you don't wait for the unstable package to be
  uploaded, since we need to hold it up until the latest kdebase and
  arts packages are built on all arches (#98 and #88 in the sparc queue,
  #18 and #14 in mipsel, the m68k buildd that picked kdebase is "fast").

  Of course, you may want to mail us just before the stable security
  update happens, in case we're ready to go then. Is there an ETA for it
  already?

  Thanks.

--
Adeodato Simó
    EM: asp16 [ykwim] alu.ua.es | PK: DA6AE621
    Listening to: Miguel Bosé - Nada particular

From the moment I picked your book up until I put it down I was
convulsed with laughter. Some day I intend reading it.
                -- Groucho Marx

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Fri, 7 Jan 2005 08:59:36 +0100
From: Martin Schulze <email address hidden>
To: Adeodato Simó <email address hidden>
Cc: <email address hidden>, <email address hidden>
Subject: Re: Bug#287201: [patch] KDE ftp kioslave applies to woody as well

Adeodato Simó wrote:
> * Martin Schulze [Thu, 06 Jan 2005 16:49:21 +0100]:
>
> > Please
> > . update the package in sid
> > . mention the CVE id from the subject in the changelog
> > . tell me the version number of the fixed package
> > . use priority=high
> > . no need to upload into sarge directly, except the version in
> > sid is not meant to go into testing
>
> I recommend that you don't wait for the unstable package to be
> uploaded, since we need to hold it up until the latest kdebase and
> arts packages are built on all arches (#98 and #88 in the sparc queue,
> #18 and #14 in mipsel, the m68k buildd that picked kdebase is "fast").

I won't wait unless I get a notice.

> Of course, you may want to mail us just before the stable security
> update happens, in case we're ready to go then. Is there an ETA for it
> already?

It depends how fast packages are built on our 11 architectures and
if there are problems. For example, on i386 I just noticed:

Checking kdelibs3_2.2.2-13.woody.13_i386.deb against stable
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Files in second .deb but not in first
-------------------------------------
/usr/lib/libgmcop.la
/usr/lib/libgmcop.so
/usr/lib/libgmcop.so.0
/usr/lib/libgmcop.so.0.0.0

I have no idea where this library comes from.

Regards,

 Joey

--
There are lies, statistics and benchmarks.

Please always Cc to me when replying to me on the lists.

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Sun, 9 Jan 2005 01:22:56 +0100
From: Adeodato Simó <email address hidden>
To: <email address hidden>
Subject: setting package to kdelibs kdelibs kdelibs-bin kdelibs-data kdelibs4 kdelibs4-dev
 kdelibs4-doc ... ... ... ... ... ... ... ...

# Automatically generated email from bts, devscripts version 2.8.6
package kdelibs kdelibs kdelibs-bin kdelibs-data kdelibs4 kdelibs4-dev kdelibs4-doc
tags 263430 + pending
tags 285128 + pending
tags 286521 + pending
tags 287097 + pending
tags 287201 + pending
tags 287566 + pending
tags 288653 + pending
tags 289164 + pending

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Mon, 10 Jan 2005 10:40:48 -0700
From: <email address hidden> (Bob Proulx)
To: <email address hidden>, <email address hidden>
Subject: Re: [SECURITY] [DSA 631-1] New kdlibs packages fix arbitrary FTP command execution

> Package : kdelibs
> Debian Bug : 287201
> ...
> For the stable distribution (woody) this problem has been fixed in
> version 2.2.2-13.woody.13.

This fails to upgrade for me. It seems I don't have libarts
installed. This package introduces four new files and a change and
increase in dependencies to now include new libraries.

This breaks 'upgrade' semantics. It now requires a 'dist-upgrade'.
This surely was not intentional.

Here is what debdiff says.

  debdiff kdelibs3_2.2.2-13.woody.12_i386.deb kdelibs3_2.2.2-13.woody.13_i386.deb

  Files in second .deb but not in first
  -------------------------------------
  /usr/lib/libgmcop.la
  /usr/lib/libgmcop.so
  /usr/lib/libgmcop.so.0
  /usr/lib/libgmcop.so.0.0.0

  The following lines in the control files differ (wdiff output format):
  ----------------------------------------------------------------------
  Version: [-4:2.2.2-13.woody.12-] {+4:2.2.2-13.woody.13+}
  Depends: {+libarts (>= 4:2.2.2-1) | libarts-alsa (>= 4:2.2.2-1),+} libbz2-1.0, libc6 (>= 2.2.4-4), libfam0, {+libglib2.0-0 (>= 2.0.1),+} libjpeg62, libpcre3, libpng2(>=1.0.12), libqt2 (>= 3:2.3.1-1), libstdc++2.10-glibc2.2 (>= 1:2.95.4-0.010810), libtiff3g, libxml2 (>= 2.4.19-4), libxslt1 (>= 1.0.16), xlibs (>> 4.1.0), zlib1g (>= 1:1.1.4), kdelibs3-bin | kdelibs-bin, xbase-clients
  Installed-Size: [-23972-] {+24032+}

Should a new update with a correction be issued?

Bob

P.S. By the way, note the misspelled "kdlibs" in the subject.

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Sun, 16 Jan 2005 17:02:24 -0500
From: Debian Qt/KDE Maintainers <email address hidden>
To: <email address hidden>
Subject: Bug#285128: fixed in kdelibs 4:3.3.2-1

Source: kdelibs
Source-Version: 4:3.3.2-1

We believe that the bug you reported is fixed in the latest version of
kdelibs, which is due to be installed in the Debian FTP archive:

kdelibs-bin_3.3.2-1_i386.deb
  to pool/main/k/kdelibs/kdelibs-bin_3.3.2-1_i386.deb
kdelibs-data_3.3.2-1_all.deb
  to pool/main/k/kdelibs/kdelibs-data_3.3.2-1_all.deb
kdelibs4-dev_3.3.2-1_i386.deb
  to pool/main/k/kdelibs/kdelibs4-dev_3.3.2-1_i386.deb
kdelibs4-doc_3.3.2-1_all.deb
  to pool/main/k/kdelibs/kdelibs4-doc_3.3.2-1_all.deb
kdelibs4_3.3.2-1_i386.deb
  to pool/main/k/kdelibs/kdelibs4_3.3.2-1_i386.deb
kdelibs_3.3.2-1.diff.gz
  to pool/main/k/kdelibs/kdelibs_3.3.2-1.diff.gz
kdelibs_3.3.2-1.dsc
  to pool/main/k/kdelibs/kdelibs_3.3.2-1.dsc
kdelibs_3.3.2-1_all.deb
  to pool/main/k/kdelibs/kdelibs_3.3.2-1_all.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Debian Qt/KDE Maintainers <email address hidden> (supplier of updated kdelibs package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 16 Jan 2005 20:48:01 +0100
Source: kdelibs
Binary: kdelibs4 kdelibs-bin kdelibs kdelibs4-doc kdelibs-data kdelibs4-dev
Architecture: source i386 all
Version: 4:3.3.2-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Qt/KDE Maintainers <email address hidden>
Changed-By: Debian Qt/KDE Maintainers <email address hidden>
Description:
 kdelibs - KDE core libraries metapackage
 kdelibs-bin - KDE core binaries
 kdelibs-data - KDE core shared data
 kdelibs4 - KDE core libraries
 kdelibs4-dev - KDE core libraries (development files)
 kdelibs4-doc - KDE core library documentation
Closes: 263430 285128 286521 287097 287201 287566 288653 289164 290190 290191
Changes:
 kdelibs (4:3.3.2-1) unstable; urgency=medium
 .
   +++ Changes by Adeodato Simó:
 .
   * Uploading to unstable. This new upstream version fixes CAN-2004-1145,
     "Konqueror Java Vulnerability", and thus closes: #286521. Urgency set
     to medium for this reason (the package has been in experimental for some
     time, and has been checked to work properly with the rest of 3.3.1
     packages).
 .
   * debian/control:
     - make kdelibs-data replace kjscmd (<< 4:3.3.0), which was missed in the
       3.3.1-1 upload and completely forgotten since then. (Closes: #288653)
 .
   * debian/kdelibs-data.install: the files added in the previous upload were
     checked not to exist in oo.o-mimelnk in sid, but sadly they exist in the
     version in sarge. Reverted them for n...


Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Sun, 16 Jan 2005 17:02:25 -0500
From: Debian Qt/KDE Maintainers <email address hidden>
To: <email address hidden>
Subject: Bug#287201: fixed in kdelibs 4:3.3.2-1


Changed in kdelibs:
status: Unknown → Fix Released