Mailing List Archive

"allow_insecure_tainted_data = yes" - was: tainted data issues
Hi,

finally a follow-up.

> In one word "upvote".
>
> I am all for improved security but a single "step change" that breaks
> existing configurations is IMHO going too far.
>
>     taint_mode = off | warn | enforce

.ifdef _OPT_MAIN_ALLOW_INSECURE_TAINTED_DATA
allow_insecure_tainted_data = yes
.endif

The EDITME contains a new build time option
"ALLOW_INSECURE_TAINTED_DATA", currently enabled. Using this build time
option provides a new runtime option "allow_insecure_tainted_data", which
turns taint errors into warnings (and spams your log file). If you do
not want the warnings logged, you can use the "tainted" log selector to
switch off the warnings.

The "allow_insecure_tainted_data" is deprecated already today and future
versions of Exim (no schedule yet) will ignore this option. It's purely
meant as mitigation during upgrades.

I hope we can introduce this mitigation into 4.94+fixes and into the
upcoming 4.95. But we need testing.

For now I'm doing the work on my own but public Exim repos:

- https://gitea.schlittermann.de/HeikoSchlittermann/exim/src/branch/exim-4.94+fixes+taintwarn
- https://git.exim.org/users/heiko/exim.git/shortlog/refs/heads/exim-4.94+fixes+taintwarn

But as soon as the work stabilizes, it will be merged into the upstream
source. (For now, please expect changes in the commit history!)

Currently I'm running this on production systems without any issues so
far. You're invited to do tests in your systems too.


(The above mentioned branch is cherry-picked and squashed from the
"hs/wip/taintwarn" branch, which is based on the current master.

- https://gitea.schlittermann.de/HeikoSchlittermann/exim/src/branch/hs/wip/taintwarn
- https://git.exim.org/users/heiko/exim.git/shortlog/refs/heads/hs/wip/taintwarn

Same here, please expect rewrites of the Git history, as long as I'm
working on it.)

Suggestions, questions, remarks are welcome.

Best regards from Dresden/Germany
Kind regards from Dresden
Heiko Schlittermann
--
SCHLITTERMANN.de ---------------------------- internet & unix support -
Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
gnupg encrypted messages are welcome --------------- key ID: F69376CE -
Re: "allow_insecure_tainted_data = yes" - was: tainted data issues
On 2021-04-06 Heiko Schlittermann via Exim-users <exim-users@exim.org> wrote:
[...]
> .ifdef _OPT_MAIN_ALLOW_INSECURE_TAINTED_DATA
> allow_insecure_tainted_data = yes
> .endif
[...]
> But as soon as the work stabilizes, it will be merged into the upstream
> source. (For now, please expect changes in the commit history!)
[...]
> Suggestions, questions, remarks are welcome.

Thank you Heiko!

I plan to add this to the next Debian release but without "taintwarn:
set allow_insecure_data = true for 4.94+fixes". - I think it will work
out better if we have a big fat warning

| Consider this a major exim release, almost all customized configurations
| will require changes ...

and a note on how to *temporarily* work around this by setting
allow_insecure_tainted_data in advance.

If I do not do this I expect a neverending list of reports about either
spammed logfile or breakage reports on 4.95.

cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: "allow_insecure_tainted_data = yes" - was: tainted data issues
On 2021-04-06 Heiko Schlittermann via Exim-users <exim-users@exim.org> wrote:
[...]
> .ifdef _OPT_MAIN_ALLOW_INSECURE_TAINTED_DATA
> allow_insecure_tainted_data = yes
> .endif
[...]
> Suggestions, questions, remarks are welcome.

Nitpicks:
* The changes to doc/NewStuff should not be on +fixes.
* typos in spec.xftp: s/acessing/accessing/

cu Andreas

Re: "allow_insecure_tainted_data = yes" - was: tainted data issues
Andreas Metzler via Exim-users <exim-users@exim.org> (Sat 10 Apr 2021 18:06:05 CEST):
> On 2021-04-06 Heiko Schlittermann via Exim-users <exim-users@exim.org> wrote:
> [...]
> > .ifdef _OPT_MAIN_ALLOW_INSECURE_TAINTED_DATA
> > allow_insecure_tainted_data = yes
> > .endif
> [...]
> > Suggestions, questions, remarks are welcome.
>
> Nitpicks:
> * The changes to doc/NewStuff should not be on +fixes.
> * typos in spec.xftp: s/acessing/accessing/

Ok, I'll fix that, thank you.

--
Heiko
Re: "allow_insecure_tainted_data = yes" - was: tainted data issues
Andreas Metzler via Exim-users <exim-users@exim.org> (Sat 10 Apr 2021 17:37:56 CEST):
> On 2021-04-06 Heiko Schlittermann via Exim-users <exim-users@exim.org> wrote:
> [...]
> > .ifdef _OPT_MAIN_ALLOW_INSECURE_TAINTED_DATA
> > allow_insecure_tainted_data = yes
> > .endif
> [...]
> > But as soon as the work stabilizes, it will be merged into the upstream
> > source. (For now, please expect changes in the commit history!)
> [...]
> > Suggestions, questions, remarks are welcome.
>
> Thank you Heiko!
>
> I plan to add this to the next Debian release but without "taintwarn:
> set allow_insecure_data = true for 4.94+fixes". - I think it will work
> out better if we have a big fat warning

It would be good if we find more testers.
Anybody out there?

Best regards from Dresden/Germany
Kind regards from Dresden
Heiko Schlittermann
Re: "allow_insecure_tainted_data = yes" - was: tainted data issues
On 2021-04-06 Heiko Schlittermann via Exim-users <exim-users@exim.org> wrote:
[...]
> .ifdef _OPT_MAIN_ALLOW_INSECURE_TAINTED_DATA
> allow_insecure_tainted_data = yes
> .endif

Hello,

I just did a test build on the fixes branch, added the
allow_insecure_tainted_data setting and changed the mail_spool
transport:
- file = /var/mail/$local_part_data
+ file = /var/mail/$local_part

Success was limited though. Without the patch the message delivery is
deferred. With the patch the message is frozen for
"allow_insecure_tainted_data = yes" (log file excerpt below).

==> /var/log/exim4/mainlog <==
2021-04-11 08:26:08 1lVTXs-000F7W-0D <= ametzler@bebt.de H=localhost (argenau.bebt.de) [::1] P=esmtp S=476 id=20210411082607.058125@argenau.bebt.de
2021-04-11 08:26:08 1lVTXs-000F7W-0D failed to read delivery status for ametzler@localhost from delivery subprocess

Debug log:
08:26:08 58128 R: local_user for ametzler@localhost
08:26:08 58128 calling local_user router
08:26:08 58128 local_user router called for ametzler@localhost
08:26:08 58128 domain = localhost
08:26:08 58128 set transport mail_spool
08:26:08 58128 queued for mail_spool transport: local_part = ametzler
08:26:08 58128 domain = localhost
08:26:08 58128 errors_to=NULL
08:26:08 58128 domain_data=localhost local_part_data=ametzler
08:26:08 58128 routed by local_user router
08:26:08 58128 envelope to: ametzler@localhost
08:26:08 58128 transport: mail_spool
08:26:08 58128 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
08:26:08 58128 After routing:
08:26:08 58128 Local deliveries:
08:26:08 58128 ametzler@localhost
08:26:08 58128 Remote deliveries:
08:26:08 58128 Failed addresses:
08:26:08 58128 Deferred addresses:
08:26:08 58128 search_tidyup called
08:26:08 58128 >>>>>>>>>>>>>>>> Local deliveries >>>>>>>>>>>>>>>>
08:26:08 58128 --------> ametzler@localhost <--------
08:26:08 58128 locking /var/spool/exim4/db/retry.lockfile
08:26:08 58128 locked /var/spool/exim4/db/retry.lockfile
08:26:08 58128 EXIM_DBOPEN: file </var/spool/exim4/db/retry> dir </var/spool/exim4/db> flags=O_RDONLY
08:26:08 58128 returned from EXIM_DBOPEN: 0x55693f0b8380
08:26:08 58128 opened hints database /var/spool/exim4/db/retry: flags=O_RDONLY
08:26:08 58128 dbfn_read: key=T:ametzler@localhost
08:26:08 58128 retry record exists: age=5m11s (max 1w)
08:26:08 58128 time to retry = 9m49s expired = 0
08:26:08 58128 EXIM_DBCLOSE(0x55693f0b8380)
08:26:08 58128 closed hints database and lockfile
08:26:08 58128 search_tidyup called
08:26:08 58128 daemon-accept-delivery forking for delivery-local
08:26:08 58128 daemon-accept-delivery forked for delivery-local: 58130
08:26:08 58130 postfork: delivery-local
08:26:08 58130 changed uid/gid: local delivery to ametzler <ametzler@localhost> transport=mail_spool
08:26:08 58130 uid=1001 gid=8 pid=58130
08:26:08 58130 auxiliary group list: <none>
08:26:08 58130 home=/home/ametzler current=/home/ametzler
08:26:08 58130 set_process_info: 58130 delivering 1lVTXs-000F7W-0D to ametzler using mail_spool
08:26:08 58130 ?considering: T: appendfile for $local_part@$domain
08:26:08 58130 ???expanding: T: appendfile for $local_part@$domain
08:26:08 58130 ??????result: T: appendfile for ametzler@localhost
08:26:08 58130 ???(tainted)
08:26:08 58130 T: appendfile for ametzler@localhost
08:26:08 58130 appendfile transport entered
08:26:08 58130 ?considering: /var/mail/$local_part
08:26:08 58130 ???expanding: /var/mail/$local_part
08:26:08 58130 ??????result: /var/mail/ametzler
08:26:08 58130 ???(tainted)
08:26:08 58130 LOG: MAIN
08:26:08 58130 Warning: Tainted '/var/mail/ametzler' (file or directory name for mail_spool transport) not permitted
2021-04-11 08:26:08 1lVTXs-000F7W-0D Warning: Tainted '/var/mail/ametzler' (file or directory name for mail_spool transport) not permitted
08:26:08 58130 appendfile: mode=660 notify_comsat=0 quota=0 warning=0
08:26:08 58130 file=/var/mail/ametzler format=unix
08:26:08 58130 message_prefix=From ${if def:return_path{$return_path}{MAILER-DAEMON}} ${tod_bsdinbox}\n
08:26:08 58130 message_suffix=\n
08:26:08 58130 maildir_use_size_file=no
08:26:08 58130 locking by lockfile fcntl
08:26:08 58130 lock name: /var/mail/ametzler.lock
08:26:08 58130 hitch name: /var/mail/ametzler.lock.argenau.bebt.de.60729680.0000e312
08:26:08 58130 LOG: MAIN
08:26:08 58130 Warning: Tainted filename '/var/mail/ametzler.lock.argenau.bebt.de.60729680.0000e312'
08:26:08 58128 LOG: MAIN PANIC
08:26:08 58128 failed to read delivery status for ametzler@localhost from delivery subprocess
08:26:08 58128 LOG: MAIN PANIC
08:26:08 58128 appendfile transport process returned non-zero status 0x0100: exit code 1
08:26:08 58128 mail_spool transport returned DEFER for ametzler@localhost
08:26:08 58128 added retry item for T:ametzler@localhost: errno=-1 more_errno=0 flags=0
08:26:08 58128 post-process ametzler@localhost (1)
08:26:08 58128 LOG: MAIN
08:26:08 58128 == ametzler@localhost R=local_user T=mail_spool defer (-1)

BTW the build-log with patch is very noisy:
-------------------
cc -c -g -O2 -ffile-prefix-map=/dev/shm/EXIM4/exim-4.94=. -fstack-protector-strong -Wformat -Werror=format-security -D_LARGEFILE_SOURCE -fno-strict-aliasing -Wall -Wdate-time -D_FORTIFY_SOURCE=2 -fvisibility=hidden -DCOMPILE_UTILITY -o util-spool_in.o spool_in.c
In file included from exim.h:486,
from spool_in.c:13:
functions.h: In function 'is_tainted2':
functions.h:1098:80: warning: pointer targets in passing argument 6 of 'string_vformat_trc' differ in signedness [-Wpointer-sign]
1098 | msg = string_from_gstring(string_vformat(NULL, SVFMT_TAINT_NOCHK|SVFMT_EXTEND, fmt, ap));
| ^~~
| |
| const uschar * {aka const unsigned char *}
functions.h:550:39: note: in definition of macro 'string_vformat'
550 | STRING_SPRINTF_BUFFER_SIZE, flgs, fmt, ap)
| ^~~
functions.h:552:24: note: expected 'const char *' but argument is of type 'const uschar *' {aka 'const unsigned char *'}
552 | unsigned, unsigned, const char *, va_list);
| ^~~~~~~~~~~~
functions.h: In function 'exim_open2':
functions.h:1119:48: warning: pointer targets in passing argument 3 of 'is_tainted2' differ in signedness [-Wpointer-sign]
1119 | if (!is_tainted2(pathname, LOG_MAIN|LOG_PANIC, "Tainted filename '%s'", pathname))
| ^~~~~~~~~~~~~~~~~~~~~~~
| |
| char *
functions.h:1087:54: note: expected 'const uschar *' {aka 'const unsigned char *'} but argument is of type 'char *'
1087 | is_tainted2(const void *p, int lflags, const uschar* fmt, ...)
| ~~~~~~~~~~~~~~^~~
functions.h: In function 'exim_open':
functions.h:1128:48: warning: pointer targets in passing argument 3 of 'is_tainted2' differ in signedness [-Wpointer-sign]
1128 | if (!is_tainted2(pathname, LOG_MAIN|LOG_PANIC, "Tainted filename '%s'", pathname))
| ^~~~~~~~~~~~~~~~~~~~~~~
| |
| char *
functions.h:1087:54: note: expected 'const uschar *' {aka 'const unsigned char *'} but argument is of type 'char *'
1087 | is_tainted2(const void *p, int lflags, const uschar* fmt, ...)
| ~~~~~~~~~~~~~~^~~
functions.h: In function 'exim_openat':
functions.h:1137:48: warning: pointer targets in passing argument 3 of 'is_tainted2' differ in signedness [-Wpointer-sign]
1137 | if (!is_tainted2(pathname, LOG_MAIN|LOG_PANIC, "Tainted filename '%s'", pathname))
| ^~~~~~~~~~~~~~~~~~~~~~~
| |
| char *
functions.h:1087:54: note: expected 'const uschar *' {aka 'const unsigned char *'} but argument is of type 'char *'
1087 | is_tainted2(const void *p, int lflags, const uschar* fmt, ...)
| ~~~~~~~~~~~~~~^~~
functions.h:1136:9: warning: unused variable 'msg' [-Wunused-variable]
1136 | uschar *msg;
| ^~~
functions.h: In function 'exim_openat4':
functions.h:1145:48: warning: pointer targets in passing argument 3 of 'is_tainted2' differ in signedness [-Wpointer-sign]
1145 | if (!is_tainted2(pathname, LOG_MAIN|LOG_PANIC, "Tainted filename '%s'", pathname))
| ^~~~~~~~~~~~~~~~~~~~~~~
| |
| char *
functions.h:1087:54: note: expected 'const uschar *' {aka 'const unsigned char *'} but argument is of type 'char *'
1087 | is_tainted2(const void *p, int lflags, const uschar* fmt, ...)
| ~~~~~~~~~~~~~~^~~
functions.h: In function 'exim_fopen':
functions.h:1154:48: warning: pointer targets in passing argument 3 of 'is_tainted2' differ in signedness [-Wpointer-sign]
1154 | if (!is_tainted2(pathname, LOG_MAIN|LOG_PANIC, "Tainted filename '%s'", pathname))
| ^~~~~~~~~~~~~~~~~~~~~~~
| |
| char *
functions.h:1087:54: note: expected 'const uschar *' {aka 'const unsigned char *'} but argument is of type 'char *'
1087 | is_tainted2(const void *p, int lflags, const uschar* fmt, ...)
| ~~~~~~~~~~~~~~^~~
functions.h: In function 'exim_opendir':
functions.h:1163:44: warning: pointer targets in passing argument 3 of 'is_tainted2' differ in signedness [-Wpointer-sign]
1163 | if (!is_tainted2(name, LOG_MAIN|LOG_PANIC, "Tainted dirname '%s'", name))
| ^~~~~~~~~~~~~~~~~~~~~~
| |
| char *
functions.h:1087:54: note: expected 'const uschar *' {aka 'const unsigned char *'} but argument is of type 'char *'
1087 | is_tainted2(const void *p, int lflags, const uschar* fmt, ...)
| ~~~~~~~~~~~~~~^~~
-------------------

cu Andreas

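An added example, not part of the thread or of Exim: because allow_insecure_tainted_data only downgrades taint errors to warnings and is meant as a mitigation during upgrades, the warnings in the mainlog are the inventory of configuration lines that still need detainting. The Python below groups them by the context Exim prints in parentheses; the regular expression covers only the warning wording quoted in this thread, and the sample lines and the names audit and summarize are constructed for the example.

```python
import re
from collections import defaultdict

# Mainlog prefix: timestamp, optional "[pid]" (log_selector = +pid),
# optional message id. Only the warning shapes quoted in this thread
# are matched; other Exim versions may word them differently.
TAINT = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d"
    r"(?: \[\d+\])?"
    r"(?: (?P<msgid>[0-9A-Za-z]+-[0-9A-Za-z]+-[0-9A-Za-z]+))?"
    r" Warning: Tainted (?:(?P<kind>filename|dirname) )?'(?P<value>[^']*)'"
    r"(?: \((?P<context>[^)]*)\))?"
)

# Constructed sample lines in the shape of the mainlog excerpt above.
SAMPLE_LOG = """\
2021-04-11 08:26:08 1lVTXs-000F7W-0D <= alice@example.org H=localhost [::1] P=esmtp S=476
2021-04-11 08:26:08 1lVTXs-000F7W-0D Warning: Tainted '/var/mail/alice' (file or directory name for mail_spool transport) not permitted
2021-04-11 08:26:08 1lVTXs-000F7W-0D Warning: Tainted filename '/var/mail/alice.lock.mx.example.org.60729680.0000e312'
2021-04-11 08:31:40 [58211] 1lVTdE-000F8q-1x Warning: Tainted '/var/mail/bob' (file or directory name for mail_spool transport) not permitted
2021-04-11 08:31:41 [58211] 1lVTdE-000F8q-1x => bob <bob@localhost> R=local_user T=mail_spool
""".splitlines()


def audit(lines, max_examples=3):
    """Group taint warnings by the context Exim names in the message.

    Warnings without a parenthesised context (the open/opendir checks)
    are keyed as "filename check" / "dirname check".
    """
    report = defaultdict(lambda: {"count": 0, "messages": set(), "examples": []})
    for line in lines:
        m = TAINT.match(line)
        if not m:
            continue
        key = m["context"] or f"{m['kind'] or 'unspecified'} check"
        entry = report[key]
        entry["count"] += 1
        if m["msgid"]:
            entry["messages"].add(m["msgid"])
        if m["value"] not in entry["examples"] and len(entry["examples"]) < max_examples:
            entry["examples"].append(m["value"])
    return dict(report)


def summarize(report):
    """One line per context, most frequent first."""
    rows = sorted(report.items(), key=lambda kv: (-kv[1]["count"], kv[0]))
    return [
        f"{e['count']:>4} warning(s), {len(e['messages'])} message(s): {ctx}"
        f"  e.g. {', '.join(e['examples'])}"
        for ctx, e in rows
    ]


if __name__ == "__main__":
    for row in summarize(audit(SAMPLE_LOG)):
        print(row)
```

The context string names the transport and option to fix (here the file setting of mail_spool). The audit only works while the warnings are still being logged, so run it before switching them off with the "tainted" log selector.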
Re: "allow_insecure_tainted_data = yes" - was: tainted data issues
Hi Andreas,

which commit ID is your build based on? I'd like to reproduce it
locally.

Andreas Metzler via Exim-users <exim-users@exim.org> (Sun 11 Apr 2021 08:51:48 CEST):
> On 2021-04-06 Heiko Schlittermann via Exim-users <exim-users@exim.org> wrote:
> [...]
> > .ifdef _OPT_MAIN_ALLOW_INSECURE_TAINTED_DATA
> > allow_insecure_tainted_data = yes
> > .endif
>
> Hello,
>
> I just did a test build on the fixes branch, added the
> allow_insecure_tainted_data setting and changed the mail_spool
> transport:
> - file = /var/mail/$local_part_data
> + file = /var/mail/$local_part
>
> Success was limited though. Without the patch the message delivery is
> deferred. With the patch the message is frozen for
> "allow_insecure_tainted_data = yes" (log file excerpt below).
>
> ==> /var/log/exim4/mainlog <==
> 2021-04-11 08:26:08 1lVTXs-000F7W-0D <= ametzler@bebt.de H=localhost (argenau.bebt.de) [::1] P=esmtp S=476 id=20210411082607.058125@argenau.bebt.de
> 2021-04-11 08:26:08 1lVTXs-000F7W-0D failed to read delivery status for ametzler@localhost from delivery subprocess
>
> Debug log:

> 08:26:08 58130 ???(tainted)
> 08:26:08 58130 LOG: MAIN
> 08:26:08 58130 Warning: Tainted '/var/mail/ametzler' (file or directory name for mail_spool transport) not permitted
> 2021-04-11 08:26:08 1lVTXs-000F7W-0D Warning: Tainted '/var/mail/ametzler' (file or directory name for mail_spool transport) not permitted

> 08:26:08 58130 lock name: /var/mail/ametzler.lock
> 08:26:08 58130 hitch name: /var/mail/ametzler.lock.argenau.bebt.de.60729680.0000e312
> 08:26:08 58130 LOG: MAIN
> 08:26:08 58130 Warning: Tainted filename '/var/mail/ametzler.lock.argenau.bebt.de.60729680.0000e312'

> 08:26:08 58128 LOG: MAIN PANIC
> 08:26:08 58128 failed to read delivery status for ametzler@localhost from delivery subprocess

Is there any indication that the child (delivery process) crashed?

> BTW the build-log with patch is very noisy:
> -------------------
> cc -c -g -O2 -ffile-prefix-map=/dev/shm/EXIM4/exim-4.94=. -fstack-protector-strong -Wformat -Werror=format-security -D_LARGEFILE_SOURCE -fno-strict-aliasing -Wall -Wdate-time -D_FORTIFY_SOURCE=2 -fvisibility=hidden -DCOMPILE_UTILITY -o util-spool_in.o spool_in.c
> In file included from exim.h:486,

I'll check that noise. Thx.

--
Heiko
Re: "allow_insecure_tainted_data = yes" - was: tainted data issues
Heiko Schlittermann via Exim-users <exim-users@exim.org> (Sun 11 Apr 2021 09:08:10 CEST):
> Hi Andreas,
>
> which commit ID is your build based on? I'd like to reproduce it
> locally.

I can reproduce it using a minimal config, going to check it now.
(The version I'm running on production systems doesn't do local
delivery.)

allow_insecure_tainted_data = yes

log_selector = +pid
acl_smtp_rcpt = accept

begin routers

accept:
driver = accept
check_local_user
transport = local

begin transports

local:
driver = appendfile
group = mail
file = /opt/exim/spool/mail/$local_part

--
Heiko
Re: "allow_insecure_tainted_data = yes" - was: tainted data issues
Hi Andreas,

the problem isn't caused by the new allow_insecure_tainted_data, but
these warnings trigger the issue.

We're in the process of fixing it.

--
Heiko
Re: "allow_insecure_tainted_data = yes" - was: tainted data issues
Hi Andreas,

I believe the issue is fixed now. I'd be happy if you **or anybody
else** can give it a try. To avoid cluttering the official Exim repo,
this branch is still only in my private but public repositories:

https://git.exim.org/users/heiko/exim.git/shortlog/refs/heads/exim-4.94+fixes+taintwarn
https://gitea.schlittermann.de/heiko/exim/src/branch/exim-4.94+fixes+taintwarn

Best regards from Dresden/Germany
Kind regards from Dresden
Heiko Schlittermann
Re: "allow_insecure_tainted_data = yes" - was: tainted data issues
On 2021-04-24 Heiko Schlittermann <hs@schlittermann.de> wrote:
> I believe the issue is fixed now. I'd be happy if you **or anybody
> else** can give it a try. To avoid cluttering the official Exim repo,
> this branch is still only in my private but public repositories:
[...]

Good morning Heiko,

thank you. Will upload to Debian/experimental.

Compiler throws two new warnings:

appendfile.c: In function 'appendfile_transport_setup':
appendfile.c:238:1: warning: implicit declaration of function 'open_logs'; did you mean 'openlogs'? [-Wimplicit-function-declaration]
238 | open_logs("appendfile");
| ^~~~~~~~~
| openlogs

I guess

void
-openlogs();
+open_logs(const char *m);
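Review bot: the '-openlogs();' line replaces the existing prototype instead of adding one for 'open_logs', so any remaining caller of 'openlogs' would be left without a declaration and raise the same implicit-declaration warning. The compiler hint "did you mean 'openlogs'?" shows that name is currently declared; either add the 'open_logs(const char *m);' prototype next to it, or confirm that the definition and every caller were renamed in the same change. The new prototype's parameter list also has to match the definition of 'open_logs' exactly.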

is the proper fix?


log.c: In function 'set_file_path':
log.c:654:45: warning: pointer type mismatch in conditional expression
654 | uschar *ss = *log_file_path ? log_file_path : LOG_FILE_PATH;
| ^
In file included from exim.h:486,
from log.c:13:
log.c:657:31: warning: passing argument 1 of 'string_nextinlist_trc' from incompatible pointer type [-Wincompatible-pointer-types]
657 | while ((s = string_nextinlist(&ss, &sep, log_buffer, LOG_BUFFER_SIZE)))
functions.h:560:25: note: in definition of macro 'string_nextinlist'
560 | string_nextinlist_trc((lp), (sp), (b), (l), US __FUNCTION__, __LINE__)
| ^~
functions.h:561:53: note: expected 'const uschar **' {aka 'const unsigned char **'} but argument is of type 'uschar **' {aka 'unsigned char **'}
561 | extern uschar *string_nextinlist_trc(const uschar **listptr, int *separator, uschar *buffer, int buflen,
| ~~~~~~~~~~~~~~~^~~~~~~

cu Andreas

Re: "allow_insecure_tainted_data = yes" - was: tainted data issues
On 2021-04-25 Andreas Metzler <eximusers@bebt.de> wrote:
> On 2021-04-24 Heiko Schlittermann <hs@schlittermann.de> wrote:
> > I believe the issue is fixed now. I'd be happy if you **or anybody
> > else** can give it a try. To avoid cluttering the official Exim repo,
> > this branch is still only in my private but public repositories:
> [...]

> Good morning Heiko,

> thank you. Will upload to Debian/experimental.
[...]

Hello,

I forgot to confirm that the updated patchset fixes the error I had
reported. ;-)

cu Andreas

--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'

Re: "allow_insecure_tainted_data = yes" - was: tainted data issues
Thank you for spending your time :)

Andreas Metzler via Exim-users <exim-users@exim.org> (Sun 25 Apr 2021 08:12:58 CEST):
> void
> -openlogs();
> +open_logs(const char *m);
> is the proper fix?

It is one possible fix. But the char* isn't used anymore (was there for
debugging). I updated the branch.

> log.c: In function 'set_file_path':
> log.c:654:45: warning: pointer type mismatch in conditional expression
> 654 | uschar *ss = *log_file_path ? log_file_path : LOG_FILE_PATH;

Same here. Fixed.

> In file included from exim.h:486,
> from log.c:13:
> log.c:657:31: warning: passing argument 1 of 'string_nextinlist_trc' from incompatible pointer type [-Wincompatible-pointer-types]
> 657 | while ((s = string_nextinlist(&ss, &sep, log_buffer, LOG_BUFFER_SIZE)))
> functions.h:560:25: note: in definition of macro 'string_nextinlist'
> 560 | string_nextinlist_trc((lp), (sp), (b), (l), US __FUNCTION__, __LINE__)

ditto.
And finally I set my compiler options to be about the same as yours.

--
Heiko
Re: "allow_insecure_tainted_data = yes" - was: tainted data issues
On Tue, 6 Apr 2021, Heiko Schlittermann via Exim-users wrote:

> "ALLOW_INSECURE_TAINTED_DATA", currently enabled. Using this build time
> option provides a new runtime option "allow_insecure_tainted_data", which
> turns taint errors into warnings (and spams your log file).

[...]

> Currently I'm running this on production systems without any issues so
> far. You're invited to do tests in your systems too.

Trying this version, with allow_insecure_tainted_data set, then this:

testlist:
driver = redirect
data = :include:/some/where/${local_part}

fails with error:

LOG: MAIN PANIC DIE
Taint mismatch, Ustrncpy: parse_forward_list 1393

It looks like the :include: might be the issue.

Not a problem here as I've now detainted this, but thought to report back.

Cheers

Chris

Re: "allow_insecure_tainted_data = yes" - was: tainted data issues
Chris Edwards via Exim-users <exim-users@exim.org> (Sat 08 May 2021 13:15:45 CEST):
> On Tue, 6 Apr 2021, Heiko Schlittermann via Exim-users wrote:
>
> > Currently I'm running this on production systems without any issues so
> > far. You're invited to do tests in your systems too.
>
> Trying this version, with allow_insecure_tainted_data set, then this:
>
> testlist:
> driver = redirect
> data = :include:/some/where/${local_part}
>
> fails with error:
>
> LOG: MAIN PANIC DIE
> Taint mismatch, Ustrncpy: parse_forward_list 1393
>
> It looks like the :include: might be the issue.
>
> Not a problem here as I've now detainted this, but thought to report back.

Thanks, I'll try to reproduce it, and fix it.

--
Heiko