Your message dated Sat, 06 Mar 2021 15:18:43 +0000
with message-id <e1liyhx-0001jw...@fasolo.debian.org>
and subject line Bug#984508: fixed in cpl-plugin-fors 5.5.6+dfsg-3
has caused the Debian Bug report #984508,
regarding cpl-plugin-amber-calibre: combined remote/local privilege escalation in maintainer script
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
984508: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984508
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: cpl-plugin-amber-calib
Version: 4.4.0+dfsg-2
Severity: grave
Tags: security
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>

The maintainer script of cpl-plugin-amber-calib has this code:

https://sources.debian.org/src/cpl-plugin-amber/4.4.0+dfsg-2/debian/cpl-plugin-calib.postinst.in/#L23
|       wget -O- ${URL} | \
|           tar xzO ${TAR} | \
|           tar xzC ${TARGETDIR} ${COMPONENTS} --strip-components=1

The URL is an unencrypted ftp:// URL. A malicious remote could easily
replace the requested archive and supply a different version. Such a
replacement could include a setuid root binary for instance. Once
installed, a local user can use it for a local privilege escalation.

I guess that this is not the only cpl plugin affected by this kind of
vulnerability.

Helmut

--- End Message ---
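The mitigation the fix adopted (a SHA sum check on the downloaded calibration file), as an added example that is not the package's own postinst: the archive goes to a temporary file, is verified against a digest pinned at package build time, and only then reaches tar. `CALIB_SHA256` and the function names are assumptions for illustration; streaming wget directly into tar, as in the reported script, leaves no point at which the content can be checked.

```shell
#!/bin/sh
# Added example, not from cpl-plugin-amber or cpl-plugin-fors. The expected
# digest is assumed to be pinned in the package at build time (CALIB_SHA256).
set -eu

# Print the SHA-256 hex digest of file $1.
sha256_of() {
    sha256sum "$1" | awk '{ print $1 }'
}

# Succeed only if file $1 hashes to the expected digest $2 (case-insensitive
# compare so a pinned uppercase digest does not produce a false mismatch).
verify_sha256() {
    actual=$(sha256_of "$1" | tr 'A-F' 'a-f')
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# Extract archive $1 into directory $2 only if it matches digest $3.
# On a mismatch nothing is written to $2 and the function fails.
verify_extract() {
    archive=$1; targetdir=$2; expected=$3
    if ! verify_sha256 "$archive" "$expected"; then
        echo "checksum mismatch for $archive, refusing to extract" >&2
        return 1
    fi
    tar -xzf "$archive" -C "$targetdir" --strip-components=1
}

# Fetch URL $1 to a temporary file, then verify and extract into $2 using
# digest $3. The temporary file is removed whether or not the check passes.
fetch_verify_extract() {
    url=$1; targetdir=$2; expected=$3
    tmp=$(mktemp)
    if ! wget -q -O "$tmp" "$url"; then
        rm -f "$tmp"
        return 1
    fi
    if verify_extract "$tmp" "$targetdir" "$expected"; then
        status=0
    else
        status=1
    fi
    rm -f "$tmp"
    return $status
}
```

In a postinst the pinned digest would be substituted into the script at build time, so a replaced archive fails the check before any file is written to the target directory.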
--- Begin Message ---
Source: cpl-plugin-fors
Source-Version: 5.5.6+dfsg-3
Done: Ole Streicher <oleb...@debian.org>

We believe that the bug you reported is fixed in the latest version of
cpl-plugin-fors, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 984...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ole Streicher <oleb...@debian.org> (supplier of updated cpl-plugin-fors package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 06 Mar 2021 15:33:07 +0100
Source: cpl-plugin-fors
Architecture: source
Version: 5.5.6+dfsg-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Astronomy Maintainers <debian-astro-maintain...@lists.alioth.debian.org>
Changed-By: Ole Streicher <oleb...@debian.org>
Closes: 984508
Changes:
 cpl-plugin-fors (5.5.6+dfsg-3) unstable; urgency=medium
 .
   * Check SHA sum for downloaded calibration file (Closes: #984508)


--- End Message ---