Your message dated Sat, 06 Mar 2021 17:03:25 +0000
with message-id <e1liakr-000efr...@fasolo.debian.org>
and subject line Bug#984508: fixed in cpl-plugin-vimos 4.1.1+dfsg-3
has caused the Debian Bug report #984508,
regarding cpl-plugin-amber-calib: combined remote/local privilege escalation
in maintainer script
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
984508: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984508
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: cpl-plugin-amber-calib
Version: 4.4.0+dfsg-2
Severity: grave
Tags: security
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>
The maintainer script of cpl-plugin-amber-calib has this code:
https://sources.debian.org/src/cpl-plugin-amber/4.4.0+dfsg-2/debian/cpl-plugin-calib.postinst.in/#L23
| wget -O- ${URL} | \
| tar xzO ${TAR} | \
| tar xzC ${TARGETDIR} ${COMPONENTS} --strip-components=1
The URL is an unencrypted ftp:// URL. A malicious remote could easily
replace the requested archive and supply a different version. Such a
replacement could include a setuid root binary for instance. Once
installed, a local user can use it for a local privilege escalation.
I guess that this is not the only cpl plugin affected by this kind of
vulnerability.
Helmut
--- End Message ---
--- Begin Message ---
Source: cpl-plugin-vimos
Source-Version: 4.1.1+dfsg-3
Done: Ole Streicher <oleb...@debian.org>
We believe that the bug you reported is fixed in the latest version of
cpl-plugin-vimos, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 984...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ole Streicher <oleb...@debian.org> (supplier of updated cpl-plugin-vimos
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 06 Mar 2021 17:37:41 +0100
Source: cpl-plugin-vimos
Architecture: source
Version: 4.1.1+dfsg-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Astronomy Maintainers
<debian-astro-maintain...@lists.alioth.debian.org>
Changed-By: Ole Streicher <oleb...@debian.org>
Closes: 984508
Changes:
cpl-plugin-vimos (4.1.1+dfsg-3) unstable; urgency=medium
.
* Check SHA sum for downloaded calibration file (Closes: #984508)
Checksums-Sha1:
f46f6a0bf8f814018d8887d2274cd3a5099acf4c 2447 cpl-plugin-vimos_4.1.1+dfsg-3.dsc
649c3f1cb39c2f0e73fc3aa85ee28515929d1815 11584
cpl-plugin-vimos_4.1.1+dfsg-3.debian.tar.xz
Checksums-Sha256:
4a0d09a34c15ca7b770390d9d8989358e8f9d39c162aecc1ea0aa018088e7a36 2447
cpl-plugin-vimos_4.1.1+dfsg-3.dsc
ce5c84f7adb1663f89dfb6d4d5722d17c50606fb9d1a9eca84337777ce44dfcf 11584
cpl-plugin-vimos_4.1.1+dfsg-3.debian.tar.xz
Files:
215a36194620fcc90196dbfae6b153e2 2447 science optional
cpl-plugin-vimos_4.1.1+dfsg-3.dsc
ef51c6c5b4ccb07b4d1bc97a9282d1cf 11584 science optional
cpl-plugin-vimos_4.1.1+dfsg-3.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
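The report above shows the unsafe pattern (an unauthenticated ftp:// download piped straight into tar as root) and the changelog entry records the fix, "Check SHA sum for downloaded calibration file". The script below is an added illustration of that fix, written for this page; it is not the cpl-plugin maintainer script or any code from the Debian package. It assumes GNU tar, coreutils sha256sum and mktemp, and wget for real URLs; the file:// branch in download() and all function names are inventions for offline use. The essential points it demonstrates: the archive is fetched to a temporary file rather than streamed into tar, so nothing is unpacked until the whole file has been checked; the expected SHA-256 is a value pinned in the package, not something fetched from the same untrusted server; and even a verified archive is extracted with --no-same-owner --no-same-permissions, so ownership and setuid/setgid bits from the archive are not applied verbatim when the postinst runs as root.

```shell
#!/bin/sh
# Added example, not the cpl-plugin maintainer script.
# Fetch a calibration archive, verify a pinned SHA-256, then unpack.
set -eu

# download URL DEST: fetch URL into DEST.
# file:// URLs are copied locally (assumption, so this runs offline);
# everything else goes through wget.
download() {
    url=$1; dest=$2
    case $url in
        file://*) cp -- "${url#file://}" "$dest" ;;
        *)        wget -q -O "$dest" -- "$url" ;;
    esac
}

# sha256_matches FILE EXPECTED: 0 if FILE hashes to EXPECTED, else 1.
sha256_matches() {
    actual=$(sha256sum -- "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# install_calib URL EXPECTED_SHA256 TARGETDIR
# EXPECTED_SHA256 must be pinned in the package (e.g. substituted into
# the postinst at build time), never downloaded alongside the archive.
# Returns 0 and populates TARGETDIR on success; on any failure the
# download is discarded, TARGETDIR is left untouched and 1 is returned.
install_calib() {
    url=$1; expected=$2; targetdir=$3
    tmp=$(mktemp)

    # Download to a file first: the original "wget | tar" pipeline starts
    # writing into TARGETDIR before the archive is complete or checked.
    if ! download "$url" "$tmp"; then
        rm -f "$tmp"; return 1
    fi
    if ! sha256_matches "$tmp" "$expected"; then
        echo "checksum mismatch for $url, refusing to unpack" >&2
        rm -f "$tmp"; return 1
    fi

    mkdir -p -- "$targetdir" || { rm -f "$tmp"; return 1; }
    # Unpack as an unprivileged user would: ignore owner/group recorded
    # in the archive and pass mode bits through the umask instead of
    # applying them as stored (root would otherwise preserve them).
    if ! tar -xzf "$tmp" -C "$targetdir" --strip-components=1 \
            --no-same-owner --no-same-permissions; then
        rm -f "$tmp"; return 1
    fi
    rm -f "$tmp"
}
```

Usage in a postinst would be `install_calib "$URL" "$PINNED_SHA256" "$TARGETDIR" || exit 1`. Note that the hash check gives integrity, not freshness: an attacker controlling the ftp server can still serve the old, correctly-hashed archive, but can no longer substitute a different one. Where the upstream server offers HTTPS, using it in addition to the pinned hash is cheap.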