Your message dated Sat, 06 Mar 2021 17:03:30 +0000
with message-id <e1liakw-000eg1...@fasolo.debian.org>
and subject line Bug#984508: fixed in cpl-plugin-xshoo 3.5.0+dfsg-3
has caused the Debian Bug report #984508,
regarding cpl-plugin-amber-calibre: combined remote/local privilege escalation
in maintainer script
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
984508: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984508
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: cpl-plugin-amber-calib
Version: 4.4.0+dfsg-2
Severity: grave
Tags: security
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>
The maintainer script of cpl-plugin-amber-calib has this code:
https://sources.debian.org/src/cpl-plugin-amber/4.4.0+dfsg-2/debian/cpl-plugin-calib.postinst.in/#L23
| wget -O- ${URL} | \
| tar xzO ${TAR} | \
| tar xzC ${TARGETDIR} ${COMPONENTS} --strip-components=1
The URL is an unencrypted ftp:// URL. A malicious remote could easily
replace the requested archive and supply a different version. Such a
replacement could include a setuid root binary for instance. Once
installed, a local user can use it for a local privilege escalation.
I guess that this is not the only cpl plugin affected by this kind of
vulnerability.
Helmut
--- End Message ---
--- Begin Message ---
Source: cpl-plugin-xshoo
Source-Version: 3.5.0+dfsg-3
Done: Ole Streicher <oleb...@debian.org>
We believe that the bug you reported is fixed in the latest version of
cpl-plugin-xshoo, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 984...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ole Streicher <oleb...@debian.org> (supplier of updated cpl-plugin-xshoo
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Sat, 06 Mar 2021 17:49:45 +0100
Source: cpl-plugin-xshoo
Architecture: source
Version: 3.5.0+dfsg-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Astronomy Maintainers <debian-astro-maintain...@lists.alioth.debian.org>
Changed-By: Ole Streicher <oleb...@debian.org>
Closes: 984508
Changes:
cpl-plugin-xshoo (3.5.0+dfsg-3) unstable; urgency=medium
.
* Check SHA sum for downloaded calibration file (Closes: #984508)
--- End Message ---
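The pattern Helmut's report describes (wget piped straight into tar from an unauthenticated ftp:// URL) and the "check SHA sum" mitigation named in the changelog, as an added shell example that is not the cpl-plugin packaging's own postinst. The archive layout, digest values and directories are constructed for the example; the expected digest is assumed to be pinned by the packaging at build time.

```shell
#!/bin/sh
# Added example, not the Debian package's own maintainer script: download a
# calibration archive to a file, verify a pinned SHA-256 digest, and only
# then hand it to tar. The URL, digest and target directory are assumptions.
set -e

# Print the SHA-256 hex digest of file "$1" (GNU coreutils, or shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_and_extract ARCHIVE EXPECTED_SHA256 TARGETDIR [COMPONENTS...]
# Returns 1 without touching TARGETDIR when the digest does not match, so a
# swapped archive (for instance one carrying a setuid binary) is never unpacked.
verify_and_extract() {
    archive="$1"; expected="$2"; targetdir="$3"; shift 3
    actual=$(sha256_of "$archive")
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch: expected $expected, got $actual" >&2
        return 1
    fi
    mkdir -p "$targetdir"
    # Same extraction as the original script, but from a verified file.
    tar xzf "$archive" -C "$targetdir" --strip-components=1 "$@"
}

# fetch_and_extract URL EXPECTED_SHA256 TARGETDIR [COMPONENTS...]
# Replaces "wget -O- ... | tar": the download lands in a temporary file and
# the digest check runs before any byte of it reaches tar or TARGETDIR.
fetch_and_extract() {
    url="$1"; expected="$2"; targetdir="$3"; shift 3
    tmp=$(mktemp)
    if ! wget -q -O "$tmp" "$url" || \
       ! verify_and_extract "$tmp" "$expected" "$targetdir" "$@"; then
        rm -f "$tmp"
        return 1
    fi
    rm -f "$tmp"
}
```

With the digest pinned in the package, a replaced archive fails the check and the postinst aborts instead of unpacking attacker-controlled files as root.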