Your message dated Tue, 09 Mar 2021 01:00:09 +0000
with message-id <e1ljqjj-0006wv...@fasolo.debian.org>
and subject line Bug#984508: fixed in cpl-plugin-hawki 2.4.8+dfsg-3
has caused the Debian Bug report #984508,
regarding cpl-plugin-amber-calibre: combined remote/local privilege escalation
in maintainer script
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
984508: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984508
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: cpl-plugin-amber-calib
Version: 4.4.0+dfsg-2
Severity: grave
Tags: security
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>
The maintainer script of cpl-plugin-amber-calib has this code:
https://sources.debian.org/src/cpl-plugin-amber/4.4.0+dfsg-2/debian/cpl-plugin-calib.postinst.in/#L23
| wget -O- ${URL} | \
| tar xzO ${TAR} | \
| tar xzC ${TARGETDIR} ${COMPONENTS} --strip-components=1
The URL is an unencrypted ftp:// URL. A malicious remote could easily
replace the requested archive and supply a different version. Such a
replacement could include a setuid root binary for instance. Once
installed, a local user can use it for a local privilege escalation.
I guess that this is not the only cpl plugin affected by this kind of
vulnerability.
Helmut
--- End Message ---
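The report above describes the risk of piping an unauthenticated download straight into tar, and the fix in the closing message checks a SHA sum for the downloaded calibration file. The script below is an added illustration of that pattern and is not taken from the bug report or from any cpl-plugin maintainer script: the function names, the constructed calibration tarball and the hypothetical pinned digest are all assumptions made for the example. It writes the archive to a file first, compares its SHA-256 against a digest the packager ships with the package, and only then extracts it; a replaced archive is rejected before any file is written to the target directory.

```shell
#!/bin/sh
# Added example, not the cpl-plugin maintainer script. Assumes GNU coreutils
# (sha256sum, mktemp) and GNU tar are available.

# verify_and_extract ARCHIVE EXPECTED_SHA256 TARGETDIR
# Extracts ARCHIVE into TARGETDIR only when its SHA-256 matches EXPECTED_SHA256.
# On mismatch it returns 1 and leaves TARGETDIR untouched. Because the digest
# is checked on a complete file, a stream that is swapped in transit can never
# reach tar, unlike "wget -O- URL | tar ...".
verify_and_extract() {
    archive="$1"; expected="$2"; targetdir="$3"
    actual=$(sha256sum "$archive" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $archive: got $actual, expected $expected" >&2
        return 1
    fi
    mkdir -p "$targetdir"
    tar -xzf "$archive" -C "$targetdir" --strip-components=1
}

# Constructed fixture standing in for a downloaded calibration archive:
# a tarball with one top-level directory, as --strip-components=1 expects.
make_fixture() {
    work=$(mktemp -d)
    mkdir -p "$work/src/calib-1.0"
    echo "calibration table (constructed sample)" > "$work/src/calib-1.0/table.dat"
    tar -czf "$work/calib.tar.gz" -C "$work/src" calib-1.0
    echo "$work"
}

# Scenario 1: the file matches the digest the packager pinned -> extraction happens.
# (The pinned value is computed here from the fixture; in a real package it is
# a constant recorded in the packaging, not derived from the download.)
demo_good() {
    work=$(make_fixture)
    pinned=$(sha256sum "$work/calib.tar.gz" | cut -d' ' -f1)
    verify_and_extract "$work/calib.tar.gz" "$pinned" "$work/target" \
        && [ -f "$work/target/table.dat" ]
}

# Scenario 2: the archive was replaced after the digest was pinned -> refused,
# and nothing is written to the target directory.
demo_tampered() {
    work=$(make_fixture)
    pinned=$(sha256sum "$work/calib.tar.gz" | cut -d' ' -f1)
    printf 'x' >> "$work/calib.tar.gz"   # simulate a modified download
    if verify_and_extract "$work/calib.tar.gz" "$pinned" "$work/target" 2>/dev/null; then
        return 1                          # must not extract a mismatching file
    fi
    [ ! -e "$work/target/table.dat" ]
}
```

In a real maintainer script the digest would be a constant committed alongside the package, fetched data would go to a temporary file (for example with `wget -O "$tmpfile"` rather than `-O-`), and the fetch would use an authenticated transport where one is available; the check above is what makes the transport choice a defence in depth rather than the only line of defence.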
--- Begin Message ---
Source: cpl-plugin-hawki
Source-Version: 2.4.8+dfsg-3
Done: Ole Streicher <oleb...@debian.org>
We believe that the bug you reported is fixed in the latest version of
cpl-plugin-hawki, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 984...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ole Streicher <oleb...@debian.org> (supplier of updated cpl-plugin-hawki
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 06 Mar 2021 16:10:11 +0100
Source: cpl-plugin-hawki
Binary: cpl-plugin-hawki cpl-plugin-hawki-calib cpl-plugin-hawki-dbgsym
cpl-plugin-hawki-doc
Architecture: source all amd64
Version: 2.4.8+dfsg-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Astronomy Maintainers
<debian-astro-maintain...@lists.alioth.debian.org>
Changed-By: Ole Streicher <oleb...@debian.org>
Description:
cpl-plugin-hawki - ESO data reduction pipeline for the HAWK-I instrument
cpl-plugin-hawki-calib - ESO data reduction pipeline calibration data
downloader for HAWK-
cpl-plugin-hawki-doc - ESO data reduction pipeline documentation for HAWK-I
Closes: 984456 984508
Changes:
cpl-plugin-hawki (2.4.8+dfsg-3) unstable; urgency=medium
.
* Move calib downloader package to contrib (Closes: #984456)
* Check SHA sum for downloaded calibration file (Closes: #984508)
Checksums-Sha1:
6cd2cb084d560764c0299fb93e360e9ce41f24fd 2444 cpl-plugin-hawki_2.4.8+dfsg-3.dsc
4b3fd590f5e2742f48ae07672fe94359f1a86122 10340
cpl-plugin-hawki_2.4.8+dfsg-3.debian.tar.xz
78a4061e06e7a7df7f25e446d59b28268e0d84ac 50420
cpl-plugin-hawki-calib_2.4.8+dfsg-3_all.deb
db5b61343f261adc3414c0f56cbdf93a56cbd357 1133428
cpl-plugin-hawki-dbgsym_2.4.8+dfsg-3_amd64.deb
242c32cb053df5d17b222d9d681a3ce5eccf4865 138688
cpl-plugin-hawki-doc_2.4.8+dfsg-3_all.deb
6e1d83d364efe23cdad3ef92e959ed20813d1adb 11659
cpl-plugin-hawki_2.4.8+dfsg-3_amd64.buildinfo
252a99c21e2e1468a4c05d136e82555e42d26824 490520
cpl-plugin-hawki_2.4.8+dfsg-3_amd64.deb
Checksums-Sha256:
00d4a77d2d703730e531c6cae533c7116551cba6254f0df1af4fbd4c7ed23c1f 2444
cpl-plugin-hawki_2.4.8+dfsg-3.dsc
90467e3a8d816788b99fa819fdbc3e84d13985e6056b5402a9f2149a08eb3441 10340
cpl-plugin-hawki_2.4.8+dfsg-3.debian.tar.xz
e60bea3ce4c7d9ac530e5c09304a88af10a5a82e9ae0b8c190d951bcd9c91768 50420
cpl-plugin-hawki-calib_2.4.8+dfsg-3_all.deb
23b71600378ad99f3caf30d99f16652e000c109609bc4633864b00ded975c8ee 1133428
cpl-plugin-hawki-dbgsym_2.4.8+dfsg-3_amd64.deb
f9fd15bcceb529fad7b13a2f0de19af42e7b1407e812c1a6ac995cfd46dafa26 138688
cpl-plugin-hawki-doc_2.4.8+dfsg-3_all.deb
0a0ac2329b7a7c38a73780fc7b53114d818ae6068c1d3c4cb8bbdf3ae210d5d5 11659
cpl-plugin-hawki_2.4.8+dfsg-3_amd64.buildinfo
a66ade855949783263005bf5d18d24e4ea7b4be6ec10e1576ee34b95cafe55d2 490520
cpl-plugin-hawki_2.4.8+dfsg-3_amd64.deb
Files:
f8e853c09f448810a132b9b0b6d4d57f 2444 science optional
cpl-plugin-hawki_2.4.8+dfsg-3.dsc
bf8d75650b0b5b42d1957cd65b2e845b 10340 science optional
cpl-plugin-hawki_2.4.8+dfsg-3.debian.tar.xz
fc9da9fd563b8454063692edaf437c4e 50420 contrib/science optional
cpl-plugin-hawki-calib_2.4.8+dfsg-3_all.deb
6fc7101e82b0992ca9a76b8cba912136 1133428 debug optional
cpl-plugin-hawki-dbgsym_2.4.8+dfsg-3_amd64.deb
155cf6c3cdfc727352416ef76a6d5670 138688 doc optional
cpl-plugin-hawki-doc_2.4.8+dfsg-3_all.deb
bfc314b3ee5782dd80a2e722d72c3006 11659 science optional
cpl-plugin-hawki_2.4.8+dfsg-3_amd64.buildinfo
0cb462ebcb39f50db03b8a5f33af0337 490520 science optional
cpl-plugin-hawki_2.4.8+dfsg-3_amd64.deb
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEuvxshffLFD/utvsVcRWv0HcQ3PcFAmBDqREACgkQcRWv0HcQ
3Pem+Q/+MaZl3yQnEVcOUFepRbBfCz1gNZodqxeXZ4bnZUeHS+0swvsUcZYyGwQB
M1XGZ1W8SMB5q5OWgMYDXnD1ubdyyir24V2287qgGCJSe/dNpMRS0lfIVNlLzlNV
roILdPA6DHP9NLw5mjrK31oXiT27rDiRmo36wfrj2AKaCqUrnWl+WzBRMdsLUU1f
3FqpJG1ujIROrNT3ejAs9Qf4zUlL1Sj3sK0lU60fBAVTTyZbg/ccqVF9C2LlnDO1
0kGgEIapJuhKc6HpvW4wBATz5Pv3woFTJvYIAXR2OBcTQne9JQakSt+HmN3YYmX5
ADuoKL16dCSqBh/pdVLN6czdrYLlxGrF1OxbR14m/Ui4540p+mjclzKv75pYlxFF
MedLEmD6LZuXwbUAkYJ+nw2zDUtLlbHDylS1txRqRumwSmk7wpd1Yh+MJxmoXQQf
s879R7O7zdTXPhOjOD+hRFU4VkAu010skdeXA0mbZDG9yGCh0sET/CPpT701nNNT
Mm1omZPQtnGgfOcNM2qkUDHTg8lfhEVFDIZGys5KWMmakLLf4HpesBiLPjnpb/Tg
r6yA8Rwa5u8N/xqL0D67h6j782HRHAIYueLPjqqdpUkOiTLUF+lR8aHX9QF+c0pn
gl/o0W+l8kMQAYeJ+YvazDCadUN4W4bkP9gxIS1F2Nc2kNWw6aU=
=drYY
-----END PGP SIGNATURE-----
--- End Message ---