Your message dated Sat, 06 Mar 2021 14:48:26 +0000
with message-id <e1liyee-000hiy...@fasolo.debian.org>
and subject line Bug#984508: fixed in cpl-plugin-amber 4.4.0+dfsg-3
has caused the Debian Bug report #984508,
regarding cpl-plugin-amber-calibre: combined remote/local privilege escalation in maintainer script
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
984508: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984508
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: cpl-plugin-amber-calib
Version: 4.4.0+dfsg-2
Severity: grave
Tags: security
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>

The maintainer script of cpl-plugin-amber-calib has this code:

https://sources.debian.org/src/cpl-plugin-amber/4.4.0+dfsg-2/debian/cpl-plugin-calib.postinst.in/#L23
|       wget -O- ${URL} | \
|           tar xzO ${TAR} | \
|           tar xzC ${TARGETDIR} ${COMPONENTS} --strip-components=1

The URL is an unencrypted ftp:// URL. A malicious remote could easily
replace the requested archive and supply a different version. Such a
replacement could include a setuid root binary for instance. Once
installed, a local user can use it for a local privilege escalation.

I guess that this is not the only cpl plugin affected by this kind of
vulnerability.

Helmut

--- End Message ---
--- Begin Message ---
Source: cpl-plugin-amber
Source-Version: 4.4.0+dfsg-3
Done: Ole Streicher <oleb...@debian.org>

We believe that the bug you reported is fixed in the latest version of
cpl-plugin-amber, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 984...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ole Streicher <oleb...@debian.org> (supplier of updated cpl-plugin-amber package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Fri, 05 Mar 2021 18:09:00 +0100
Source: cpl-plugin-amber
Architecture: source
Version: 4.4.0+dfsg-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Astronomy Maintainers <debian-astro-maintain...@lists.alioth.debian.org>
Changed-By: Ole Streicher <oleb...@debian.org>
Closes: 984508
Changes:
 cpl-plugin-amber (4.4.0+dfsg-3) unstable; urgency=medium
 .
   * Check SHA sum for downloaded calibration file (Closes: #984508)


--- End Message ---
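A hardened form of the wget | tar pipeline quoted in the bug report, matching the "Check SHA sum for downloaded calibration file" fix named in the changelog. This is an added example, not the package's actual postinst: the function names are hypothetical, it assumes a single gzipped tarball (the original additionally unpacks a nested archive with --strip-components=1), and the expected hash would be pinned in the package at build time rather than fetched alongside the file.

```shell
#!/bin/sh
# Hypothetical hardened replacement for the quoted postinst pipeline.
# The archive is downloaded to a temporary file, its SHA-256 digest is
# compared against a value pinned in the package, and only a matching
# archive is handed to tar. A substituted download over plain ftp:// is
# therefore rejected before anything lands in the target directory.
set -u

# verify_sha256 FILE EXPECTED: 0 if FILE's SHA-256 digest equals EXPECTED.
verify_sha256() {
    file=$1; expected=$2
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# verified_extract ARCHIVE EXPECTED TARGETDIR
# Returns 0 on success, 1 on digest mismatch (nothing is extracted and
# TARGETDIR is not even created), 2 if tar fails.
verified_extract() {
    archive=$1; expected=$2; targetdir=$3
    if ! verify_sha256 "$archive" "$expected"; then
        echo "checksum mismatch for $archive, refusing to extract" >&2
        return 1
    fi
    mkdir -p "$targetdir" || return 2
    tar -xzf "$archive" -C "$targetdir" || return 2
}

# fetch_verified URL EXPECTED TARGETDIR: download to a temp file, then
# verify and extract. Returns 3 if the download itself fails.
# URL and EXPECTED are placeholders supplied by the caller.
fetch_verified() {
    url=$1; expected=$2; targetdir=$3
    tmp=$(mktemp) || return 3
    if ! wget -q -O "$tmp" "$url"; then
        rm -f "$tmp"
        return 3
    fi
    verified_extract "$tmp" "$expected" "$targetdir"; rc=$?
    rm -f "$tmp"
    return $rc
}
```

The digest check does not depend on the transport, so it also protects an https:// download against a compromised or mis-served mirror; the pinned value simply has to be updated whenever the upstream calibration archive changes.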