Your message dated Sat, 06 Mar 2021 16:48:55 +0000
with message-id <e1lia6p-000crp...@fasolo.debian.org>
and subject line Bug#984508: fixed in cpl-plugin-uves 6.1.3+dfsg-4
has caused the Debian Bug report #984508,
regarding cpl-plugin-amber-calibre: combined remote/local privilege escalation in maintainer script
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
984508: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984508
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: cpl-plugin-amber-calib
Version: 4.4.0+dfsg-2
Severity: grave
Tags: security
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>

The maintainer script of cpl-plugin-amber-calib has this code:

https://sources.debian.org/src/cpl-plugin-amber/4.4.0+dfsg-2/debian/cpl-plugin-calib.postinst.in/#L23
|       wget -O- ${URL} | \
|           tar xzO ${TAR} | \
|           tar xzC ${TARGETDIR} ${COMPONENTS} --strip-components=1

The URL is an unencrypted ftp:// URL. A malicious remote could easily
replace the requested archive and supply a different version. Such a
replacement could include a setuid root binary for instance. Once
installed, a local user can use it for a local privilege escalation.

I guess that this is not the only cpl plugin affected by this kind of
vulnerability.

Helmut

--- End Message ---
--- Begin Message ---
Source: cpl-plugin-uves
Source-Version: 6.1.3+dfsg-4
Done: Ole Streicher <oleb...@debian.org>

We believe that the bug you reported is fixed in the latest version of
cpl-plugin-uves, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 984...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ole Streicher <oleb...@debian.org> (supplier of updated cpl-plugin-uves package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 06 Mar 2021 17:30:58 +0100
Source: cpl-plugin-uves
Architecture: source
Version: 6.1.3+dfsg-4
Distribution: unstable
Urgency: medium
Maintainer: Debian Astronomy Maintainers <debian-astro-maintain...@lists.alioth.debian.org>
Changed-By: Ole Streicher <oleb...@debian.org>
Closes: 984508
Changes:
 cpl-plugin-uves (6.1.3+dfsg-4) unstable; urgency=medium
 .
   * Check SHA sum for downloaded calibration file (Closes: #984508)


--- End Message ---
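A hardened form of the `wget -O- | tar` pipeline quoted in the report, as an added example that is not the package's own postinst: the archive is downloaded to a private temporary file, its SHA-256 is compared against a hash pinned in the script (the approach the changelog entry above describes), and tar only runs after the check passes. The function names, the tar layout and the placeholder URL and hash are assumptions.

```shell
#!/bin/sh
# Constructed example: verify-then-extract replacement for
#   wget -O- ${URL} | tar xzO ${TAR} | tar xzC ${TARGETDIR} ...
# With a pinned checksum, a swapped archive on the (ftp://) transport is
# detected before any file reaches TARGETDIR.
set -eu

# verify_sha256 FILE EXPECTED: succeeds only if FILE hashes to EXPECTED.
verify_sha256() {
    file=$1; expected=$2
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# extract_verified ARCHIVE EXPECTED_SHA256 TARGETDIR
# On mismatch nothing is written; TARGETDIR is not even created.
extract_verified() {
    archive=$1; expected=$2; targetdir=$3
    if ! verify_sha256 "$archive" "$expected"; then
        echo "checksum mismatch for $archive, refusing to extract" >&2
        return 1
    fi
    mkdir -p "$targetdir"
    tar -xzf "$archive" -C "$targetdir" --strip-components=1
}

# fetch_and_install URL EXPECTED_SHA256 TARGETDIR
# Download to a temp file first so tar never sees unverified bytes.
# URL and EXPECTED_SHA256 are placeholders supplied by the caller.
fetch_and_install() {
    url=$1; expected=$2; targetdir=$3
    tmp=$(mktemp)
    trap 'rm -f "$tmp"' EXIT
    wget -q -O "$tmp" "$url"
    extract_verified "$tmp" "$expected" "$targetdir"
}
```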
