Your message dated Sat, 06 Mar 2021 18:33:25 +0000
with message-id <e1libjx-0007uo...@fasolo.debian.org>
and subject line Bug#984508: fixed in cpl-plugin-visir 4.3.10+dfsg-4
has caused the Debian Bug report #984508,
regarding cpl-plugin-amber-calibre: combined remote/local privilege escalation in maintainer script
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
984508: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984508
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: cpl-plugin-amber-calib
Version: 4.4.0+dfsg-2
Severity: grave
Tags: security
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>

The maintainer script of cpl-plugin-amber-calib has this code:

https://sources.debian.org/src/cpl-plugin-amber/4.4.0+dfsg-2/debian/cpl-plugin-calib.postinst.in/#L23
|       wget -O- ${URL} | \
|           tar xzO ${TAR} | \
|           tar xzC ${TARGETDIR} ${COMPONENTS} --strip-components=1

The URL is an unencrypted ftp:// URL. A malicious remote could easily
replace the requested archive and supply a different version. Such a
replacement could include a setuid root binary for instance. Once
installed, a local user can use it for a local privilege escalation.

I guess that this is not the only cpl plugin affected by this kind of
vulnerability.

Helmut

--- End Message ---
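The remedy the changelog below describes (checking a SHA sum of the downloaded file before using it), as an added example that is neither the package's own postinst nor Helmut's code; the function and variable names are assumed, and the archives are constructed locally so the script runs offline:

```shell
#!/bin/sh
# Added example (not the package's own postinst): download a calibration
# archive to a temporary file, verify a SHA-256 fixed at package build time,
# and hand the bytes to tar only after the check passes. Assumed names:
# fetch_and_extract, DEMO, GOOD_SHA, demo_good, demo_bad.

# Returns 0 on success, 1 on checksum mismatch, 2 on download failure.
# Nothing reaches tar unless the digest matches.
fetch_and_extract() {
    url=$1; expected=$2; targetdir=$3
    tmp=$(mktemp) || return 2
    # file:// is handled with cp so this runs offline; a real script would
    # use wget here. The transport may stay ftp://, the digest does the work.
    case $url in
        file://*) cp "${url#file://}" "$tmp" || { rm -f "$tmp"; return 2; } ;;
        *)        wget -q -O "$tmp" "$url" || { rm -f "$tmp"; return 2; } ;;
    esac
    actual=$(sha256sum "$tmp" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $url: got $actual, want $expected" >&2
        rm -f "$tmp"
        return 1
    fi
    mkdir -p "$targetdir" && tar -xzf "$tmp" -C "$targetdir" --strip-components=1
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Constructed demo data: a tiny "calibration" tarball built locally, plus a
# copy with extra bytes appended to simulate an archive altered in transit.
DEMO=$(mktemp -d)
mkdir -p "$DEMO/src/calib"
echo "constructed calibration table" > "$DEMO/src/calib/table.fits"
tar -C "$DEMO/src" -czf "$DEMO/calib.tar.gz" calib
GOOD_SHA=$(sha256sum "$DEMO/calib.tar.gz" | cut -d' ' -f1)
cp "$DEMO/calib.tar.gz" "$DEMO/altered.tar.gz"
echo "extra bytes" >> "$DEMO/altered.tar.gz"

# Genuine archive: extracted into $DEMO/out.
demo_good() { fetch_and_extract "file://$DEMO/calib.tar.gz" "$GOOD_SHA" "$DEMO/out"; }
# Altered archive: refused before tar ever runs; $DEMO/out2 is never created.
demo_bad()  { fetch_and_extract "file://$DEMO/altered.tar.gz" "$GOOD_SHA" "$DEMO/out2"; }

demo_good && echo "verified and extracted: $(ls "$DEMO/out")"
demo_bad  || echo "altered archive rejected (exit $?)"
```

The expected digest must come from the package itself (as the changelog's fix does), not from the same untrusted download location.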
--- Begin Message ---
Source: cpl-plugin-visir
Source-Version: 4.3.10+dfsg-4
Done: Ole Streicher <oleb...@debian.org>

We believe that the bug you reported is fixed in the latest version of
cpl-plugin-visir, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 984...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ole Streicher <oleb...@debian.org> (supplier of updated cpl-plugin-visir package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Sat, 06 Mar 2021 17:44:01 +0100
Source: cpl-plugin-visir
Architecture: source
Version: 4.3.10+dfsg-4
Distribution: unstable
Urgency: medium
Maintainer: Debian Astronomy Team <debian-astro-maintain...@lists.alioth.debian.org>
Changed-By: Ole Streicher <oleb...@debian.org>
Closes: 984508
Changes:
 cpl-plugin-visir (4.3.10+dfsg-4) unstable; urgency=medium
 .
   * Check SHA sum for downloaded calibration file (Closes: #984508)


--- End Message ---