Package: cpl-plugin-amber-calib
Version: 4.4.0+dfsg-2
Severity: grave
Tags: security
X-Debbugs-Cc: Debian Security Team <[email protected]>
The maintainer script of cpl-plugin-amber-calib has this code:

https://sources.debian.org/src/cpl-plugin-amber/4.4.0+dfsg-2/debian/cpl-plugin-calib.postinst.in/#L23

    wget -O- ${URL} | \
    tar xzO ${TAR} | \
    tar xzC ${TARGETDIR} ${COMPONENTS} --strip-components=1

The URL is an unencrypted ftp:// URL. A malicious remote could easily replace the requested archive and supply a different version. Such a replacement could include a setuid root binary for instance. Once installed, a local user can use it for a local privilege escalation.

I guess that this is not the only cpl plugin affected by this kind of vulnerability.

Helmut
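As an added illustration of the mitigation (not code from the Debian package or this report), the download step below keeps the same nested-archive layout as the postinst but saves the outer archive to a temporary file, checks it against a SHA-256 digest shipped with the package, and only then unpacks the inner tarball; the URL, digest and component names are placeholders for the package's own values.

```shell
#!/bin/sh
# Added example, not the package's postinst. Pinning the archive to a known
# digest means a swapped download (e.g. one carrying a setuid binary) is
# rejected before anything lands in TARGETDIR, whatever transport fetched it.

# Print the SHA-256 of a file (falls back to shasum where sha256sum is absent).
sha256_of() {
    { sha256sum "$1" 2>/dev/null || shasum -a 256 "$1"; } | cut -d' ' -f1
}

# verify_and_extract ARCHIVE EXPECTED_SHA256 INNER_TAR TARGETDIR [COMPONENTS...]
# Mirrors the postinst's "outer tar.gz containing INNER_TAR" layout.
# Returns 0 and unpacks into TARGETDIR only when the digest matches;
# returns 1 and leaves TARGETDIR untouched otherwise.
verify_and_extract() {
    archive=$1; expected=$2; inner=$3; targetdir=$4; shift 4
    actual=$(sha256_of "$archive")
    if [ "$actual" != "$expected" ]; then
        echo "refusing $archive: sha256 $actual, expected $expected" >&2
        return 1
    fi
    mkdir -p "$targetdir" || return 1
    tar xzOf "$archive" "$inner" | \
        tar xzC "$targetdir" --strip-components=1 "$@"
}

# fetch_components URL EXPECTED_SHA256 INNER_TAR TARGETDIR [COMPONENTS...]
# Downloads to a temp file instead of piping wget straight into tar, so the
# digest is checked over the complete archive. Prefer an https:// URL so the
# transfer is authenticated as well; the digest check still catches tampering.
fetch_components() {
    url=$1; shift
    tmp=$(mktemp) || return 1
    if ! wget -q -O "$tmp" "$url"; then
        rm -f "$tmp"
        return 1
    fi
    verify_and_extract "$tmp" "$@"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

The digest would be recorded in the package at build time (for instance in a file next to the postinst), so a changed upstream archive fails installation rather than silently replacing the calibration data.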

