Your message dated Sat, 06 Mar 2021 15:18:48 +0000
with message-id <[email protected]>
and subject line Bug#984508: fixed in cpl-plugin-giraf 2.16.7+dfsg-3
has caused the Debian Bug report #984508,
regarding cpl-plugin-amber-calib: combined remote/local privilege escalation
in maintainer script
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
984508: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984508
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: cpl-plugin-amber-calib
Version: 4.4.0+dfsg-2
Severity: grave
Tags: security
X-Debbugs-Cc: Debian Security Team <[email protected]>
The maintainer script of cpl-plugin-amber-calib has this code:
https://sources.debian.org/src/cpl-plugin-amber/4.4.0+dfsg-2/debian/cpl-plugin-calib.postinst.in/#L23
| wget -O- ${URL} | \
| tar xzO ${TAR} | \
| tar xzC ${TARGETDIR} ${COMPONENTS} --strip-components=1
The URL is an unencrypted ftp:// URL. A malicious remote could easily
replace the requested archive and supply a different version. Such a
replacement could include a setuid root binary for instance. Once
installed, a local user can use it for a local privilege escalation.
I guess that this is not the only cpl plugin affected by this kind of
vulnerability.
Helmut
--- End Message ---
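The pattern the bug report asks for, written out as an added example (this is not code from the cpl-plugin-* packages or from either message above): the archive is saved to a temporary file, its SHA-256 is compared against a hash that ships in the package, and only a matching file is handed to tar. The streamed `wget -O- | tar` form cannot be fixed in place, because tar consumes the bytes before anything could hash them, and the pipeline also discards wget's exit status. The demo archive, the target layout and the pinned hash are constructed here for illustration; the URL argument of `fetch_verify_extract` is never contacted in the offline demo.

```shell
#!/bin/sh
# Added example (not code from the cpl-plugin-* packages): the download step of
# a maintainer script rewritten so the archive is verified before it is unpacked.
# The original postinst runs `wget -O- $URL | tar ...`, which hands the bytes to
# tar before any integrity check is possible. Here the archive is saved to a
# temporary file, its SHA-256 is compared against a hash pinned in the script,
# and only a matching file reaches tar.
set -u

# sha256_of FILE: print the hex SHA-256 of FILE (coreutils sha256sum, or
# shasum on systems without it).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_and_extract FILE EXPECTED_SHA256 TARGETDIR
# Returns 0 and unpacks FILE into TARGETDIR (top-level directory stripped, as
# the original script does) only if the hash matches; returns 2 and touches
# nothing otherwise.
verify_and_extract() {
    vae_file=$1
    vae_expected=$2
    vae_target=$3
    vae_actual=$(sha256_of "$vae_file") || return 1
    if [ "$vae_actual" != "$vae_expected" ]; then
        echo "checksum mismatch for $vae_file (got $vae_actual), refusing to extract" >&2
        return 2
    fi
    mkdir -p "$vae_target" || return 1
    tar -xzf "$vae_file" -C "$vae_target" --strip-components=1
}

# fetch_verify_extract URL EXPECTED_SHA256 TARGETDIR
# Network-facing wrapper: download to a temp file first (no pipe into tar),
# check wget's own exit status, then hand the file to verify_and_extract.
# EXPECTED_SHA256 must be a constant shipped in the package, not fetched from
# the same server as the archive.
fetch_verify_extract() {
    fve_tmp=$(mktemp) || return 1
    if ! wget -q -O "$fve_tmp" "$1"; then
        rm -f "$fve_tmp"
        echo "download of $1 failed" >&2
        return 1
    fi
    verify_and_extract "$fve_tmp" "$2" "$3"
    fve_rc=$?
    rm -f "$fve_tmp"
    return $fve_rc
}

# make_demo_archive: build a small constructed .tar.gz (not a real ESO
# calibration archive) whose layout mirrors what --strip-components=1 expects,
# and print its path.
make_demo_archive() {
    mda_work=$(mktemp -d) || return 1
    mkdir -p "$mda_work/calib-1.0/cal"
    echo "constructed demo calibration data" > "$mda_work/calib-1.0/cal/master.fits"
    tar -czf "$mda_work/calib.tar.gz" -C "$mda_work" calib-1.0
    echo "$mda_work/calib.tar.gz"
}

# Demo: the same file is accepted with the correct pinned hash and rejected
# when the pinned hash does not match, which is what a server-side swapped
# archive looks like to the script.
demo() {
    demo_archive=$(make_demo_archive)
    demo_good=$(sha256_of "$demo_archive")
    demo_out=$(mktemp -d)
    if verify_and_extract "$demo_archive" "$demo_good" "$demo_out/good"; then
        echo "matching hash: extracted $(find "$demo_out/good" -type f)"
    fi
    demo_fake=$(printf '%064d' 0)   # a pinned value that this archive cannot match
    if verify_and_extract "$demo_archive" "$demo_fake" "$demo_out/bad"; then
        echo "ERROR: mismatched archive was extracted"
    else
        echo "mismatching hash: nothing extracted, $demo_out/bad not created"
    fi
    rm -rf "$demo_out" "$(dirname "$demo_archive")"
}

demo
```

Two points worth keeping in mind when adapting this to a real postinst. The pinned hash has to live in the package (as the `cpl-plugin-giraf` changelog entry describes), since a hash fetched from the same ftp:// server as the archive can be swapped together with it; a change in the upstream calibration data then needs a package upload, which is the right trade-off for a script that runs as root. And the original script's inner `tar xzO ${TAR} |` step, which pulls a nested archive out of the download, can be applied unchanged to the verified temporary file instead of to the live wget stream.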
--- Begin Message ---
Source: cpl-plugin-giraf
Source-Version: 2.16.7+dfsg-3
Done: Ole Streicher <[email protected]>
We believe that the bug you reported is fixed in the latest version of
cpl-plugin-giraf, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ole Streicher <[email protected]> (supplier of updated cpl-plugin-giraf
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 06 Mar 2021 15:52:22 +0100
Source: cpl-plugin-giraf
Architecture: source
Version: 2.16.7+dfsg-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Astronomy Maintainers <[email protected]>
Changed-By: Ole Streicher <[email protected]>
Closes: 984508
Changes:
cpl-plugin-giraf (2.16.7+dfsg-3) unstable; urgency=medium
.
* Check SHA sum for downloaded calibration file (Closes: #984508)
Checksums-Sha1:
 c171cad390cd7a3c28d5f036a49e1eec338caafa 2452 cpl-plugin-giraf_2.16.7+dfsg-3.dsc
 30e68a33cd1819f64d53364080638d2977745d3f 9900 cpl-plugin-giraf_2.16.7+dfsg-3.debian.tar.xz
Checksums-Sha256:
 f76eab6e5985ed2d622586632ffac19657ca25894161f1beecee18f93919ec9c 2452 cpl-plugin-giraf_2.16.7+dfsg-3.dsc
 3d4c9cf22d503445012b2cb60f239f06102e3dfcc6fd66ada4285cdb980f26b0 9900 cpl-plugin-giraf_2.16.7+dfsg-3.debian.tar.xz
Files:
 99ed9cec1c25c01a779d597c0fc533d0 2452 science optional cpl-plugin-giraf_2.16.7+dfsg-3.dsc
 8490b3d04a20aba5d129d78624074cda 9900 science optional cpl-plugin-giraf_2.16.7+dfsg-3.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---