Your message dated Sat, 06 Mar 2021 16:18:39 +0000
with message-id <[email protected]>
and subject line Bug#984508: fixed in cpl-plugin-muse 2.8.3+dfsg-3
has caused the Debian Bug report #984508,
regarding cpl-plugin-amber-calib: combined remote/local privilege escalation
in maintainer script
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
984508: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984508
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: cpl-plugin-amber-calib
Version: 4.4.0+dfsg-2
Severity: grave
Tags: security
X-Debbugs-Cc: Debian Security Team <[email protected]>
The maintainer script of cpl-plugin-amber-calib has this code:
https://sources.debian.org/src/cpl-plugin-amber/4.4.0+dfsg-2/debian/cpl-plugin-calib.postinst.in/#L23
| wget -O- ${URL} | \
| tar xzO ${TAR} | \
| tar xzC ${TARGETDIR} ${COMPONENTS} --strip-components=1
The URL is an unencrypted ftp:// URL. A malicious remote could easily
replace the requested archive and supply a different version. Such a
replacement could include a setuid root binary for instance. Once
installed, a local user can use it for a local privilege escalation.
I guess that this is not the only cpl plugin affected by this kind of
vulnerability.
Helmut
--- End Message ---
--- Begin Message ---
Source: cpl-plugin-muse
Source-Version: 2.8.3+dfsg-3
Done: Ole Streicher <[email protected]>
We believe that the bug you reported is fixed in the latest version of
cpl-plugin-muse, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ole Streicher <[email protected]> (supplier of updated cpl-plugin-muse package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 06 Mar 2021 16:36:30 +0100
Source: cpl-plugin-muse
Architecture: source
Version: 2.8.3+dfsg-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Astro Team <[email protected]>
Changed-By: Ole Streicher <[email protected]>
Closes: 984508
Changes:
cpl-plugin-muse (2.8.3+dfsg-3) unstable; urgency=medium
.
* Check SHA sum for downloaded calibration file (Closes: #984508)
Checksums-Sha1:
b0d93c78b57a0c84468bc844414816e116030ba1 2396 cpl-plugin-muse_2.8.3+dfsg-3.dsc
008388663f8b74ca5e9ddaad3c89272c7486e231 14040 cpl-plugin-muse_2.8.3+dfsg-3.debian.tar.xz
Checksums-Sha256:
dcc326c16c1845aae35072930f07d04a66769bf9631fbbc69703f33c80199f01 2396 cpl-plugin-muse_2.8.3+dfsg-3.dsc
ea55d2572389935289fe78dc816151c27c6c869ec5f22c2b984e92fb5f05dc41 14040 cpl-plugin-muse_2.8.3+dfsg-3.debian.tar.xz
Files:
52c8d783655b0d3f7a9efd50f6be8208 2396 science optional cpl-plugin-muse_2.8.3+dfsg-3.dsc
d0a8f43b3c52e031b4c6f6744d9b302a 14040 science optional cpl-plugin-muse_2.8.3+dfsg-3.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
=EZry
-----END PGP SIGNATURE-----
--- End Message ---
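The fix recorded in the changelog above ("Check SHA sum for downloaded calibration file") addresses the pipeline Helmut quoted: wget streams an archive fetched over unauthenticated ftp:// straight into tar, so whoever can tamper with that transfer chooses what lands in ${TARGETDIR} as root. The script below is an added example of the hardened shape, not the cpl-plugin-muse postinst itself or any other Debian maintainer script. It downloads to a temporary file, compares the file's SHA-256 with a hash the maintainer pins inside the (signed) package, and only then runs the same two-stage tar pipeline. The variable roles mirror the quoted script (URL, TAR for the inner archive name, TARGETDIR, COMPONENTS); the pinned digest, the fixture archives, the "suid-helper" file and the fetch_verify_extract wrapper are all constructed for the demonstration, and the offline demo never touches the network.

```shell
#!/bin/sh
# Added example, not the cpl-plugin-* postinst: download first, verify a
# pinned SHA-256 of the downloaded archive, and only then run the nested
# tar pipeline.  The pinned hash is something the maintainer computes once
# and ships inside the signed .deb, so an attacker who can swap the ftp://
# payload cannot also swap the value it is checked against.
set -eu

sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# verify_and_extract ARCHIVE EXPECTED_SHA256 TAR TARGETDIR [COMPONENTS...]
# Extracts only if the digest of ARCHIVE equals EXPECTED_SHA256; on a
# mismatch it returns 1 and TARGETDIR is not even created.
verify_and_extract() {
    archive=$1; expected=$2; inner=$3; targetdir=$4; shift 4
    actual=$(sha256_of "$archive")
    if [ "$actual" != "$expected" ]; then
        printf 'refusing to extract %s: sha256 %s, expected %s\n' \
            "$archive" "$actual" "$expected" >&2
        return 1
    fi
    mkdir -p "$targetdir"
    # Same two-stage pipeline as the quoted script, now fed from the
    # verified local file instead of straight from wget.
    tar -xzO -f "$archive" "$inner" |
        tar -xz -C "$targetdir" --strip-components=1 -f - "$@"
}

# fetch_verify_extract URL EXPECTED_SHA256 TAR TARGETDIR [COMPONENTS...]
# The network-facing wrapper a postinst would call (hypothetical name).
# Not exercised by the demo below, which runs offline.
fetch_verify_extract() {
    url=$1; shift
    tmp=$(mktemp)
    if wget -q -O "$tmp" "$url" && verify_and_extract "$tmp" "$@"; then
        rm -f "$tmp"; return 0
    fi
    rm -f "$tmp"; return 1
}

# --- constructed fixture for an offline demonstration -------------------

# build_fixture WORKDIR: creates outer.tar.gz containing inner.tar.gz,
# which holds calib/good.txt, and prints the digest a maintainer would pin.
build_fixture() {
    work=$1
    mkdir -p "$work/src/calib"
    echo "calibration data" > "$work/src/calib/good.txt"
    tar -czf "$work/inner.tar.gz" -C "$work/src" calib
    tar -czf "$work/outer.tar.gz" -C "$work" inner.tar.gz
    sha256_of "$work/outer.tar.gz"
}

# tamper WORKDIR: replaces the archive the way an on-path attacker on an
# unauthenticated ftp:// transfer could, adding a mode-4755 file.
tamper() {
    work=$1
    mkdir -p "$work/evil/calib"
    echo "not calibration data" > "$work/evil/calib/suid-helper"
    chmod 4755 "$work/evil/calib/suid-helper"
    tar -czf "$work/inner.tar.gz" -C "$work/evil" calib
    tar -czf "$work/outer.tar.gz" -C "$work" inner.tar.gz
}

# demo: the genuine archive extracts, the tampered one is refused before
# anything is written.  Prints "ok" on success.
demo() {
    work=$(mktemp -d)
    pinned=$(build_fixture "$work")
    verify_and_extract "$work/outer.tar.gz" "$pinned" inner.tar.gz "$work/t1" calib
    [ -f "$work/t1/good.txt" ] || return 1
    tamper "$work"
    if verify_and_extract "$work/outer.tar.gz" "$pinned" inner.tar.gz "$work/t2" calib 2>/dev/null; then
        return 1
    fi
    [ ! -e "$work/t2" ] || return 1
    rm -rf "$work"
    echo ok
}

demo
```

Two caveats a reviewer would raise against this shape. A pinned digest only protects what the maintainer actually inspected, so the hash must be computed from an archive obtained over a trustworthy channel and updated together with the package whenever upstream republishes the calibration data; and it does nothing about availability, since an attacker who cannot forge the payload can still make installation fail. Fetching over https:// with certificate verification is a worthwhile complement, but on its own it still trusts whatever the server serves at install time, which is why the digest check is the part that closes the bug as reported.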