[Debian-astro-maintainers] Bug#984508: cpl-plugin-amber-calibre: combined remote/local privilege escalation in maintainer script

Helmut Grohne helmut at subdivi.de
Thu Mar 4 12:21:41 GMT 2021


Package: cpl-plugin-amber-calib
Version: 4.4.0+dfsg-2
Severity: grave
Tags: security
X-Debbugs-Cc: Debian Security Team <team at security.debian.org>

The maintainer script of cpl-plugin-amber-calib has this code:

https://sources.debian.org/src/cpl-plugin-amber/4.4.0+dfsg-2/debian/cpl-plugin-calib.postinst.in/#L23
| 	wget -O- ${URL} | \
| 	    tar xzO ${TAR} | \
| 	    tar xzC ${TARGETDIR} ${COMPONENTS} --strip-components=1

The URL is an unencrypted ftp:// URL. A malicious remote could easily
replace the requested archive and supply a different version. Such a
replacement could include a setuid root binary for instance. Once
installed, a local user can use it for a local privilege escalation.

I guess that this is not the only cpl plugin affected by this kind of
vulnerability.

Helmut
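The same download step rewritten to fetch over TLS into a file and to check a digest pinned in the package before tar ever sees the archive, as an added example rather than code from the package or from this report; the function names, the pinned-digest handling and the constructed archive are assumptions.

```shell
#!/bin/sh
# Added example, not the package's maintainer script: fetch to a file,
# verify a digest recorded in the package at build time, then extract.
set -eu

# Portable SHA-256 of a file: GNU coreutils sha256sum, else BSD shasum
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Fetch over TLS into a file (assumed helper; not run in the offline demo).
# Piping a network stream straight into tar leaves nothing to verify.
fetch_archive() {
    wget --https-only -O "$2" "$1"
}

# Unpack ARCHIVE into TARGETDIR only if its SHA-256 equals EXPECTED.
# Returns 1 and creates nothing on a mismatch.
verify_and_extract() {
    archive=$1 expected=$2 targetdir=$3
    actual=$(sha256_of "$archive")
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $archive: got $actual, want $expected" >&2
        return 1
    fi
    mkdir -p "$targetdir"
    tar -xzf "$archive" -C "$targetdir" --strip-components=1
}

# Offline demo: a constructed archive stands in for the ftp download
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/src/calib"
    echo "constructed payload" > "$work/src/calib/data.txt"
    tar czf "$work/archive.tar.gz" -C "$work" src
    verify_and_extract "$work/archive.tar.gz" "$(sha256_of "$work/archive.tar.gz")" "$work/out"
    test -f "$work/out/calib/data.txt"
    # A replaced archive fails the check and never reaches tar
    if verify_and_extract "$work/archive.tar.gz" "0000replaced" "$work/out2" 2>/dev/null; then
        return 1
    fi
    rm -rf "$work"
}
demo
```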
