[Debian-astro-maintainers] Bug#984508: cpl-plugin-amber-calibre: combined remote/local privilege escalation in maintainer script
Helmut Grohne
helmut at subdivi.de
Thu Mar 4 12:21:41 GMT 2021
Package: cpl-plugin-amber-calib
Version: 4.4.0+dfsg-2
Severity: grave
Tags: security
X-Debbugs-Cc: Debian Security Team <team at security.debian.org>
The maintainer script of cpl-plugin-amber-calib has this code:
https://sources.debian.org/src/cpl-plugin-amber/4.4.0+dfsg-2/debian/cpl-plugin-calib.postinst.in/#L23
| wget -O- ${URL} | \
| tar xzO ${TAR} | \
| tar xzC ${TARGETDIR} ${COMPONENTS} --strip-components=1
The URL is an unencrypted ftp:// URL. A malicious remote could easily
replace the requested archive and supply a different version. Such a
replacement could include a setuid root binary for instance. Once
installed, a local user can use it for a local privilege escalation.
I guess that this is not the only cpl plugin affected by this kind of
vulnerability.
Helmut
More information about the Debian-astro-maintainers
mailing list