CVE-2015-8768 (retired)

Priority
Description
click/install.py in click does not require files in package filesystem
tarballs to start with ./ (dot slash), which allows remote attackers to
install an alternate security policy and gain privileges via a crafted
package, as demonstrated by the test.mmrow app for Ubuntu phone.
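The defensive check the description implies, as an added example in Python (not click's install.py or cjwatson's patch): audit every member name in a package filesystem tarball and reject any entry that does not start with ./. The second check, rejecting names that still escape the package root after normalisation, is an assumption beyond the page's wording; the tarballs are constructed in-memory test data.

```python
import io
import posixpath
import tarfile


def audit_member_names(tar_bytes):
    """Return [(member_name, reason)] for every entry that fails the audit.

    Rule from the CVE text: every path in a click package filesystem
    tarball must start with './'. As an extra check (an assumption, not
    stated on the page), a name that still escapes the package root
    after normalisation, e.g. './../x', is also rejected.
    """
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            name = member.name
            if not name.startswith("./"):
                findings.append((name, "missing ./ prefix"))
                continue
            norm = posixpath.normpath(name)
            if norm == ".." or norm.startswith("../"):
                findings.append((name, "escapes package root"))
    return findings


def build_tar(names):
    """Constructed test data: an in-memory gzip tarball with one small
    regular file per name, written via addfile() so the member names
    are stored exactly as given (no normalisation by tarfile)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name in names:
            data = b"x"
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    ok = build_tar(["./manifest", "./apparmor/policy.json"])
    print(audit_member_names(ok))
    suspect = build_tar(["./manifest", "manifest", "./../outside"])
    print(audit_member_names(suspect))
```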
Notes
 jdstrand> app can ship a crafted .click directory that can be used to trick
  click into installing unintended security policy
 jdstrand> snappy not affected per me and mvo
 jdstrand> patch from cjwatson, but not committed to bzr yet
 jdstrand> updates also needed for vivid stable-phone-overlay and wily
  stable-phone-overlay.
Assigned-to
jdstrand
Package
Source: click (LP Ubuntu Debian)
Upstream: released (0.4.41)
Ubuntu 14.04 LTS (Trusty Tahr): released (0.4.21.1ubuntu0.2)
Patches:
Upstream: https://code.launchpad.net/~cjwatson/click/audit-missing-dot-slash/+merge/274554
More Information

Updated: 2019-03-26 12:17:40 UTC (commit ccdecfcf0fead22bd291e5f4ea745a46872dcb15)