CVE-2015-8768
Published: 13 February 2017
click/install.py in click does not require files in package filesystem tarballs to start with ./ (dot slash), which allows remote attackers to install an alternate security policy and gain privileges via a crafted package, as demonstrated by the test.mmrow app for Ubuntu phone.
Notes
| Author | Note |
|---|---|
| jdstrand | app can ship a crafted .click directory that can be used to trick click into installing unintended security policy snappy not affected per me and mvo patch from cjwatson, but not committed to bzr yet updates also needed for vivid stable-phone-overlay and wily stable-phone-overlay. |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
click Launchpad, Ubuntu, Debian |
precise |
Does not exist
|
| trusty |
Released
(0.4.21.1ubuntu0.2)
|
|
| upstream |
Released
(0.4.41)
|
|
| vivid |
Released
(0.4.38.5ubuntu0.2)
|
|
|
Patches: upstream: https://code.launchpad.net/~cjwatson/click/audit-missing-dot-slash/+merge/274554 |
||
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 9.8 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |