Launchpad.net

CVE 2015-8768

click/install.py in click does not require files in package filesystem tarballs to start with ./ (dot slash), which allows remote attackers to install an alternate security policy and gain privileges via a crafted package, as demonstrated by the test.mmrow app for Ubuntu phone.

Related bugs and status

CVE-2015-8768 (Candidate) is related to these bugs:

Bug #1506467: click install does not ignore shipped files without leading './'

		In	Importance	Status
1506467	click install does not ignore shipped files without leading './'	click (Ubuntu)	Critical	Fix Released
1506467	click install does not ignore shipped files without leading './'	click (Ubuntu Trusty)	Critical	Fix Released
1506467	click install does not ignore shipped files without leading './'	click (Ubuntu Wily)	Critical	Fix Released
1506467	click install does not ignore shipped files without leading './'	click (Ubuntu Vivid)	Critical	Fix Released
1506467	click install does not ignore shipped files without leading './'	Canonical System Image	Critical	Fix Released

See the

CVE page on Mitre.org for more details.

Launchpad.net

CVE 2015-8768

Related bugs and status

Related bugs

References