click install does not ignore shipped files without leading './'

Bug #1506467 reported by Jamie Strandboge on 2015-10-15
Affects                  Status   Importance   Assigned to        Milestone
Canonical System Image            Critical     Unassigned
click (Ubuntu)                    Critical     Colin Watson
  Trusty                          Critical     Jamie Strandboge
  Vivid                           Critical     Jamie Strandboge
  Wily                            Critical     Colin Watson

Bug Description

The click install process does not filter out all illegitimate paths during the install process. For example, an app can ship '.click' in data.tar.gz which interferes with package installs. './.click/' is correctly filtered.

Colin Watson (cjwatson) on 2015-10-15
Changed in click (Ubuntu):
assignee: nobody → Colin Watson (cjwatson)
importance: Undecided → Critical
status: New → Triaged
status: Triaged → In Progress
summary: - click install does not ignore shipped files wihout './'
+ click install does not ignore shipped files without leading './'
information type: Private Security → Public Security
Changed in click (Ubuntu Trusty):
status: New → In Progress
Changed in click (Ubuntu Vivid):
status: New → In Progress
Changed in click (Ubuntu Trusty):
importance: Undecided → Critical
Changed in click (Ubuntu Vivid):
importance: Undecided → Critical
Changed in click (Ubuntu Trusty):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in click (Ubuntu Vivid):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in canonical-devices-system-image:
importance: Undecided → Critical
milestone: none → ww40-2015
status: New → In Progress
tags: added: hotfix
Changed in click (Ubuntu Wily):
status: In Progress → Fix Committed
Changed in click (Ubuntu Vivid):
status: In Progress → Fix Committed
Changed in click (Ubuntu Trusty):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package click - 0.4.39.1+15.10.20150702-0ubuntu2

---------------
click (0.4.39.1+15.10.20150702-0ubuntu2) wily; urgency=medium

  * SECURITY UPDATE: fix privilege escalation via crafted data.tar.gz that
    can be used to install alternate security policy than what is defined
    - click/install.py: Forbid installing packages with data tarball members
      whose names do not start with "./". Patch thanks to Colin Watson.
    - CVE-2015-XXXX
    - LP: #1506467

 -- Jamie Strandboge <email address hidden> Thu, 15 Oct 2015 09:16:17 -0500

Changed in click (Ubuntu Wily):
status: Fix Committed → Fix Released
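The two audits described on this page, the insufficient one from the bug description (only './.click/' is filtered, so a member spelled '.click' without the leading './' is not) and the fixed one from the changelog (refuse any data tarball member whose name does not start with "./"), side by side as an added example. This is not click's own install.py; RESERVED_DIR, the function names and the sample member names are constructed for illustration.

```python
import io
import tarfile

# Illustrative, not click's own constant: the directory the installer reserves
# for its own metadata inside data.tar.gz (the './.click/' the report mentions).
RESERVED_DIR = "./.click"


def build_data_tar(member_names):
    """Build an in-memory data.tar.gz with one entry per name (constructed input).

    Names ending in '/' become directory entries; everything else is an empty file.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name in member_names:
            info = tarfile.TarInfo(name=name)
            if name.endswith("/"):
                info.type = tarfile.DIRTYPE
                tar.addfile(info)
            else:
                info.size = 0
                tar.addfile(info, io.BytesIO(b""))
    return buf.getvalue()


def rejected_members(tar_bytes, require_dot_slash):
    """Return the member names the installer's audit would refuse.

    require_dot_slash=False reproduces the insufficient check from the report:
    only names spelled with the './.click' prefix are caught, so '.click' and
    '.click/...' (the same on-disk path without the './') pass unnoticed.
    require_dot_slash=True adds the fix from the changelog: every member must
    start with './', which closes that gap before the reserved-dir check runs.
    """
    rejected = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        for info in tar:
            # tarfile keeps a leading './' but strips the trailing '/' of directories
            name = info.name
            if require_dot_slash and not name.startswith("./"):
                rejected.append(name)
            elif name == RESERVED_DIR or name.startswith(RESERVED_DIR + "/"):
                rejected.append(name)
    return rejected


def is_installable(tar_bytes, require_dot_slash=True):
    """True when no member is rejected under the chosen policy."""
    return not rejected_members(tar_bytes, require_dot_slash)


# Constructed sample archives (not from any real package).
LEGIT_MEMBERS = ["./bin/", "./bin/app"]
CRAFTED_MEMBERS = LEGIT_MEMBERS + ["./.click/example", ".click", ".click/example"]

if __name__ == "__main__":
    crafted = build_data_tar(CRAFTED_MEMBERS)
    print("prefix-only filter rejects:", rejected_members(crafted, require_dot_slash=False))
    print("hardened filter rejects:   ", rejected_members(crafted, require_dot_slash=True))
```

Run stand-alone, the first line shows only './.click/example' being caught while '.click' and '.click/example' slip through; the second shows all three refused once the "./" prefix is mandatory. The point of the fix is that the reserved-directory comparison is only sound when every name is guaranteed to be in the same canonical spelling.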
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package click - 0.4.21.1ubuntu0.2

---------------
click (0.4.21.1ubuntu0.2) trusty-security; urgency=medium

  * SECURITY UPDATE: fix privilege escalation via crafted data.tar.gz that
    can be used to install alternate security policy than what is defined
    - click/install.py: Forbid installing packages with data tarball members
      whose names do not start with "./". Based on patch from Colin Watson.
    - CVE-2015-XXXX
    - LP: #1506467

 -- Jamie Strandboge <email address hidden> Thu, 15 Oct 2015 10:05:35 -0500

Changed in click (Ubuntu Trusty):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package click - 0.4.38.5ubuntu0.2

---------------
click (0.4.38.5ubuntu0.2) vivid-security; urgency=medium

  * SECURITY UPDATE: fix privilege escalation via crafted data.tar.gz that
    can be used to install alternate security policy than what is defined
    - click/install.py: Forbid installing packages with data tarball members
      whose names do not start with "./". Patch thanks to Colin Watson.
    - CVE-2015-XXXX
    - LP: #1506467

 -- Jamie Strandboge <email address hidden> Thu, 15 Oct 2015 10:00:20 -0500

Changed in click (Ubuntu Vivid):
status: Fix Committed → Fix Released
Changed in canonical-devices-system-image:
status: In Progress → Fix Committed
Changed in canonical-devices-system-image:
status: Fix Committed → Fix Released
Steve Beattie (sbeattie) wrote :

This was assigned CVE-2015-8768, see http://www.openwall.com/lists/oss-security/2016/01/12/8
