click install does not ignore shipped files without leading './'
Bug #1506467 reported by Jamie Strandboge
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Canonical System Image | Fix Released | Critical | Unassigned | |
| click (Ubuntu) | Fix Released | Critical | Colin Watson | |
| Trusty | Fix Released | Critical | Jamie Strandboge | |
| Vivid | Fix Released | Critical | Jamie Strandboge | |
| Wily | Fix Released | Critical | Colin Watson | |
Bug Description
The click install process does not filter out all illegitimate paths in a package's data.tar.gz. For example, an app can ship '.click' (with no leading './') in data.tar.gz, which interferes with package installs; './.click/' is correctly filtered.
Related branches
- lp:~cjwatson/click/audit-missing-dot-slash (Michael Vogt: Approve)
  Diff: 125 lines (+60/-1), 3 files modified: click/install.py (+10/-0), click/tests/test_install.py (+48/-1), debian/changelog (+2/-0)
Changed in click (Ubuntu):
- assignee: nobody → Colin Watson (cjwatson)
- importance: Undecided → Critical
- status: New → Triaged
- status: Triaged → In Progress
- summary: "click install does not ignore shipped files wihout './'" → "click install does not ignore shipped files without leading './'"
- information type: Private Security → Public Security

Changed in click (Ubuntu Trusty):
- status: New → In Progress

Changed in click (Ubuntu Vivid):
- status: New → In Progress

Changed in click (Ubuntu Trusty):
- importance: Undecided → Critical

Changed in click (Ubuntu Vivid):
- importance: Undecided → Critical

Changed in click (Ubuntu Trusty):
- assignee: nobody → Jamie Strandboge (jdstrand)

Changed in click (Ubuntu Vivid):
- assignee: nobody → Jamie Strandboge (jdstrand)

Changed in canonical-devices-system-image:
- importance: Undecided → Critical
- milestone: none → ww40-2015
- status: New → In Progress
- tags: added: hotfix

Changed in click (Ubuntu Wily):
- status: In Progress → Fix Committed

Changed in click (Ubuntu Vivid):
- status: In Progress → Fix Committed

Changed in click (Ubuntu Trusty):
- status: In Progress → Fix Committed

Changed in canonical-devices-system-image:
- status: In Progress → Fix Committed

Changed in canonical-devices-system-image:
- status: Fix Committed → Fix Released
This bug was fixed in the package click - 0.4.39.1+15.10.20150702-0ubuntu2

---------------
click (0.4.39.1+15.10.20150702-0ubuntu2) wily; urgency=medium

  * SECURITY UPDATE: fix privilege escalation via crafted data.tar.gz that
    can be used to install alternate security policy than what is defined
    - click/install.py: Forbid installing packages with data tarball members
      whose names do not start with "./". Patch thanks to Colin Watson.
    - CVE-2015-XXXX
    - LP: #1506467

 -- Jamie Strandboge <email address hidden> Thu, 15 Oct 2015 09:16:17 -0500
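As an added example (not click's own code), the audit the bug description and changelog call for, run over a constructed in-memory data.tar.gz: every member must be named relative to "./", so a member such as ".click/..." or "lib/..." is refused before anything is extracted. It goes slightly beyond the page's fix by also refusing members whose path contains a ".." component, and it accounts for Python's tarfile reading the root directory "./" back as ".".

```python
import io
import tarfile

# Constructed sample member names; not taken from any real package.
SAMPLE_MEMBERS = {
    "./": b"",                                   # root directory, as dpkg-deb writes it
    "./usr/bin/hello": b"#!/bin/sh\necho hi\n",  # legitimate, relative to './'
    ".click/info/hello.manifest": b"{}",         # no leading './': the case from the bug
    "lib/libfoo.so": b"",                        # no leading './'
    "./../escape": b"",                          # starts with './' but leaves the root
}


def build_tar(members):
    """Build a gzip-compressed tarball in memory from a name -> bytes mapping."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            if name.endswith("/"):
                info.type = tarfile.DIRTYPE
            else:
                info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def audit_data_tar(tar_bytes, strict=True):
    """Return the member names that must cause the install to be refused.

    Core rule (the fix in click/install.py): a member name must start with "./".
    Python's tarfile strips the trailing slash from directory names, so the
    root "./" is read back as "." and is accepted explicitly.
    strict=True adds a guard of my own: any ".." path component is refused too.
    """
    refused = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        for info in tar.getmembers():      # inspect headers only; never extract first
            name = info.name
            if name == ".":
                continue
            if not name.startswith("./"):
                refused.append(name)
            elif strict and ".." in name.split("/"):
                refused.append(name)
    return refused


if __name__ == "__main__":
    for bad in audit_data_tar(build_tar(SAMPLE_MEMBERS)):
        print("refusing install: member %r is not relative to ./" % bad)
```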