touch-packages team mailing list archive

Thread
Date

[Bug 1506467] Re: click install does not ignore shipped files without leading './'

To: touch-packages@xxxxxxxxxxxxxxxxxxx
From: Launchpad Bug Tracker <1506467@xxxxxxxxxxxxxxxxxx>
Date: Thu, 15 Oct 2015 19:28:49 -0000
Reply-to: Bug 1506467 <1506467@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

This bug was fixed in the package click - 0.4.38.5ubuntu0.2

---------------
click (0.4.38.5ubuntu0.2) vivid-security; urgency=medium

  * SECURITY UPDATE: fix privilege escalation via crafted data.tar.gz that
    can be used to install alternate security policy than what is defined
    - click/install.py: Forbid installing packages with data tarball members
      whose names do not start with "./". Patch thanks to Colin Watson.
    - CVE-2015-XXXX
    - LP: #1506467

 -- Jamie Strandboge <jamie@xxxxxxxxxx>  Thu, 15 Oct 2015 10:00:20 -0500

** Changed in: click (Ubuntu Vivid)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to click in Ubuntu.
https://bugs.launchpad.net/bugs/1506467

Title:
  click install does not ignore shipped files without leading './'

Status in Canonical System Image:
  In Progress
Status in click package in Ubuntu:
  Fix Released
Status in click source package in Trusty:
  Fix Released
Status in click source package in Vivid:
  Fix Released
Status in click source package in Wily:
  Fix Released

Bug description:
  The click install process does not filter out all illegitimate paths
  during the install process. For example, an app can ship '.click' in
  data.tar.gz which interferes with package installs. './.click/' is
  correctly filtered.

To manage notifications about this bug go to:
https://bugs.launchpad.net/canonical-devices-system-image/+bug/1506467/+subscriptions