touch-packages team mailing list archive

[Bug 1479001] Re: Older version of a user installed click is not updated by custom or base pre-installed clicks with a more recent version

This bug was fixed in the package click -
0.4.40+15.10.20151006-0ubuntu1.1

---------------
click (0.4.40+15.10.20151006-0ubuntu1.1) wily; urgency=medium

  * SECURITY UPDATE: fix privilege escalation via crafted data.tar.gz that
    can be used to install alternate security policy than what is defined
    - click/install.py: Forbid installing packages with data tarball members
      whose names do not start with "./". Patch thanks to Colin Watson.
    - CVE-2015-XXXX
    - LP: #1506467

 -- Jamie Strandboge <jamie@xxxxxxxxxx>  Thu, 15 Oct 2015 11:13:36 -0500

** Changed in: click (Ubuntu)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to click in Ubuntu.
https://bugs.launchpad.net/bugs/1479001

Title:
  Older version of a user installed click is not updated by custom or
  base pre-installed clicks with a more recent version

Status in Canonical System Image:
  Fix Released
Status in The Savilerow project:
  Fix Released
Status in click package in Ubuntu:
  Fix Released

Bug description:
  When click is asked to list the set of packages for a given user, it
  walks its way down the list of databases from top (default) to bottom
  (core). For each database, it checks registrations for that user,
  followed by registrations for @all. It takes the first registration
  for any given package name that it finds.

  This results both in the user's device using the older version of the
  software, and the use and reporting of extra storage for multiple
  copies of the click package.

  Uninstalling a package with multiple copies is also confusing for
  users as only the user copy is uninstalled and the click remains in
  the list of installed apps/scopes.

To manage notifications about this bug go to:
https://bugs.launchpad.net/canonical-devices-system-image/+bug/1479001/+subscriptions
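
The check named in the changelog entry above (reject data tarball members whose names do not start with "./"), as an added example: this is not click's own code, and the function names and sample archives are constructed for illustration. It goes one step beyond the changelog by also flagging ".." path components, and it assumes the root directory entry "." is acceptable.

```python
import io
import tarfile


def build_data_tar_gz(names):
    """Build an in-memory data.tar.gz from constructed member names."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name in names:
            info = tarfile.TarInfo(name=name)
            if name.endswith("/"):
                info.type = tarfile.DIRTYPE
                tar.addfile(info)
            else:
                payload = b"constructed sample\n"
                info.size = len(payload)
                tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def audit_data_tarball(tar_gz_bytes):
    """Return {member name: reason} for members that should block installation."""
    rejected = {}
    with tarfile.open(fileobj=io.BytesIO(tar_gz_bytes), mode="r:gz") as tar:
        for member in tar:
            name = member.name
            # tarfile strips the trailing slash from directories, so the
            # root entry "./" is read back as "."; accept it (assumption).
            if name == ".":
                continue
            if not name.startswith("./"):
                rejected[name] = 'name does not start with "./"'
            elif ".." in name.split("/"):
                # Extra check of this example, not in the changelog entry.
                rejected[name] = 'name contains a ".." component'
    return rejected


# Constructed sample archives (not taken from any real click package).
GOOD = build_data_tar_gz(["./", "./bin/", "./bin/app", "./manifest.json"])
BAD = build_data_tar_gz(["./bin/app", "loose/file.txt", "/abs/file", "./../up"])

if __name__ == "__main__":
    print(audit_data_tarball(GOOD))
    print(audit_data_tarball(BAD))
```

The audit only reads member headers and never extracts, so it can run before any file from the archive touches the filesystem.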