
touch-packages team mailing list archive

[Bug 1506467] Re: click install does not ignore shipped files without leading './'

 

This was assigned CVE-2015-8768, see
http://www.openwall.com/lists/oss-security/2016/01/12/8

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-8768

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to click in Ubuntu.
https://bugs.launchpad.net/bugs/1506467

Title:
  click install does not ignore shipped files without leading './'

Status in Canonical System Image:
  Fix Released
Status in click package in Ubuntu:
  Fix Released
Status in click source package in Trusty:
  Fix Released
Status in click source package in Vivid:
  Fix Released
Status in click source package in Wily:
  Fix Released

Bug description:
  The click install process does not filter out all illegitimate paths
  during the install process. For example, an app can ship '.click' in
  data.tar.gz which interferes with package installs. './.click/' is
  correctly filtered.

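The filtering gap the bug description reports, as an added example (not click's code and not part of the original notification): a filter that matches only the './'-prefixed spelling, next to one that canonicalises each member name before comparing. The function names and the in-memory archive are constructed for illustration, and the hardened check also covers other redundant spellings beyond the missing leading './'.

```python
import io
import posixpath
import tarfile

RESERVED = ".click"  # reserved directory name, taken from the bug description

def naive_is_reserved(name):
    # Behaviour the report describes: only the './'-prefixed spelling matches.
    return name == "./" + RESERVED or name.startswith("./" + RESERVED + "/")

def canonical(name):
    # Collapse './' and '//' segments so every spelling of a path compares equal.
    return posixpath.normpath("/" + name).lstrip("/")

def is_reserved(name):
    # Compare the first component of the canonical path, not the raw string.
    return canonical(name).split("/", 1)[0] == RESERVED

def build_sample_tar(names):
    # Constructed in-memory archive standing in for a package's data.tar.gz.
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name in names:
            payload = b"x"
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    buf.seek(0)
    return buf

def kept_members(archive, predicate):
    # Names that survive the filter, in archive order.
    with tarfile.open(fileobj=archive, mode="r:gz") as tar:
        return [m.name for m in tar if not predicate(m.name)]

# Constructed member names: the same reserved directory in several spellings,
# plus two legitimate paths (one merely sharing the '.click' prefix).
SAMPLE = ["./.click/info/a.manifest", ".click/info/b.manifest",
          "./bin/app", "././.click/c", ".clickable/readme"]

if __name__ == "__main__":
    print("naive   :", kept_members(build_sample_tar(SAMPLE), naive_is_reserved))
    print("hardened:", kept_members(build_sample_tar(SAMPLE), is_reserved))
```
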