click install does not ignore shipped files without leading './'
Bug #1506467 reported by
Jamie Strandboge
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Canonical System Image |
Fix Released
|
Critical
|
Unassigned | ||
| click (Ubuntu) |
Fix Released
|
Critical
|
Colin Watson | ||
| Trusty |
Fix Released
|
Critical
|
Jamie Strandboge | ||
| Vivid |
Fix Released
|
Critical
|
Jamie Strandboge | ||
| Wily |
Fix Released
|
Critical
|
Colin Watson | ||
Bug Description
The click install process does not filter out all illegitimate paths during the install process. For example, an app can ship '.click' in data.tar.gz which interferes with package installs. './.click/' is correctly filtered.
Related branches
lp:~cjwatson/click/audit-missing-dot-slash
- Michael Vogt: Approve
-
Diff: 125 lines (+60/-1)3 files modifiedclick/install.py (+10/-0)
click/tests/test_install.py (+48/-1)
debian/changelog (+2/-0)
CVE References
| Changed in click (Ubuntu): | |
| assignee: | nobody → Colin Watson (cjwatson) |
| importance: | Undecided → Critical |
| status: | New → Triaged |
| status: | Triaged → In Progress |
| summary: |
- click install does not ignore shipped files wihout './' + click install does not ignore shipped files without leading './' |
| information type: | Private Security → Public Security |
| Changed in click (Ubuntu Trusty): | |
| status: | New → In Progress |
| Changed in click (Ubuntu Vivid): | |
| status: | New → In Progress |
| Changed in click (Ubuntu Trusty): | |
| importance: | Undecided → Critical |
| Changed in click (Ubuntu Vivid): | |
| importance: | Undecided → Critical |
| Changed in click (Ubuntu Trusty): | |
| assignee: | nobody → Jamie Strandboge (jdstrand) |
| Changed in click (Ubuntu Vivid): | |
| assignee: | nobody → Jamie Strandboge (jdstrand) |
| Changed in canonical-devices-system-image: | |
| importance: | Undecided → Critical |
| milestone: | none → ww40-2015 |
| status: | New → In Progress |
| tags: | added: hotfix |
| Changed in click (Ubuntu Wily): | |
| status: | In Progress → Fix Committed |
| Changed in click (Ubuntu Vivid): | |
| status: | In Progress → Fix Committed |
| Changed in click (Ubuntu Trusty): | |
| status: | In Progress → Fix Committed |
Revision history for this message
| Launchpad Janitor (janitor) wrote | #1 |
| Changed in click (Ubuntu Wily): | |
| status: | Fix Committed → Fix Released |
Revision history for this message
| Launchpad Janitor (janitor) wrote | #2 |
| Changed in click (Ubuntu Trusty): | |
| status: | Fix Committed → Fix Released |
Revision history for this message
| Launchpad Janitor (janitor) wrote | #3 |
| Changed in click (Ubuntu Vivid): | |
| status: | Fix Committed → Fix Released |
| Changed in canonical-devices-system-image: | |
| status: | In Progress → Fix Committed |
| Changed in canonical-devices-system-image: | |
| status: | Fix Committed → Fix Released |
Revision history for this message
| Steve Beattie (sbeattie) wrote | #4 |
To post a comment you must log in.
This bug was fixed in the package click - 0.4.39.
---------------
click (0.4.39.
* SECURITY UPDATE: fix privilege escalation via crafted data.tar.gz that
can be used to install alternate security policy than what is defined
- click/install.py: Forbid installing packages with data tarball members
whose names do not start with "./". Patch thanks to Colin Watson.
- CVE-2015-XXXX
- LP: #1506467
-- Jamie Strandboge <email address hidden> Thu, 15 Oct 2015 09:16:17 -0500