CVE-2015-8768
Published: Feb 13, 2017
Modified: Aug 6, 2024
PUBLISHED
Description
click/install.py in click does not require files in package filesystem tarballs to start with ./ (dot slash), which allows remote attackers to install an alternate security policy and gain privileges via a crafted package, as demonstrated by the test.mmrow app for Ubuntu phone.
| Vendor | Product | Versions |
|---|---|---|
| n/a | n/a | affected n/a |
References
USN-2771-1 (vendor-advisory, x_refsource_UBUNTU)
96386 (vdb-entry, x_refsource_BID)
http://bazaar.launchpad.net/~click-hackers/click/devel/revision/587 (x_refsource_CONFIRM)
https://bugs.launchpad.net/ubuntu/+source/click/+bug/1506467 (x_refsource_CONFIRM)
[oss-security] 20160112 Re: CVE Request: click (mailing-list, x_refsource_MLIST)
https://plus.google.com/+SzymonWaliczek/posts/3jbG2uiAniF (x_refsource_MISC)