Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <5693E986.2010705@canonical.com>
Date: Mon, 11 Jan 2016 11:42:30 -0600
From: Jamie Strandboge <jamie@...onical.com>
To: oss-security@...ts.openwall.com
Cc: security <security@...ntu.com>
Subject: CVE Request: click


Hi MITRE, all,

A vulnerability was discovered in the click package system:
https://launchpad.net/bugs/1506467
http://www.ubuntu.com/usn/usn-2771-1/

It was fixed in 0.4.42 with:
https://code.launchpad.net/~cjwatson/click/audit-missing-dot-slash/+merge/274554

This is an input sanitization bug where click assumed leading paths were always
prefixed with './' which, for example, allows a crafted click to ship a '.click'
directory to manipulate the click install process.

Can we get a CVE for this?

Thanks!

-- 
Jamie Strandboge                 http://www.ubuntu.com/



Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.