Message-ID: <56950F8E.1020907@canonical.com>
Date: Tue, 12 Jan 2016 08:37:02 -0600
From: Jamie Strandboge <jamie@...onical.com>
To: cve-assign@...re.org
Cc: oss-security@...ts.openwall.com, security <security@...ntu.com>
Subject: Re: CVE Request: click


I forgot to CC cve-assign@...re.org on the initial request, so I'm bringing them
into the loop now.


On 01/11/2016 11:42 AM, Jamie Strandboge wrote:
> 
> Hi MITRE, all,
> 
> A vulnerability was discovered in the click package system:
> https://launchpad.net/bugs/1506467
> http://www.ubuntu.com/usn/usn-2771-1/
> 
> It was fixed in 0.4.42 with:
> https://code.launchpad.net/~cjwatson/click/audit-missing-dot-slash/+merge/274554
> 
> This is an input sanitization bug where click assumed leading paths were always
> prefixed with './' which, for example, allows a crafted click to ship a '.click'
> directory to manipulate the click install process.
> 
> Can we get a CVE for this?
> 
> Thanks!
> 


-- 
Jamie Strandboge                 http://www.ubuntu.com/
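The bug class described in the request, as an added illustration that is not click's own code: a package audit that only recognises the reserved top-level directory when the archive member name carries a './' prefix, beside a check that normalises the member name first. The member names, the function names and the reserved-directory set are constructed for this example.

```python
import posixpath

# Constructed sample of archive member names, in the shapes a package's data
# tarball might present them (not taken from a real click package).
SAMPLE_MEMBERS = [
    "./usr/bin/app",
    "./.click/info/app.manifest",  # reserved: the prefix-based check catches it
    ".click/info/app.manifest",    # reserved: no './' prefix, so it slips past
    "usr/../.click/x",             # reserved only after normalisation
    "../etc/passwd",               # escapes the install root
    "/etc/foo",                    # absolute path, also escapes the root
    "usr/lib/app.so",
]

# Top-level directory names the installer keeps for its own bookkeeping
# (hypothetical set; '.click' is the one named in the advisory).
RESERVED_TOP_DIRS = {".click"}


def audit_member_naive(name):
    """The flawed assumption: every member name starts with './'."""
    return not name.startswith("./.click")


def audit_member(name):
    """Normalise the member name, then judge it by its first path component."""
    norm = posixpath.normpath(name)
    if posixpath.isabs(norm) or norm == ".." or norm.startswith("../"):
        return False  # would land outside the package root
    if norm == ".":
        return True  # the root itself
    first = norm.split("/", 1)[0]
    return first not in RESERVED_TOP_DIRS


def audit(members, check=audit_member):
    """Return the member names the given check rejects."""
    return [m for m in members if not check(m)]


if __name__ == "__main__":
    print("prefix check rejects :", audit(SAMPLE_MEMBERS, audit_member_naive))
    print("normalised check     :", audit(SAMPLE_MEMBERS))
```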


