CVE-2015-8768
CRITICALclick - Unauthenticated Arbitrary File Write via Package Filesystem Tarball
Title source: llmDescription
click/install.py in click does not require files in package filesystem tarballs to start with ./ (dot slash), which allows remote attackers to install an alternate security policy and gain privileges via a crafted package, as demonstrated by the test.mmrow app for Ubuntu phone.
References (8)
Core 8
Core References
Third Party Advisory vendor-advisory
x_refsource_ubuntu
http://ubuntu.com/usn/usn-2771-1
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/96386
Various Sources x_refsource_confirm
http://bazaar.launchpad.net/~click-hackers/click/devel/revision/587
Issue Tracking, Patch, Third Party Advisory x_refsource_confirm
https://bugs.launchpad.net/ubuntu/+source/click/+bug/1506467
Various Sources x_refsource_confirm
https://insights.ubuntu.com/2015/10/15/update-on-ubuntu-phone-security-issue/
Issue Tracking, Patch, Third Party Advisory x_refsource_confirm
https://code.launchpad.net/~cjwatson/click/audit-missing-dot-slash/+merge/274554
Mailing List, Patch, Third Party Advisory mailing-list
x_refsource_mlist
http://www.openwall.com/lists/oss-security/2016/01/12/8
Various Sources x_refsource_misc
https://plus.google.com/+SzymonWaliczek/posts/3jbG2uiAniF
Scores
CVSS v3
9.8
EPSS
0.0275
EPSS Percentile
84.5%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-264
Status
published
Products (3)
canonical/ubuntu_linux
14.04
canonical/ubuntu_linux
15.04
click_project/click
Published
Feb 13, 2017
Tracked Since
Feb 18, 2026