This bug was fixed in the package click - 0.4.38.5ubuntu0.2
---------------
click (0.4.38.5ubuntu0.2) vivid-security; urgency=medium
* SECURITY UPDATE: fix privilege escalation via crafted data.tar.gz that
can be used to install alternate security policy than what is defined
- click/install.py: Forbid installing packages with data tarball members
whose names do not start with "./". Patch thanks to Colin Watson.
- CVE-2015-XXXX
- LP: #1506467
-- Jamie Strandboge <ja...@ubuntu.com> Thu, 15 Oct 2015 10:00:20 -0500
** Changed in: click (Ubuntu Vivid)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1506467
Title:
click install does not ignore shipped files without leading './'
To manage notifications about this bug go to:
https://bugs.launchpad.net/canonical-devices-system-image/+bug/1506467/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
