Date: Tue, 12 Jan 2016 11:57:30 -0500 (EST)
From: cve-assign@...re.org
To: jamie@...onical.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com, security@...ntu.com
Subject: Re: CVE Request: click

> https://launchpad.net/bugs/1506467
> http://www.ubuntu.com/usn/usn-2771-1/
> https://code.launchpad.net/~cjwatson/click/audit-missing-dot-slash/+merge/274554
> 
> assumed leading paths were always
> prefixed with './' which, for example, allows a crafted click to ship a '.click'
> directory to manipulate the click install process.
 
>> if data_name != "." and not data_name.startswith("./"):
>>     raise ClickInstallerAuditError

Use CVE-2015-8768.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
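
The quoted check in context, as an added example that is not part of the original message and is not click's own code: it audits the member names of an in-memory tar archive with and without the './' prefix requirement. The member lists are constructed, and `build_tar`, `is_reserved`, `audit_assuming_prefix`, `audit_requiring_prefix` and `rejected` are hypothetical names; only the prefix test and the exception name come from the quoted lines.

```python
import io
import tarfile

class ClickInstallerAuditError(Exception):
    """Stand-in for the exception named in the quoted check."""

# Constructed member lists: one fully './'-prefixed, one with an unprefixed '.click' path.
WELL_FORMED = [".", "./bin/app", "./app.desktop"]
UNPREFIXED = [".", "./bin/app", ".click/info/sample.manifest"]

def build_tar(names):
    """Return the bytes of a tar archive holding empty members with these names."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            info = tarfile.TarInfo(name)
            if name == ".":
                info.type = tarfile.DIRTYPE
            tar.addfile(info)
    return buf.getvalue()

def is_reserved(name):
    """Reserved-directory test written on the assumption that names start with './'."""
    return name == "./.click" or name.startswith("./.click/")

def audit_assuming_prefix(names):
    """Hypothetical lenient audit: never checks that the './' prefix is present,
    so an unprefixed '.click/...' member does not match the reserved test."""
    for name in names:
        if is_reserved(name):
            raise ClickInstallerAuditError(name)

def audit_requiring_prefix(names):
    """Same audit with the quoted check applied first to every member name."""
    for name in names:
        if name != "." and not name.startswith("./"):
            raise ClickInstallerAuditError(name)
        if is_reserved(name):
            raise ClickInstallerAuditError(name)

def rejected(audit, tar_bytes):
    """Run an audit over the archive's member names; True if it raised."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        names = tar.getnames()
    try:
        audit(names)
    except ClickInstallerAuditError:
        return True
    return False
```
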