Date: Mon, 11 Jan 2016 11:42:30 -0600 From: Jamie Strandboge <jamie@...onical.com> To: oss-security@...ts.openwall.com Cc: security <security@...ntu.com> Subject: CVE Request: click Hi MITRE, all, A vulnerability was discovered in the click package system: https://launchpad.net/bugs/1506467 http://www.ubuntu.com/usn/usn-2771-1/ It was fixed in 0.4.42 with: https://code.launchpad.net/~cjwatson/click/audit-missing-dot-slash/+merge/274554 This is an input sanitization bug where click assumed leading paths were always prefixed with './' which, for example, allows a crafted click to ship a '.click' directory to manipulate the click install process. Can we get a CVE for this? Thanks! -- Jamie Strandboge http://www.ubuntu.com/ Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.