Date: Tue, 12 Jan 2016 08:37:02 -0600 From: Jamie Strandboge <jamie@...onical.com> To: cve-assign@...re.org Cc: oss-security@...ts.openwall.com, security <security@...ntu.com> Subject: Re: CVE Request: click I forgot to CC cve-assign@...re.org on the initial request so bringing them in the loop now. On 01/11/2016 11:42 AM, Jamie Strandboge wrote: > > Hi MITRE, all, > > A vulnerability was discovered in the click package system: > https://launchpad.net/bugs/1506467 > http://www.ubuntu.com/usn/usn-2771-1/ > > It was fixed in 0.4.42 with: > https://code.launchpad.net/~cjwatson/click/audit-missing-dot-slash/+merge/274554 > > This is an input sanitization bug where click assumed leading paths were always > prefixed with './' which, for example, allows a crafted click to ship a '.click' > directory to manipulate the click install process. > > Can we get a CVE for this? > > Thanks! > -- Jamie Strandboge http://www.ubuntu.com/ Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.