CVE-2015-8768

Publication date 13 February 2017

Last updated 25 August 2025

Ubuntu priority

Critical

Why this priority?

Cvss 3 Severity Score

9.8 · Critical

Score breakdown

Description

click/install.py in click does not require files in package filesystem tarballs to start with ./ (dot slash), which allows remote attackers to install an alternate security policy and gain privileges via a crafted package, as demonstrated by the test.mmrow app for Ubuntu phone.

Read the notes from the security team

Status

Package Ubuntu Release Status
click 15.04 vivid
Fixed 0.4.38.5ubuntu0.2
14.04 LTS trusty
Fixed 0.4.21.1ubuntu0.2
12.04 LTS precise Not in release

Notes

jdstrand

app can ship a crafted .click directory that can be used to trick click into installing unintended security policy snappy not affected per me and mvo patch from cjwatson, but not committed to bzr yet updates also needed for vivid stable-phone-overlay and wily stable-phone-overlay.

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package Patch details
click

Severity score breakdown

CVSS version: CVSS v3.0

Base score 9.8 · Critical

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

Related Ubuntu Security Notices (USN)

Other references

Access our resources on patching vulnerabilities