click/install.py in click does not require files in package filesystem tarballs to start with ./ (dot slash), which allows remote attackers to install an alternate security policy and gain privileges via a crafted package, as demonstrated by the test.mmrow app for Ubuntu phone.
Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control.
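The kind of audit the missing-dot-slash fix adds, written here as an added defensive example rather than click's own code: every member of the package filesystem tarball must be stored with a `./` prefix and must stay under the install root once normalised. The exact policy and the use of Python's `tarfile` module are assumptions for illustration.

```python
import io
import posixpath
import tarfile


def member_name_ok(name: str) -> bool:
    """Accept only './'-prefixed member names that stay inside the install root.

    Assumed policy (not click's own code): a name without the './' prefix,
    an absolute name, or one that climbs out via '..' is rejected.
    """
    if not name.startswith("./"):
        return False
    norm = posixpath.normpath(name)
    if norm.startswith("/") or norm == ".." or norm.startswith("../"):
        return False
    return True


def audit_tarball(data: bytes) -> list:
    """Return the names of all members in an in-memory tarball that fail the check."""
    bad = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for member in tf.getmembers():
            # tarfile strips the trailing slash from directory entries, so the
            # root directory './' reads back as '.'; that entry is acceptable.
            if member.isdir() and member.name == ".":
                continue
            if not member_name_ok(member.name):
                bad.append(member.name)
    return bad


def build_tarball(names) -> bytes:
    """Constructed test data: a tarball whose member names are stored verbatim."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in names:
            payload = b"x"
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_tarball(["./usr/share/app/data", "usr/share/app/policy",
                            "/etc/passwd", "./../escape"])
    print(audit_tarball(sample))
```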
Link | Tags |
---|---|
http://ubuntu.com/usn/usn-2771-1 | third party advisory, vendor advisory |
http://www.securityfocus.com/bid/96386 | vdb entry, third party advisory |
http://bazaar.launchpad.net/~click-hackers/click/devel/revision/587 | |
https://bugs.launchpad.net/ubuntu/+source/click/+bug/1506467 | issue tracking, third party advisory, patch |
https://insights.ubuntu.com/2015/10/15/update-on-ubuntu-phone-security-issue/ | |
https://code.launchpad.net/~cjwatson/click/audit-missing-dot-slash/+merge/274554 | issue tracking, third party advisory, patch |
http://www.openwall.com/lists/oss-security/2016/01/12/8 | mailing list, third party advisory, patch |
https://plus.google.com/+SzymonWaliczek/posts/3jbG2uiAniF | |