CVE-2015-8768

Name: CVE-2015-8768
Creator: NVD / NIST
Published: 2017-02-13T18:59:00.267+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

UnknownEPSS 2.75%

Last modified Jun 17, 2026

CVE-2015-8768 is a vulnerability of currently unknown severity. click/install.py in click does not require files in package filesystem tarballs to start with ./ (dot slash), which allows remote attackers to install an alternate security policy and gain privileges via a crafted package, as demonstrated by the test.mmrow app for Ubuntu phone.. EPSS estimates a 2.75% chance of exploitation in the next 30 days.

Description

click/install.py in click does not require files in package filesystem tarballs to start with ./ (dot slash), which allows remote attackers to install an alternate security policy and gain privileges via a crafted package, as demonstrated by the test.mmrow app for Ubuntu phone.

Metrics

EPSS Probability

2.75%

84.3th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-264

Affected Software

Vendor	Product	Versions
Click Project	Click	All versions
Canonical	Ubuntu Linux	14.04
Canonical	Ubuntu Linux	15.04

References

http://bazaar.launchpad.net/~click-hackers/click/devel/revision/587
http://ubuntu.com/usn/usn-2771-1Third Party Advisory
http://www.openwall.com/lists/oss-security/2016/01/12/8Mailing List, Patch, Third Party Advisory
http://www.securityfocus.com/bid/96386Third Party Advisory, VDB Entry
https://bugs.launchpad.net/ubuntu/+source/click/+bug/1506467Issue Tracking, Patch, Third Party Advisory
https://code.launchpad.net/~cjwatson/click/audit-missing-dot-slash/+merge/274554Issue Tracking, Patch, Third Party Advisory
https://insights.ubuntu.com/2015/10/15/update-on-ubuntu-phone-security-issue/
https://plus.google.com/+SzymonWaliczek/posts/3jbG2uiAniF
http://bazaar.launchpad.net/~click-hackers/click/devel/revision/587
http://ubuntu.com/usn/usn-2771-1Third Party Advisory
http://www.openwall.com/lists/oss-security/2016/01/12/8Mailing List, Patch, Third Party Advisory
http://www.securityfocus.com/bid/96386Third Party Advisory, VDB Entry
https://bugs.launchpad.net/ubuntu/+source/click/+bug/1506467Issue Tracking, Patch, Third Party Advisory
https://code.launchpad.net/~cjwatson/click/audit-missing-dot-slash/+merge/274554Issue Tracking, Patch, Third Party Advisory
https://insights.ubuntu.com/2015/10/15/update-on-ubuntu-phone-security-issue/
https://plus.google.com/+SzymonWaliczek/posts/3jbG2uiAniF

Timeline

Published: Feb 13, 2017
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2015-8768?

How severe is CVE-2015-8768?

Severity scoring for CVE-2015-8768 is pending analysis. The EPSS model estimates a 2.75% probability of exploitation in the next 30 days.

How do I fix CVE-2015-8768?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2015-8768?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST