PatchSiren cyber security CVE debrief
CVE-2015-8768 Canonical CVE debrief
CVE-2015-8768 is a critical package-installation validation flaw in click/install.py. By accepting filesystem tarball entries that do not start with './', the installer could be tricked into processing crafted package contents that install an alternate security policy and elevate privileges. NVD lists click_project:click and Ubuntu 14.04/15.04 as vulnerable, and the issue is tied to Ubuntu phone security advisories and patch tracking in the supplied references.
- Vendor: Canonical
- Product: CVE-2015-8768
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-02-13
- Original CVE updated: 2026-05-13
- Advisory published: 2017-02-13
- Advisory updated: 2026-05-13
Who should care
Administrators and maintainers who install or distribute click packages, especially on Ubuntu phone / Ubuntu Touch deployments and any legacy Ubuntu environments listed by NVD. Security teams responsible for package ingestion, mobile device management, or downstream packaging of click should treat this as high priority.
Technical summary
The vulnerable code path in click/install.py did not enforce that files inside package filesystem tarballs begin with './'. That path-validation gap weakened the expected packaging layout checks and allowed a crafted click package to carry content that could install an alternate security policy and gain privileges. The NVD record maps the issue to the click project and affected Ubuntu releases, while the linked bug, merge request, and advisory references document the remediation trail.
Defensive priority
Critical. Prioritize immediate review and patching anywhere click packages are accepted or installed from untrusted or external sources.
Recommended defensive actions
- Check whether click is installed or used to process packages in your environment.
- Apply the vendor or downstream fix referenced by Ubuntu USN 2771-1 or the related click revision if you maintain affected packages.
- Restrict installation of click packages to trusted, validated sources until the fix is confirmed.
- Review Ubuntu phone / Ubuntu 14.04 / Ubuntu 15.04 deployments and plan remediation or retirement for unsupported systems.
- Verify that downstream tooling continues to enforce the required './' prefix rule for filesystem tarball entries.
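As an added example (not code from this advisory or from the click project), the entry check that the last action above asks downstream tooling to keep, written in Python and run over a tarball constructed in memory: every member name must start with './' and must still resolve inside the package root once normalised. It goes a little beyond the page's './' rule by also rejecting '..' escapes and symlink/hardlink targets that leave the root; the function names and sample entries are constructed for this illustration.

```python
import io
import posixpath
import tarfile
from typing import List, Optional, Tuple


def member_violation(member: tarfile.TarInfo) -> Optional[str]:
    """Return why this entry is unacceptable for a click filesystem tarball, or None."""
    name = member.name
    if not name.startswith("./"):  # the check the vulnerable install.py lacked
        return "does not start with './'"
    norm = posixpath.normpath(name)  # collapses './', '//' and 'x/..' segments
    if norm == ".." or norm.startswith("../"):
        return "escapes the package root via '..'"
    if member.issym() or member.islnk():
        # A link target resolves relative to the entry's own directory; an
        # absolute or escaping target would point the installer outside the root.
        target = member.linkname
        resolved = posixpath.normpath(posixpath.join(posixpath.dirname(name), target))
        if target.startswith("/") or resolved == ".." or resolved.startswith("../"):
            return f"link target {target!r} leaves the package root"
    return None


def check_filesystem_tarball(data: bytes) -> List[Tuple[str, str]]:
    """Scan an in-memory tarball; return (member name, reason) for each bad entry."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        findings = [(m.name, member_violation(m)) for m in tar.getmembers()]
    return [(name, reason) for name, reason in findings if reason is not None]


def build_sample_tarball() -> bytes:
    """Constructed sample: two well-formed entries followed by malformed ones."""
    entries = [
        ("./usr/bin/app", tarfile.REGTYPE, ""),
        ("./usr/share/doc", tarfile.DIRTYPE, ""),
        ("usr/lib/libx.so", tarfile.REGTYPE, ""),       # missing './' prefix
        ("../etc/policy", tarfile.REGTYPE, ""),         # plain traversal
        ("/etc/passwd", tarfile.REGTYPE, ""),           # absolute path
        ("./usr/../../etc/evil", tarfile.REGTYPE, ""),  # prefixed, but escapes
        ("./usr/lib/link", tarfile.SYMTYPE, "/etc/shadow"),
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, kind, target in entries:
            info = tarfile.TarInfo(name)
            info.type, info.linkname = kind, target
            tar.addfile(info)
    return buf.getvalue()
```

Running `check_filesystem_tarball(build_sample_tarball())` reports the five malformed entries and passes the two well-formed ones.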
Evidence notes
The official NVD record identifies the vulnerable component, severity, CVSS vector, and affected CPEs. The supplied references include the Launchpad bug and merge request for the fix, an oss-security patch discussion, and the Ubuntu security notice that points to remediation. The disclosure timeline in the corpus also shows an Ubuntu phone security update in 2015-10, well before the CVE record publication date.
Official resources
- CVE-2015-8768 CVE record (CVE.org)
- CVE-2015-8768 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference
  - Mitigation or vendor reference: Third Party Advisory
  - Mitigation or vendor reference: Mailing List, Patch, Third Party Advisory
  - Mitigation or vendor reference: Third Party Advisory, VDB Entry
  - Mitigation or vendor reference: Issue Tracking, Patch, Third Party Advisory
  - Mitigation or vendor reference: Issue Tracking, Patch, Third Party Advisory
- Source reference
CVE record published 2017-02-13. The supplied references show earlier public remediation activity in 2015-10 and 2016-01, so the CVE publication date should not be treated as the original issue date. NVD shows the record was modified on 202