Package: shutter
Version: 0.85.1-2
Severity: grave
Tags: security upstream patch
Justification: user security hole
Forwarded: https://bugs.launchpad.net/shutter/+bug/1495163
Using the "Show in folder" menu option while viewing a file with a
specially-crafted path allows for arbitrary code execution with the permissions
of the user running Shutter.
STEPS TO REPRODUCE:
1. Put an image in a folder called "$(xeyes)"
2. Open the image in Shutter
3. Right-click the image and click "Show in Folder"
The `xeyes` program (if installed on your system) should start.
Lines 54-65 of share/shutter/resources/modules/Shutter/App/HelperFunctions.pm:
sub xdg_open {
my ( $self, $dialog, $link, $user_data ) = @_;
system("xdg-open $link");
return TRUE;
}
Because `system` is used, the string is scanned for shell
metacharacters[1], and if found the string is executed using a shell.
[1]: http://perldoc.perl.org/functions/system.html
# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: lfara...@debian.org-20150913015632-omhhhksdbz1j2jno
# target_branch: bzr+ssh://bazaar.launchpad.net/+branch/shutter/
# testament_sha1: 657f895d801b5ee567032599e2f961f4537a25db
# timestamp: 2015-09-13 01:59:36 +0000
# base_revision_id: mario.kem...@googlemail.com-20141223230202-\
# b58zlfo5qb5e2cxt
#
# Begin patch
=== modified file 'share/shutter/resources/modules/Shutter/App/HelperFunctions.pm'
--- share/shutter/resources/modules/Shutter/App/HelperFunctions.pm 2013-08-25 18:40:51 +0000
+++ share/shutter/resources/modules/Shutter/App/HelperFunctions.pm 2015-09-13 01:56:32 +0000
@@ -53,7 +53,8 @@
sub xdg_open {
my ( $self, $dialog, $link, $user_data ) = @_;
- system("xdg-open $link");
+ @args = ("xdg-open", "$link");
+ system(@args);
if($?){
my $response = $self->{_dialogs}->dlg_error_message(
sprintf( $self->{_d}->get("Error while executing %s."), "'xdg-open'"),
# Begin bundle
IyBCYXphYXIgcmV2aXNpb24gYnVuZGxlIHY0CiMKQlpoOTFBWSZTWZZuoZoAAW9fgAAwVGf//1tE
AwC///9wUAN1zXYu9esG49hKKaaU/Qyp+inpPSPSNGnk0htRkGTQBkiZNTyNDERMIAaDTQ0GgBJI
CIyamntFNpANAAAA0BtSmCk8psmU9NGo0Mag0BoB6g0Ekk0hPUzRtU09PVPaQ1DT1MmQNDQBBblC
nItOGKCVEFKr4EB+TV5NqXlTTXPaxEQcN441NfLGUe1jMvoUPf93Zo8lTOpwrtjxqi6rujPaNUTV
CagXS99rU4yR4fKPswKdWLkQ5VnuJbY6NKVyUAsM7nT6pQRQzXzlE23uIdEQUEMMZJKbdB5pRKIy
WL1scnBLBNC4at+6OQjGy1T/mLa0YWkVTkCusoYWDle1hRXrGz2YOUzUVdaddmut7OCLS7MSRXeg
caOMglpIqkaoqSvYLzbAsT+V20WStwoXb7rBRTYj4ycKqQLBHRkHWCVzJ0ibdSjXciltChrcqiQF
YgsAZ7MNOYQGgVgpP8OwBDLnM61xWspggxkwGN1KjeLWHDOYBhoHuD7V0EzQRjE9+BzPN6pDFd4W
5mbO1dxUQMJZ1WQhVIGoXzjJtObPAzQaMYhdAk5NBoj5hObdpkZjteVvW9dHtjvycid4PkVRV2w+
2SStovOFXNFQht4TkHBfKUS0mWA3bXY7THAPIN9FWaZKdBn2cr0qUcSkLlR3l5pvSyxEs7LxNIXS
mvErI+rurPau4IOalJSpU81T54yIjOIoquDxU/BXqXpxb5/M6chvLB2a+xbMBmGrnRJp51kfOGzQ
ia23MH3Yy0rg15C2iZbPmQ5RKSoIhYUn8mUK8M6GYsayXUYgwJ0sqga7syWoa3c+w4lJ9679VCcY
iAGhmyI1BsB5lIhh41Vi0gp8qriUeKTQ3/yaeBAIqYzlwY6+Mel9IVBzLrDP5vovFKZXClW3DgEQ
kKjWFoUBM4OT1vC4uG0Ru71+XFsMip2uGNAODnDSsTsxOKTPeYAnGezwmNc05BJ4k2DYocSE5hjD
UtjJyTOMs0Ur+cMwmmFgFHLIK5cDrA4UrVR6tdSSvozJ5EYME6tTuwnxJy71DECoNbwLYORVloIE
0ojtLgetx9uCjjOYYObUq9UOcX9cZNobWDtirXS1ZsJhU0+MrslK3DBAEEBWNjaOeMS1wDwGIbJa
ma5f3PtQMadvqUGhLdV0lL1WmatWtdlWxD5LyMmc/xdyRThQkJZuoZo=
