Package: shutter
Version: 0.85.1-2
Severity: grave
Tags: security upstream patch
Justification: user security hole
Forwarded: https://bugs.launchpad.net/shutter/+bug/1495163
Using the "Show in folder" menu option while viewing a file with a specially-crafted path allows for arbitrary code execution with the permissions of the user running Shutter.

STEPS TO REPRODUCE:

1. Put an image in a folder called "$(xeyes)"
2. Open the image in Shutter
3. Right-click the image and click "Show in Folder"

The `xeyes` program (if installed on your system) should start.

Lines 54-65 of share/shutter/resources/modules/Shutter/App/HelperFunctions.pm:

    sub xdg_open {
        my ( $self, $dialog, $link, $user_data ) = @_;

        system("xdg-open $link");

        return TRUE;
    }

Because `system` is used, the string is scanned for shell metacharacters[1], and if found the string is executed using a shell.

[1]: http://perldoc.perl.org/functions/system.html
# Bazaar merge directive format 2 (Bazaar 0.90) # revision_id: lfara...@debian.org-20150913015632-omhhhksdbz1j2jno # target_branch: bzr+ssh://bazaar.launchpad.net/+branch/shutter/ # testament_sha1: 657f895d801b5ee567032599e2f961f4537a25db # timestamp: 2015-09-13 01:59:36 +0000 # base_revision_id: mario.kem...@googlemail.com-20141223230202-\ # b58zlfo5qb5e2cxt # # Begin patch === modified file 'share/shutter/resources/modules/Shutter/App/HelperFunctions.pm' --- share/shutter/resources/modules/Shutter/App/HelperFunctions.pm 2013-08-25 18:40:51 +0000 +++ share/shutter/resources/modules/Shutter/App/HelperFunctions.pm 2015-09-13 01:56:32 +0000 
@@ -53,7 +53,8 @@ sub xdg_open { my ( $self, $dialog, $link, $user_data ) = @_; - system("xdg-open $link"); + @args = ("xdg-open", "$link"); + system(@args); if($?){ my $response = $self->{_dialogs}->dlg_error_message( sprintf( $self->{_d}->get("Error while executing %s."), "'xdg-open'"), # Begin bundle IyBCYXphYXIgcmV2aXNpb24gYnVuZGxlIHY0CiMKQlpoOTFBWSZTWZZuoZoAAW9fgAAwVGf//1tE AwC///9wUAN1zXYu9esG49hKKaaU/Qyp+inpPSPSNGnk0htRkGTQBkiZNTyNDERMIAaDTQ0GgBJI CIyamntFNpANAAAA0BtSmCk8psmU9NGo0Mag0BoB6g0Ekk0hPUzRtU09PVPaQ1DT1MmQNDQBBblC nItOGKCVEFKr4EB+TV5NqXlTTXPaxEQcN441NfLGUe1jMvoUPf93Zo8lTOpwrtjxqi6rujPaNUTV CagXS99rU4yR4fKPswKdWLkQ5VnuJbY6NKVyUAsM7nT6pQRQzXzlE23uIdEQUEMMZJKbdB5pRKIy WL1scnBLBNC4at+6OQjGy1T/mLa0YWkVTkCusoYWDle1hRXrGz2YOUzUVdaddmut7OCLS7MSRXeg caOMglpIqkaoqSvYLzbAsT+V20WStwoXb7rBRTYj4ycKqQLBHRkHWCVzJ0ibdSjXciltChrcqiQF YgsAZ7MNOYQGgVgpP8OwBDLnM61xWspggxkwGN1KjeLWHDOYBhoHuD7V0EzQRjE9+BzPN6pDFd4W 5mbO1dxUQMJZ1WQhVIGoXzjJtObPAzQaMYhdAk5NBoj5hObdpkZjteVvW9dHtjvycid4PkVRV2w+ 2SStovOFXNFQht4TkHBfKUS0mWA3bXY7THAPIN9FWaZKdBn2cr0qUcSkLlR3l5pvSyxEs7LxNIXS mvErI+rurPau4IOalJSpU81T54yIjOIoquDxU/BXqXpxb5/M6chvLB2a+xbMBmGrnRJp51kfOGzQ ia23MH3Yy0rg15C2iZbPmQ5RKSoIhYUn8mUK8M6GYsayXUYgwJ0sqga7syWoa3c+w4lJ9679VCcY iAGhmyI1BsB5lIhh41Vi0gp8qriUeKTQ3/yaeBAIqYzlwY6+Mel9IVBzLrDP5vovFKZXClW3DgEQ kKjWFoUBM4OT1vC4uG0Ru71+XFsMip2uGNAODnDSsTsxOKTPeYAnGezwmNc05BJ4k2DYocSE5hjD UtjJyTOMs0Ur+cMwmmFgFHLIK5cDrA4UrVR6tdSSvozJ5EYME6tTuwnxJy71DECoNbwLYORVloIE 0ojtLgetx9uCjjOYYObUq9UOcX9cZNobWDtirXS1ZsJhU0+MrslK3DBAEEBWNjaOeMS1wDwGIbJa ma5f3PtQMadvqUGhLdV0lL1WmatWtdlWxD5LyMmc/xdyRThQkJZuoZo=
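Review bot: `@args` in the `+ @args = ("xdg-open", "$link");` line is never declared, so it is a package global and the file would fail to compile under `use strict`; write `my @args = ("xdg-open", $link);` (the quotes around `$link` are redundant, since it is already a string). The fix itself is correct only because the list handed to `system` has more than one element, which is what makes Perl call execvp() directly instead of `/bin/sh -c`; a single-element list would still be scanned for metacharacters, so the two-element form is worth a comment, or simply `system("xdg-open", $link);` on one line. The existing `if($?)` check after the hunk still works unchanged with the list form.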
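The following is an added, stand-alone Perl script (not Shutter's code and not part of the report or the patch) that shows the difference the patch relies on: `system STRING` hands a line containing metacharacters to the shell, while `system LIST` with two or more elements calls the program directly. It reproduces the "$(xeyes)" directory trick from the steps above, but with `touch CANARY_SHELL_RAN` in place of `xeyes` and `true` standing in for `xdg-open`, so nothing is opened and the only side effect is a file inside a temporary directory; the paths and file names are constructed for the demonstration.

```perl
#!/usr/bin/perl
# Added example: string-form system() versus list-form system().
# Self-contained; "true" stands in for xdg-open and a canary file stands in for xeyes.
use strict;
use warnings;
use Cwd qw(getcwd);
use File::Spec;
use File::Temp qw(tempdir);

# Before the fix: a single string. Because $link contains shell metacharacters,
# Perl runs `/bin/sh -c "true $link"`, so whatever is inside $(...) executes.
sub xdg_open_unsafe {
    my ($opener, $link) = @_;
    system("$opener $link");
    return $? == 0;
}

# After the fix: a list with two elements. Perl calls execvp() directly; $link
# reaches the program as one argv element and no shell ever parses it.
sub xdg_open_safe {
    my ($opener, $link) = @_;
    my @args = ($opener, $link);    # declared with `my`, which the patch omits
    system(@args);
    return $? == 0;
}

# Build the crafted path from the reproduction steps, substituting a file touch
# for xeyes so the side effect is something we can test for.
my $orig_cwd = getcwd();
my $work     = tempdir(CLEANUP => 1);
chdir $work or die "chdir $work: $!";

my $canary   = 'CANARY_SHELL_RAN';
my $evil_dir = "\$(touch $canary)";    # literal directory name: $(touch CANARY_SHELL_RAN)
mkdir $evil_dir or die "mkdir $evil_dir: $!";
my $link = File::Spec->catfile($evil_dir, 'screenshot.png');
open my $fh, '>', $link or die "create $link: $!";
close $fh;

# String form: the shell performs the command substitution, creating the canary.
xdg_open_unsafe('true', $link);
print "string form: ", (-e $canary ? "shell ran the embedded command\n"
                                  : "no shell ran (unexpected)\n");
unlink $canary;

# List form: the path is passed literally, so the canary never appears.
xdg_open_safe('true', $link);
print "list form:   ", (-e $canary ? "shell ran the embedded command (unexpected)\n"
                                  : "argument passed literally, nothing executed\n");

chdir $orig_cwd or die "chdir $orig_cwd: $!";    # leave the temp dir so CLEANUP can remove it
```

Two caveats a reviewer would want on record: the list form only removes the shell from the picture, so if the program being launched parses its own options, a path that begins with `-` is a separate matter that needs handling on its own; and the protection depends on the list having at least two elements, since Perl treats a one-element list like a string and scans it for metacharacters.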