Bug#882197: stretch-pu: package variety/0.6.3-5+deb9u1

Sun, 19 Nov 2017 21:24:56 -0800 

Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu

Dear Release Team,

I've prepared an update for Variety to fix some shell injection bugs caused by
crafted filenames. These fixes are backported from the 0.6.6 release which is
currently in unstable.

The debdiff is attached, and the full changelog is below:

variety (0.6.3-5+deb9u1) stretch; urgency=medium

  * Backport various security fixes from Variety 0.6.6:
    - Fix shell injection on deleting files to trash, from upstream commit
https://github.com/varietywalls/variety/commit/475a5e076b9c8c7c83176214f84455dc78834723
    - Fix shell injection in filter and clock with specially crafted
      filenames; upstream commit
https://github.com/varietywalls/variety/commit/65722237baa996b0ef2389cea693bfeeba62b224
    - Harden ImageMagick calls against potential shell injection:
https://github.com/varietywalls/variety/commit/a7c134ecd494bb878c73df9f65cb838dbb57413a

Best,
James

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500,
'testing'), (450, 'unstable'), (101, 'experimental'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.13.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_CA.utf8, LC_CTYPE=en_CA.utf8 (charmap=UTF-8),
LANGUAGE=en_CA.utf8 (charmap=UTF-8)

diff -Nru variety-0.6.3/debian/changelog variety-0.6.3/debian/changelog
--- variety-0.6.3/debian/changelog      2017-05-06 16:43:32.000000000 -0700
+++ variety-0.6.3/debian/changelog      2017-11-14 12:42:11.000000000 -0800
@@ -1,3 +1,16 @@
+variety (0.6.3-5+deb9u1) stretch; urgency=medium
+
+  * Backport various security fixes from Variety 0.6.6:
+    - Fix shell injection on deleting files to trash, from upstream commit
+      
https://github.com/varietywalls/variety/commit/475a5e076b9c8c7c83176214f84455dc78834723
+    - Fix shell injection in filter and clock with specially crafted
+      filenames; upstream commit
+      
https://github.com/varietywalls/variety/commit/65722237baa996b0ef2389cea693bfeeba62b224
+    - Harden ImageMagick calls against potential shell injection:
+      
https://github.com/varietywalls/variety/commit/a7c134ecd494bb878c73df9f65cb838dbb57413a
+
+ -- James Lu <bitfl...@gmail.com>  Tue, 14 Nov 2017 12:42:11 -0800
+
 variety (0.6.3-5) unstable; urgency=medium
 
   * Add fix-autoscroll-high-cpu.patch backported from upstream Bzr revision
diff -Nru 
variety-0.6.3/debian/patches/0001-Fix-shell-injection-on-deleting-to-trash-via-special.patch
 
variety-0.6.3/debian/patches/0001-Fix-shell-injection-on-deleting-to-trash-via-special.patch
--- 
variety-0.6.3/debian/patches/0001-Fix-shell-injection-on-deleting-to-trash-via-special.patch
        1969-12-31 16:00:00.000000000 -0800
+++ 
variety-0.6.3/debian/patches/0001-Fix-shell-injection-on-deleting-to-trash-via-special.patch
        2017-11-14 12:42:11.000000000 -0800
@@ -0,0 +1,65 @@
+From 475a5e076b9c8c7c83176214f84455dc78834723 Mon Sep 17 00:00:00 2001
+From: James Lu <ja...@overdrivenetworks.com>
+Date: Sun, 10 Sep 2017 10:39:13 -0700
+Subject: [PATCH 1/3] Fix shell injection on deleting to trash via specially
+ crafted filenames
+
+Rewrite this code in subprocess.call (which doesn't spawn a shell by default), 
and explicitly check whether trash programs are installed before running them.
+---
+ variety/VarietyWindow.py | 31 +++++++++++++++++++++++++------
+ 1 file changed, 25 insertions(+), 6 deletions(-)
+
+diff --git a/variety/VarietyWindow.py b/variety/VarietyWindow.py
+index b99cd1a..c9bb770 100644
+--- a/variety/VarietyWindow.py
++++ b/variety/VarietyWindow.py
+@@ -43,6 +43,10 @@ import urlparse
+ import webbrowser
+ from PIL import Image as PILImage
+ 
++# Replacement for shutil.which, which (no pun intended) only exists on Python 
3.3+
++# unless we want another 3rd party dependency.
++from distutils.spawn import find_executable
++
+ random.seed()
+ logger = logging.getLogger('variety')
+ 
+@@ -1721,14 +1725,29 @@ class VarietyWindow(Gtk.Window):
+                 def _go():
+                     self.smart.report_file(file, 'trash', async=False)
+ 
+-                    command = 'gvfs-trash "%s" || trash-put "%s" || kfmclient 
move "%s" trash:/' % (file, file, file)
+-                    logger.info(lambda: "Running trash command %s" % command)
+-                    result = os.system(command.encode('utf8'))
+-                    if result != 0:
+-                        logger.error(lambda: "Trash resulted in error code 
%d" % result)
++                    command = ''
++                    if find_executable('gvfs-trash'):
++                        command = ['gvfs-trash', file.encode('utf-8')]
++                    elif find_executable('trash-put'):
++                        command = ['trash-put', file.encode('utf-8')]
++                    elif find_executable('kfmclient'):
++                        command = ['kfmclient', 'move', file.encode('utf-8'), 
'trash:/']
++
++                    logger.info("Running trash command %s", command)
++                    if command:
++                        result = subprocess.call(command)
++                        if result != 0:
++                            logger.error("Trash resulted in error code %d", 
result)
++                            self.show_notification(
++                                _("Cannot delete"),
++                                _("Deleting to trash failed, check 
variety.log for more information."))
++                    else:
++                        logger.error("Delete to trash failed as no suitable 
program was found.")
+                         self.show_notification(
+                             _("Cannot delete"),
+-                            _("Probably there is no utility for moving to 
Trash?\nPlease install trash-cli or gvfs-bin or konquerer."))
++                            _("Deleting to trash failed because no suitable 
program is installed. "
++                              "Please install gvfs (gvfs-bin), trash-cli, or 
konqueror."))
++
+                 threading.Timer(0, _go).start()
+         except Exception:
+             logger.exception(lambda: "Exception in move_to_trash")
+-- 
+2.15.0
+
diff -Nru 
variety-0.6.3/debian/patches/0002-Fix-shell-injection-via-specially-crafted-filenames-.patch
 
variety-0.6.3/debian/patches/0002-Fix-shell-injection-via-specially-crafted-filenames-.patch
--- 
variety-0.6.3/debian/patches/0002-Fix-shell-injection-via-specially-crafted-filenames-.patch
        1969-12-31 16:00:00.000000000 -0800
+++ 
variety-0.6.3/debian/patches/0002-Fix-shell-injection-via-specially-crafted-filenames-.patch
        2017-11-14 12:42:11.000000000 -0800
@@ -0,0 +1,43 @@
+From 65722237baa996b0ef2389cea693bfeeba62b224 Mon Sep 17 00:00:00 2001
+From: James Lu <ja...@overdrivenetworks.com>
+Date: Mon, 18 Sep 2017 19:59:24 -0700
+Subject: [PATCH 2/3] Fix shell injection via specially crafted filenames in
+ filter and clock code
+
+---
+ variety/VarietyWindow.py | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/variety/VarietyWindow.py b/variety/VarietyWindow.py
+index c9bb770..d5f3078 100644
+--- a/variety/VarietyWindow.py
++++ b/variety/VarietyWindow.py
+@@ -41,6 +41,7 @@ import random
+ import re
+ import urlparse
+ import webbrowser
++import pipes
+ from PIL import Image as PILImage
+ 
+ # Replacement for shutil.which, which (no pun intended) only exists on Python 
3.3+
+@@ -1161,7 +1162,7 @@ class VarietyWindow(Gtk.Window):
+ 
+         w = Gdk.Screen.get_default().get_width()
+         h = Gdk.Screen.get_default().get_height()
+-        cmd = 'convert "%s" -scale %dx%d^ ' % (filename, w, h)
++        cmd = 'convert %s -scale %dx%d^ ' % (pipes.quote(filename), w, h)
+ 
+         logger.info(lambda: "Applying filter: " + filter)
+         cmd += filter + ' '
+@@ -1179,7 +1180,7 @@ class VarietyWindow(Gtk.Window):
+ 
+         w = Gdk.Screen.get_default().get_width()
+         h = Gdk.Screen.get_default().get_height()
+-        cmd = 'convert "%s" -scale %dx%d^ ' % (filename, w, h)
++        cmd = 'convert %s -scale %dx%d^ ' % (pipes.quote(filename), w, h)
+ 
+         hoffset, voffset = 
Util.compute_trimmed_offsets(Util.get_size(filename), (w, h))
+         clock_filter = self.options.clock_filter
+-- 
+2.15.0
+
diff -Nru 
variety-0.6.3/debian/patches/0003-Harden-more-os.system-calls-against-potential-shell-.patch
 
variety-0.6.3/debian/patches/0003-Harden-more-os.system-calls-against-potential-shell-.patch
--- 
variety-0.6.3/debian/patches/0003-Harden-more-os.system-calls-against-potential-shell-.patch
        1969-12-31 16:00:00.000000000 -0800
+++ 
variety-0.6.3/debian/patches/0003-Harden-more-os.system-calls-against-potential-shell-.patch
        2017-11-14 12:42:11.000000000 -0800
@@ -0,0 +1,50 @@
+From a7c134ecd494bb878c73df9f65cb838dbb57413a Mon Sep 17 00:00:00 2001
+From: James Lu <ja...@overdrivenetworks.com>
+Date: Mon, 18 Sep 2017 20:00:28 -0700
+Subject: [PATCH 3/3] Harden more os.system calls against potential shell
+ injection
+
+---
+ variety/VarietyWindow.py | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/variety/VarietyWindow.py b/variety/VarietyWindow.py
+index d5f3078..6109909 100644
+--- a/variety/VarietyWindow.py
++++ b/variety/VarietyWindow.py
+@@ -312,7 +312,7 @@ class VarietyWindow(Gtk.Window):
+                 try:
+                     os.system(
+                         "convert -size 1000x1000 xc: +noise Random 
-virtual-pixel tile "
+-                        "-motion-blur 0x20+135 -charcoal 2 -resize 50%% 
\"%s\"" % pencil_tile_filename.encode('utf8'))
++                        "-motion-blur 0x20+135 -charcoal 2 -resize 50%% %s" % 
pipes.quote(pencil_tile_filename.encode('utf8')))
+                 except Exception:
+                     logger.exception(lambda: "Could not generate 
pencil_tile.png")
+             threading.Timer(0, _generate_pencil_tile).start()
+@@ -1167,9 +1167,9 @@ class VarietyWindow(Gtk.Window):
+         logger.info(lambda: "Applying filter: " + filter)
+         cmd += filter + ' '
+ 
+-        cmd = cmd + ' "' + target_file + '"'
+-        cmd = cmd.replace("%FILEPATH%", filename)
+-        cmd = cmd.replace("%FILENAME%", os.path.basename(filename))
++        cmd += pipes.quote(target_file)
++        cmd = cmd.replace("%FILEPATH%", pipes.quote(filename))
++        cmd = cmd.replace("%FILENAME%", 
pipes.quote(os.path.basename(filename)))
+ 
+         logger.info(lambda: "ImageMagick filter cmd: " + cmd)
+         return cmd.encode('utf-8')
+@@ -1191,7 +1191,9 @@ class VarietyWindow(Gtk.Window):
+         clock_filter = time.strftime(clock_filter.encode('utf8'), 
time.localtime()).decode('utf8') # this should always be called last
+         logger.info(lambda: "Applying clock filter: " + clock_filter)
+ 
+-        cmd += clock_filter + u' "' + target_file + '"'
++        cmd += clock_filter
++        cmd += ' '
++        cmd += pipes.quote(unicode(target_file))
+         logger.info(lambda: "ImageMagick clock cmd: " + cmd)
+         return cmd.encode('utf-8')
+ 
+-- 
+2.15.0
+
diff -Nru variety-0.6.3/debian/patches/series 
variety-0.6.3/debian/patches/series
--- variety-0.6.3/debian/patches/series 2017-05-06 16:30:06.000000000 -0700
+++ variety-0.6.3/debian/patches/series 2017-11-14 12:42:11.000000000 -0800
@@ -1,3 +1,6 @@
+0001-Fix-shell-injection-on-deleting-to-trash-via-special.patch
+0002-Fix-shell-injection-via-specially-crafted-filenames-.patch
+0003-Harden-more-os.system-calls-against-potential-shell-.patch
 fix-autoscroll-high-cpu.patch
 disable-panoramio.patch
 menu-position-varargs.patch

Reply via email to