Salvatore Bonaccorso wrote... > CVE-2016-10081[0]: > | /usr/bin/shutter in Shutter through 0.93.1 allows user-assisted remote > | attackers to execute arbitrary commands via a crafted image name that > | is mishandled during a "Run a plugin" action.
*sigh* Single-argument usage of system/exec through the shell (...)</rant>
The patch attached uses the multi-argument invocation and also changes
it in the code path for non-Perl plugins. I wasn't able to exploit the
latter since it requires a file name without an extension (more
precisely: without a dot) that shutter still is willing to open. So a
file named (*in*cluding the quotes)
' ; xeyes ; '
on the offset plugin should do the trick but shutter didn't get that
far. But that's no excuse for keeping it this way.
Still requires more testing.
Christoph
signature.asc
Description: Digital signature
