Salvatore Bonaccorso wrote... > CVE-2016-10081[0]: > | /usr/bin/shutter in Shutter through 0.93.1 allows user-assisted remote > | attackers to execute arbitrary commands via a crafted image name that > | is mishandled during a "Run a plugin" action.
*sigh* Single-argument usage of system/exec through the shell (...)</rant> The patch attached uses the multi-argument invocation and also changes it in the code path for non-Perl plugins. I wasn't able to exploit the latter since it requires a file name without an extension (more precisely: without a dot) that shutter still is willing to open. So a file named (*in*cluding the quotes) ' ; xeyes ; ' on the offset plugin should do the trick but shutter didn't get that far. But that's no excuse for keeping it this way. Still requires more testing. Christoph
signature.asc
Description: Digital signature