Your message dated Sat, 31 Dec 2016 21:02:33 +0000
with message-id <[email protected]>
and subject line Bug#798862: fixed in shutter 0.92-0.1+deb8u1
has caused the Debian Bug report #798862,
regarding CVE-2015-0854: Insecure use of system()
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
798862: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=798862
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: shutter
Version: 0.85.1-2
Severity: grave
Tags: security upstream patch
Justification: user security hole
Forwarded: https://bugs.launchpad.net/shutter/+bug/1495163
Using the "Show in folder" menu option while viewing a file with a
specially-crafted path allows for arbitrary code execution with the permissions
of the user running Shutter.
STEPS TO REPRODUCE:
1. Put an image in a folder called "$(xeyes)"
2. Open the image in Shutter
3. Right-click the image and click "Show in Folder"
The `xeyes` program (if installed on your system) should start.
Lines 54-65 of share/shutter/resources/modules/Shutter/App/HelperFunctions.pm:
sub xdg_open {
my ( $self, $dialog, $link, $user_data ) = @_;
system("xdg-open $link");
return TRUE;
}
Because `system` is used, the string is scanned for shell
metacharacters[1], and if found the string is executed using a shell.
[1]: http://perldoc.perl.org/functions/system.html
# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: [email protected]
# target_branch: bzr+ssh://bazaar.launchpad.net/+branch/shutter/
# testament_sha1: 657f895d801b5ee567032599e2f961f4537a25db
# timestamp: 2015-09-13 01:59:36 +0000
# base_revision_id: [email protected]\
# b58zlfo5qb5e2cxt
#
# Begin patch
=== modified file 'share/shutter/resources/modules/Shutter/App/HelperFunctions.pm'
--- share/shutter/resources/modules/Shutter/App/HelperFunctions.pm 2013-08-25 18:40:51 +0000
+++ share/shutter/resources/modules/Shutter/App/HelperFunctions.pm 2015-09-13 01:56:32 +0000
@@ -53,7 +53,8 @@
sub xdg_open {
my ( $self, $dialog, $link, $user_data ) = @_;
- system("xdg-open $link");
+ @args = ("xdg-open", "$link");
+ system(@args);
if($?){
my $response = $self->{_dialogs}->dlg_error_message(
sprintf( $self->{_d}->get("Error while executing %s."), "'xdg-open'"),
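Review bot: `@args` is assigned without a `my` declaration in the added lines; since the surrounding sub already uses `my ( $self, $dialog, $link, $user_data ) = @_;`, the file is most likely compiled under `use strict`, where an undeclared `@args` is a compile-time error ("Global symbol "@args" requires explicit package name"), and without strict it silently creates a package global. Suggest `my @args = ('xdg-open', $link);` (the double quotes around `$link` are also redundant, it is already a scalar). The list form itself is the correct fix: with more than one element Perl calls execvp() directly and no shell ever parses `$link`, so a directory named `$(xeyes)` reaches xdg-open as a literal argument, and the existing `if($?)` check below still sees the exit status.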
# Begin bundle
IyBCYXphYXIgcmV2aXNpb24gYnVuZGxlIHY0CiMKQlpoOTFBWSZTWZZuoZoAAW9fgAAwVGf//1tE
AwC///9wUAN1zXYu9esG49hKKaaU/Qyp+inpPSPSNGnk0htRkGTQBkiZNTyNDERMIAaDTQ0GgBJI
CIyamntFNpANAAAA0BtSmCk8psmU9NGo0Mag0BoB6g0Ekk0hPUzRtU09PVPaQ1DT1MmQNDQBBblC
nItOGKCVEFKr4EB+TV5NqXlTTXPaxEQcN441NfLGUe1jMvoUPf93Zo8lTOpwrtjxqi6rujPaNUTV
CagXS99rU4yR4fKPswKdWLkQ5VnuJbY6NKVyUAsM7nT6pQRQzXzlE23uIdEQUEMMZJKbdB5pRKIy
WL1scnBLBNC4at+6OQjGy1T/mLa0YWkVTkCusoYWDle1hRXrGz2YOUzUVdaddmut7OCLS7MSRXeg
caOMglpIqkaoqSvYLzbAsT+V20WStwoXb7rBRTYj4ycKqQLBHRkHWCVzJ0ibdSjXciltChrcqiQF
YgsAZ7MNOYQGgVgpP8OwBDLnM61xWspggxkwGN1KjeLWHDOYBhoHuD7V0EzQRjE9+BzPN6pDFd4W
5mbO1dxUQMJZ1WQhVIGoXzjJtObPAzQaMYhdAk5NBoj5hObdpkZjteVvW9dHtjvycid4PkVRV2w+
2SStovOFXNFQht4TkHBfKUS0mWA3bXY7THAPIN9FWaZKdBn2cr0qUcSkLlR3l5pvSyxEs7LxNIXS
mvErI+rurPau4IOalJSpU81T54yIjOIoquDxU/BXqXpxb5/M6chvLB2a+xbMBmGrnRJp51kfOGzQ
ia23MH3Yy0rg15C2iZbPmQ5RKSoIhYUn8mUK8M6GYsayXUYgwJ0sqga7syWoa3c+w4lJ9679VCcY
iAGhmyI1BsB5lIhh41Vi0gp8qriUeKTQ3/yaeBAIqYzlwY6+Mel9IVBzLrDP5vovFKZXClW3DgEQ
kKjWFoUBM4OT1vC4uG0Ru71+XFsMip2uGNAODnDSsTsxOKTPeYAnGezwmNc05BJ4k2DYocSE5hjD
UtjJyTOMs0Ur+cMwmmFgFHLIK5cDrA4UrVR6tdSSvozJ5EYME6tTuwnxJy71DECoNbwLYORVloIE
0ojtLgetx9uCjjOYYObUq9UOcX9cZNobWDtirXS1ZsJhU0+MrslK3DBAEEBWNjaOeMS1wDwGIbJa
ma5f3PtQMadvqUGhLdV0lL1WmatWtdlWxD5LyMmc/xdyRThQkJZuoZo=
--- End Message ---
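The vulnerable call and the list-form fix from the report above, side by side, as an added example that is not Shutter's code. It assumes only a POSIX shell and `echo` in PATH: `echo` stands in for `xdg-open`, the path is constructed to carry a `$(...)` command substitution like the `$(xeyes)` folder in the reproduction steps, and the "payload" merely creates a marker file in a temporary directory so the difference between the two forms is observable without side effects.

```perl
#!/usr/bin/perl
# Added example, not Shutter's code: contrasts system("xdg-open $link") with
# the list-form system() used by the fix. 'echo' stands in for xdg-open.
use strict;
use warnings;
use File::Temp qw(tempdir);

my $dir    = tempdir(CLEANUP => 1);   # scratch directory, removed on exit
my $marker = "$dir/marker";

# Constructed path: the directory component contains a shell command
# substitution, as a folder named "$(xeyes)" would. Here it only runs touch.
my $link = "$dir/\$(touch $marker)/screenshot.png";

# Pre-fix form. A single string containing shell metacharacters is handed to
# "/bin/sh -c", so the shell evaluates $(...) before echo sees the argument.
sub xdg_open_unsafe {
    my ($path) = @_;
    system("echo $path");
    return $? == 0;
}

# Patched form. With more than one list element Perl calls execvp() directly;
# no shell is involved, so $path is passed as one literal argv element.
sub xdg_open_safe {
    my ($path) = @_;
    my @args = ('echo', $path);   # 'my' is required under use strict
    system(@args);
    return $? == 0;
}

# Returns 1 if the marker file exists (i.e. the substitution ran), then resets.
sub marker_created {
    my $hit = -e $marker ? 1 : 0;
    unlink $marker if $hit;
    return $hit;
}

xdg_open_safe($link);
print "list form:   marker created = ", marker_created(), "\n";

xdg_open_unsafe($link);
print "string form: marker created = ", marker_created(), "\n";
```

Running it with `perl` shows the list-form call leaving the marker absent and the string-form call creating it. Note that the protection comes from the argument count, not from the array: `system("xdg-open $link")` written as a one-element list is still a single string and is still scanned for metacharacters, so the program name and each argument must be separate elements.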
--- Begin Message ---
Source: shutter
Source-Version: 0.92-0.1+deb8u1
We believe that the bug you reported is fixed in the latest version of
shutter, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Christoph Biedl <[email protected]> (supplier of updated shutter
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 20 Dec 2016 19:00:20 +0100
Source: shutter
Binary: shutter
Architecture: source all
Version: 0.92-0.1+deb8u1
Distribution: proposed-updates
Urgency: high
Maintainer: Ryan Niebur <[email protected]>
Changed-By: Christoph Biedl <[email protected]>
Description:
shutter - feature-rich screenshot program
Closes: 798862
Changes:
shutter (0.92-0.1+deb8u1) jessie; urgency=high
.
* Fix insecure usage of system(). Closes: #798862 [CVE-2015-0854]
Checksums-Sha1:
24264a6265bb3e22fed37313f262b423360b02c1 1845 shutter_0.92-0.1+deb8u1.dsc
79d4043d993d3291d2ee803900b1d0295d075b06 4736 shutter_0.92-0.1+deb8u1.debian.tar.xz
f7c32fda21186d71ced34d5afc64cd1a81ccfc09 1583932 shutter_0.92-0.1+deb8u1_all.deb
Checksums-Sha256:
0104164bbe93274861601ac0bdbde76844ef68c5c99ba97e785c627dfaf5cdfa 1845 shutter_0.92-0.1+deb8u1.dsc
ca7b9a04d3fb17341133f3ec1b463b40dee5d8096a3ae2ddb900ce2ccb10454b 4736 shutter_0.92-0.1+deb8u1.debian.tar.xz
8f54d146dc1b2b48409893004ff20eedc576154f2d501d3f72ce127e6001a7fd 1583932 shutter_0.92-0.1+deb8u1_all.deb
Files:
cc4fee14435c9bfeed5a4fad0c23e68d 1845 graphics optional shutter_0.92-0.1+deb8u1.dsc
da644e5192a3cbbc7c0f7367ac822d32 4736 graphics optional shutter_0.92-0.1+deb8u1.debian.tar.xz
1bc556d6762a3a6d607444edaf40ade8 1583932 graphics optional shutter_0.92-0.1+deb8u1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

=8sch
-----END PGP SIGNATURE-----
--- End Message ---