--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian....@packages.debian.org
Usertags: pu
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
I've prepared an upload of shutter for stable. The new version
includes two patches:
- - one fixing CVE-2016-10081 / #849777
- - another one which dod uploaded together with this one as 0.93.1-1.3
in January which is also security relevant (replaces
system("string") with system(@array)).
Full debdiff attached.
Cheers,
gregor
-----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEE0eExbpOnYKgQTYX6uzpoAYZJqgYFAlkgqZJfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEQx
RTEzMTZFOTNBNzYwQTgxMDREODVGQUJCM0E2ODAxODY0OUFBMDYACgkQuzpoAYZJ
qgbWNA/8DPTaKOesYQ4tMjj580foTMqUu+G3qEk/UgqFhkhAFNoBXRJKVPiF4tkL
V10CgEpEySMee18bVLSk08nWb0NJmuP8OSlcw43nspI2nRZIum7Vnsyf9rhOEd2o
0SzW8Z1/cNsRWhgy2UP5esinZmu9/djJBmSfc5E7bzH3tIYHc0H2wfnhys3uYOLk
yyoCZf5u1JA/cTFRcIgGmX60PhrtZMPRtN3x63JYKCOqGPR4rBrb9aii4etKetEh
lXMj8hF2ZShnJDXTXuI+rtq5i3KPuAhBr5bjqXuQJ4g2C8L1KHG9HYQB5XZNaafn
7oOa39fQXVA52hf/WBM6y+YICkO2EuVS+6bNcEJfWQaQN19NX/YdpkkzxCyuv3/Q
rMNRHt9B3tZDeD99tGhvG8RbKyZbfbML+xfcOELLXNZhf+LjWb6hE4rtLJUirgB6
7FmiQwvOLPZc1tHXjLGEC6cvUt7jI95ZOCiQc/OtxrWPmRmJH88mYQJP1EQA0+gm
RBQf6PlDvKMN+9/zPZxhK4lZbuQz6NN27B1De9f5kB2hESQphzCBpVqSs4ytsekc
hGYGFt98igVGrZo244Of3FOSCZd0fxFCzaxOm0R2op/Z+AQgMmhiPY+0bO2fWYTc
dkbLqtxwNZQEh3vesb08NN1bZUeXRshybi85g9TIam5QQBKFs64=
=KPfu
-----END PGP SIGNATURE-----
diff --git a/debian/changelog b/debian/changelog
index 009a696..af656ed 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+shutter (0.92-0.1+deb8u2) UNRELEASED; urgency=medium
+
+ [ Dominique Dumont ]
+ * add patch to fix CVE-2016-10081 (Closes: #849777)
+ * add patch to secure system() calls
+
+ -- gregor herrmann <gre...@debian.org> Sat, 20 May 2017 22:30:53 +0200
+
shutter (0.92-0.1+deb8u1) jessie; urgency=high
* Fix insecure usage of system(). Closes: #798862 [CVE-2015-0854]
diff --git a/debian/patches/CVE-2016-10081.patch
b/debian/patches/CVE-2016-10081.patch
new file mode 100644
index 0000000..edd2ff8
--- /dev/null
+++ b/debian/patches/CVE-2016-10081.patch
@@ -0,0 +1,42 @@
+Bug: https://bugs.launchpad.net/shutter/+bug/1652600
+Bug-Debian: https://bugs.debian.org/849777
+Author: Christoph Biedl <debian.a...@manchmal.in-ulm.de>
+Description: fix insecure use of perl exec()
+ The patch attached uses the multi-argument invocation and also changes
+ it in the code path for non-Perl plugins.
+--- a/bin/shutter
++++ b/bin/shutter
+@@ -7159,8 +7159,13 @@
+ elsif ( $pid == 0 ) {
+
+ #see Bug #661424
+- my $qfilename = quotemeta $session_screens{$key}->{'long'};
+- exec( sprintf( "$^X $plugin_value %d $qfilename
$session_screens{$key}->{'width'} $session_screens{$key}->{'height'}
$session_screens{$key}->{'filetype'}\n", $socket->get_id ) );
++ #my $qfilename = quotemeta $session_screens{$key}->{'long'};
++ exec( $^X, $plugin_value,
++ $socket->get_id,
++ $session_screens{$key}->{'long'},
++ $session_screens{$key}->{'width'},
++ $session_screens{$key}->{'height'},
++ $session_screens{$key}->{'filetype'} );
+ }
+
+ $sdialog->show_all;
+@@ -7193,11 +7198,15 @@
+ my $plugin_process = Proc::Simple->new;
+
+ #see Bug #661424
+- my $qfilename = quotemeta $session_screens{$key}->{'long'};
++ #my $qfilename = quotemeta $session_screens{$key}->{'long'};
+
+ $plugin_process->start(
+ sub {
+- system("'$plugin_value' $qfilename
'$session_screens{$key}->{'width'}' '$session_screens{$key}->{'height'}'
'$session_screens{$key}->{'filetype'}' ");
++ system( $plugin_value,
++ $session_screens{$key}->{'long'},
++ $session_screens{$key}->{'width'},
++ $session_screens{$key}->{'height'},
++ $session_screens{$key}->{'filetype'} );
+ POSIX::_exit(0);
+ }
+ );
diff --git a/debian/patches/fix-perl-system-calls
b/debian/patches/fix-perl-system-calls
new file mode 100644
index 0000000..6de4ac5
--- /dev/null
+++ b/debian/patches/fix-perl-system-calls
@@ -0,0 +1,268 @@
+Author: dod
+Description: Fix perl system calls
+ This patch replaces all system("big string") calls to
+ system(@big_list) in all plugins to avoid problems similar to CVE-2016-10081.
+--- a/share/shutter/resources/system/plugins/perl/sppolaroid/sppolaroid
++++ b/share/shutter/resources/system/plugins/perl/sppolaroid/sppolaroid
+@@ -349,9 +349,6 @@
+
+ sub apply_effect {
+
+- #quote filename
+- my $qfilename = quotemeta $filename;
+-
+ if ( $use_caption ) {
+
+ my $text = $caption_entry->get_text;
+@@ -360,27 +357,32 @@
+ $text = quotemeta $text;
+
+ my $color = $stroke_color->get_color;
+-
+- system( "convert -caption "
+- . $text
+- . " -fill '"
+- . sprintf( "#%04x%04x%04x%04x", $color->red,
$color->green, $color->blue, $stroke_color->get_alpha )
+- . "' $qfilename -pointsize "
+- . $pointsize_sbutton->get_value
+- . " -gravity "
+- . $gravity_combo->get_active_text
+- . " -bordercolor snow "
+- . " -background black "
+- . " -polaroid "
+- . $angle_sbutton->get_value
+- . " $tmpfilename" );
+-
++
++ system(
++ convert =>
++ -caption => $text,
++ -fill => sprintf( "#%04x%04x%04x%04x",
++ $color->red,
++ $color->green,
++ $color->blue,
++ $stroke_color->get_alpha
++ ),
++ $filename,
++ -pointsize => $pointsize_sbutton->get_value,
++ -gravity => $gravity_combo->get_active_text,
++ qw/-bordercolor snow -background black/,
++ -polaroid => $angle_sbutton->get_value,
++ $tmpfilename
++ );
+ } else {
+-
+- system( "convert $qfilename -bordercolor white -border 6
-bordercolor grey60 -border 1 -background none -rotate "
+- . $angle_sbutton->get_value
+- . " -background black \\( +clone -shadow
60x4+4+4 \\) +swap -background none -flatten $tmpfilename" );
+-
++ system(
++ convert => $filename,
++ qw/-bordercolor white -border 6 -bordercolor grey60 -border 1
-background none/,
++ -rotate => $angle_sbutton->get_value,
++ -background => 'black',
++ qw/( +clone -shadow 60x4+4+4 ) +swap -background none/,
++ -flatten => $tmpfilename
++ );
+ }
+
+ }
+--- a/share/shutter/resources/system/plugins/perl/spwatermark/spwatermark
++++ b/share/shutter/resources/system/plugins/perl/spwatermark/spwatermark
+@@ -342,33 +342,27 @@
+ $text = strftime $text, localtime;
+ $text = quotemeta $text;
+
+- #quote filename
+- my $qfilename = quotemeta $filename;
+-
+ my $psize = $pointsize_sbutton->get_value;
+
+ my $color = $stroke_color->get_color;
+
+- #execute imagemagick command
+- system( "convert "
+- . "-background '#00000000'"
+- . " -fill '"
+- . sprintf( "#%04x%04x%04x%04x", $color->red,
$color->green, $color->blue, $stroke_color->get_alpha )
+- . "' -pointsize "
+- . $psize
+- . " -gravity "
+- . $gravity_combo->get_active_text
+- . " -rotate "
+- . $angle_sbutton->get_value
+- . " label:"
+- . $text
+- . " $tmpfilename" );
+-
+- system("composite $tmpfilename"
+- . " -gravity "
+- . $gravity_combo->get_active_text
+- . " $qfilename"
+- . " $tmpfilename2" );
++ #execute imagemagick command
++ system(
++ convert =>
++ -background => '#00000000',
++ -fill => sprintf( "#%04x%04x%04x%04x", $color->red, $color->green,
$color->blue, $stroke_color->get_alpha ),
++ -pointsize => $psize,
++ -gravity => $gravity_combo->get_active_text,
++ -rotate => $angle_sbutton->get_value,
++ "label:$text",
++ $tmpfilename
++ );
++
++ system(
++ composite => $tmpfilename,
++ -gravity => $gravity_combo->get_active_text,
++ $filename => $tmpfilename2
++ );
+
+ }
+
+--- a/share/shutter/resources/system/plugins/perl/spshadow/spshadow
++++ b/share/shutter/resources/system/plugins/perl/spshadow/spshadow
+@@ -368,24 +368,22 @@
+ $direction2 = "80x3-1-1";
+ }
+
+- #quote filename
+- my $qfilename = quotemeta $filename;
+-
+- #execute imagemagick command
+- system( "convert"
+- . " $qfilename"
+- . " -gravity northwest -background
'rgba(255,255,255,0)' -splice 10x10"
+- . " \\( +clone -background '"
+- . sprintf( "#%04x%04x%04x%04x", $scolor->red,
$scolor->green, $scolor->blue, $shadow_color->get_alpha )
+- . "' -shadow "
+- . $direction2
+- . " \\) +swap -background none -mosaic +repage"
+- . " \\( +clone -background '"
+- . sprintf( "#%04x%04x%04x%04x", $scolor->red,
$scolor->green, $scolor->blue, $shadow_color->get_alpha )
+- . "' -shadow "
+- . $direction1
+- . " \\) +swap -background none -mosaic +repage"
+- . " $tmpfilename" );
++ #execute imagemagick command
++ system(
++ convert => $filename,
++ -gravity => 'northwest',
++ -background => 'rgba(255,255,255,0)',
++ -splice => '10x10',
++ qw/( +clone/,
++ -background => sprintf( "#%04x%04x%04x%04x", $scolor->red,
$scolor->green, $scolor->blue, $shadow_color->get_alpha ),
++ -shadow => $direction2,
++ qw/) +swap -background none -mosaic +repage/,
++ qw/( +clone/,
++ -background => sprintf( "#%04x%04x%04x%04x", $scolor->red,
$scolor->green, $scolor->blue, $shadow_color->get_alpha ),
++ -shadow => $direction1,
++ qw/) +swap -background none -mosaic +repage/,
++ $tmpfilename
++ );
+
+ }
+
+---
a/share/shutter/resources/system/plugins/perl/spbardistortion/spbardistortion
++++
b/share/shutter/resources/system/plugins/perl/spbardistortion/spbardistortion
+@@ -386,24 +386,13 @@
+
+ my $color = $back_color->get_color;
+
+- #quote filename
+- my $qfilename = quotemeta $filename;
+-
+ #execute imagemagick command
+- system( "convert"
+- . " -virtual-pixel Background -background '"
+- . sprintf( "#%04x%04x%04x%04x", $color->red,
$color->green, $color->blue, $back_color->get_alpha )
+- . "' -distort Barrel '"
+- . $c1_sbutton->get_value
+- . " "
+- . $c2_sbutton->get_value
+- . " "
+- . $c3_sbutton->get_value
+- . " "
+- . $c4_sbutton->get_value
+- . "' $qfilename"
+- . " $tmpfilename" );
+-
++ system (
++ qw/convert -virtual-pixel Background/,
++ -background => sprintf( "#%04x%04x%04x%04x", $color->red,
$color->green, $color->blue, $back_color->get_alpha ),
++ -distort => Barrel => join(' ',$c1_sbutton->get_value,
$c2_sbutton->get_value, $c3_sbutton->get_value, $c4_sbutton->get_value),
++ $filename, $tmpfilename
++ );
+ }
+
+ sub fct_update_gui {
+--- a/share/shutter/resources/modules/Shutter/Screenshot/Web.pm
++++ b/share/shutter/resources/modules/Shutter/Screenshot/Web.pm
+@@ -69,7 +69,13 @@
+ $self->{_url} = "http://".$self->{_url};
+ }
+
+- system("gnome-web-photo --timeout=$self->{_timeout} --mode=photo
--width=$self->{_width} '$self->{_url}' '$self->{_dest_filename}'");
++ system(
++ 'gnome-web-photo',
++ '--timeout='.$self->{_timeout},
++ '--mode=photo',
++ '--width='.$self->{_width},
++ $self->{_url}, $self->{_dest_filename}
++ );
+
+ return TRUE;
+ }
+--- a/share/shutter/resources/modules/Shutter/App/HelperFunctions.pm
++++ b/share/shutter/resources/modules/Shutter/App/HelperFunctions.pm
+@@ -53,8 +53,7 @@
+
+ sub xdg_open {
+ my ( $self, $dialog, $link, $user_data ) = @_;
+- my @args = ("xdg-open", $link);
+- system(@args);
++ system("xdg-open", $link);
+ if($?){
+ my $response = $self->{_dialogs}->dlg_error_message(
+ sprintf( $self->{_d}->get("Error while executing %s."),
"'xdg-open'"),
+@@ -67,8 +66,12 @@
+ }
+
+ sub xdg_open_mail {
+- my ( $self, $dialog, $mail, $user_data ) = @_;
+- system("xdg-email $mail $user_data");
++ my ( $self, $dialog, $mail, @user_data ) = @_;
++
++ my @cmd = 'xdg-email';
++ push @cmd, $mail if $mail;
++ system(@cmd, @user_data);
++
+ if($?){
+ my $response = $self->{_dialogs}->dlg_error_message(
+ sprintf( $self->{_d}->get("Error while executing %s."),
"'xdg-email'"),
+@@ -82,7 +85,7 @@
+
+ sub nautilus_sendto {
+ my ( $self, $user_data ) = @_;
+- system("nautilus-sendto $user_data &");
++ system('nautilus-sendto', $user_data);
+ if($?){
+ my $response = $self->{_dialogs}->dlg_error_message(
+ sprintf( $self->{_d}->get("Error while executing %s."),
"'nautilus-sendto'"),
+--- a/bin/shutter
++++ b/bin/shutter
+@@ -6967,12 +6967,9 @@
+ push( @files_to_email, $session_screens{$key}->{'uri'}->to_string
);
+ }
+
+- my $mail_string = undef;
+- foreach my $email_filename (@files_to_email) {
+- $mail_string .= "--attach '$email_filename' ";
+- }
++ my @mail_args = map { ( '--attach' => $_ ) } @files_to_email;
+
+- $shf->xdg_open_mail( undef, undef, $mail_string );
++ $shf->xdg_open_mail( undef, undef, @mail_args );
+
+ return TRUE;
+ }
diff --git a/debian/patches/series b/debian/patches/series
index 7a8d251..cc5108b 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,3 @@
CVE-2015-0854.patch
+CVE-2016-10081.patch
+fix-perl-system-calls
--- End Message ---
