Package: release.debian.org
Severity: normal
Tags: jessie
User: [email protected]
Usertags: pu
Hello release team,
CVE-2015-0854[1] hasn't been handled in jessie yet. The security team
ACKed to use an upcoming point release for this. The shutter maintainer
Ryan Niebur is in Cc:.
Find attached a debdiff based on the fixed stretch version 0.93.1-1;
the original patch triggered a Perl error.
Testing confirmed the described exploit no longer works then.
Regards,
Christoph
[1] https://security-tracker.debian.org/tracker/CVE-2015-0854
diff -Nru shutter-0.92/debian/changelog shutter-0.92/debian/changelog --- shutter-0.92/debian/changelog 2014-08-10 17:51:22.000000000 +0200 +++ shutter-0.92/debian/changelog 2016-12-20 19:00:20.000000000 +0100 @@ -1,3 +1,9 @@ +shutter (0.92-0.1+deb8u1) jessie; urgency=high + + * Fix insecure usage of system(). Closes: #798862 [CVE-2015-0854] + + -- Christoph Biedl <[email protected]> Tue, 20 Dec 2016 19:00:20 +0100 + shutter (0.92-0.1) unstable; urgency=medium * Non-maintainer upload. diff -Nru shutter-0.92/debian/patches/CVE-2015-0854.patch shutter-0.92/debian/patches/CVE-2015-0854.patch --- shutter-0.92/debian/patches/CVE-2015-0854.patch 1970-01-01 01:00:00.000000000 +0100 +++ shutter-0.92/debian/patches/CVE-2015-0854.patch 2016-12-20 18:59:57.000000000 +0100 @@ -0,0 +1,18 @@ +Description: Fix insecure use of system() +Author: Luke Faraone <[email protected]> +ID: CVE-2015-0854 +Bug: https://bugs.launchpad.net/shutter/+bug/1495163 +Debian-Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=798862 + +--- a/share/shutter/resources/modules/Shutter/App/HelperFunctions.pm ++++ b/share/shutter/resources/modules/Shutter/App/HelperFunctions.pm +@@ -53,7 +53,8 @@ + + sub xdg_open { + my ( $self, $dialog, $link, $user_data ) = @_; +- system("xdg-open $link"); ++ my @args = ("xdg-open", $link); ++ system(@args); + if($?){ + my $response = $self->{_dialogs}->dlg_error_message( + sprintf( $self->{_d}->get("Error while executing %s."), "'xdg-open'"), diff -Nru shutter-0.92/debian/patches/series shutter-0.92/debian/patches/series --- shutter-0.92/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ shutter-0.92/debian/patches/series 2016-12-20 18:40:00.000000000 +0100 @@ -0,0 +1 @@ +CVE-2015-0854.patch
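Review bot: in the HelperFunctions.pm hunk, replacing `system("xdg-open $link");` with `my @args = ("xdg-open", $link);` and `system(@args);` is the correct fix for CVE-2015-0854: the list form of system() execs xdg-open directly without going through /bin/sh, so any shell metacharacters in $link reach xdg-open as one literal argument instead of being interpreted. The unchanged `if($?){` check below it still works with the list form, since Perl sets $? to -1 when the program cannot be started, so the existing error dialog is still shown. Two things to tighten in the patch header: `+ID: CVE-2015-0854` is not a DEP-3 field (the CVE is better placed in the Description line, with the existing Bug and Debian-Bug lines carrying the references), and since the cover mail says the original patch triggered a Perl error, a one-line note in the header on how this patch deviates from the upstream/stretch version would help whoever rebases it next.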