This is an automated email from the git hooks/post-receive script. czchen pushed a commit to branch master in repository shutter.
commit fb12f0fa979002ad8a3616d082332c7b25d20218
Author: Dominique Dumont <d...@debian.org>
Date: Fri Jan 6 21:06:08 2017 +0100
add patch to fix CVE-2016-10081 (Closes: #849777)
---
 debian/patches/CVE-2016-10081.patch | 42 +++++++++++++++++++++++++++++++++++++
 debian/patches/series | 1 +
 2 files changed, 43 insertions(+)
diff --git a/debian/patches/CVE-2016-10081.patch b/debian/patches/CVE-2016-10081.patch
new file mode 100644
index 0000000..5fef9a2
--- /dev/null
+++ b/debian/patches/CVE-2016-10081.patch
@@ -0,0 +1,42 @@
+Bug: https://bugs.launchpad.net/shutter/+bug/1652600
+Bug-Debian: https://bugs.debian.org/849777
+Author: Christoph Biedl <debian.a...@manchmal.in-ulm.de>
+Description: fix insecure use of perl exec()
+ The patch attached uses the multi-argument invocation and also changes
+ it in the code path for non-Perl plugins.
+--- a/bin/shutter
++++ b/bin/shutter
+@@ -7164,8 +7164,13 @@
+ elsif ( $pid == 0 ) {
+
+ #see Bug #661424
+- my $qfilename = quotemeta $session_screens{$key}->{'long'};
+- exec( sprintf( "$^X $plugin_value %d $qfilename $session_screens{$key}->{'width'} $session_screens{$key}->{'height'} $session_screens{$key}->{'filetype'}\n", $socket->get_id ) );
++ #my $qfilename = quotemeta $session_screens{$key}->{'long'};
++ exec( $^X, $plugin_value,
++ $socket->get_id,
++ $session_screens{$key}->{'long'},
++ $session_screens{$key}->{'width'},
++ $session_screens{$key}->{'height'},
++ $session_screens{$key}->{'filetype'} );
+ }
+
+ $sdialog->show_all;
+@@ -7198,11 +7203,15 @@
+ my $plugin_process = Proc::Simple->new;
+
+ #see Bug #661424
+- my $qfilename = quotemeta $session_screens{$key}->{'long'};
++ #my $qfilename = quotemeta $session_screens{$key}->{'long'};
+
+ $plugin_process->start(
+ sub {
+- system("'$plugin_value' $qfilename '$session_screens{$key}->{'width'}' '$session_screens{$key}->{'height'}' '$session_screens{$key}->{'filetype'}' ");
++ system( $plugin_value,
++ $session_screens{$key}->{'long'},
++ $session_screens{$key}->{'width'},
++ $session_screens{$key}->{'height'},
++ $session_screens{$key}->{'filetype'} );
+ POSIX::_exit(0);
+ }
+ );
diff --git a/debian/patches/series b/debian/patches/series
index b7042f2..c699cd6 100644
--- a/debian/patches/series
+++ b/debian/patches/series
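Review bot: In the first inner hunk (`@@ -7164,8 +7164,13 @@`) the forked child still falls through when `exec` fails: `exec` only returns on error, and nothing stops the child from running past the closing `}` into `$sdialog->show_all` and the rest of the parent's GUI code; the second hunk already terminates its worker with `POSIX::_exit(0)` after `system`, so the same guard belongs here, e.g. `exec( $^X, $plugin_value, ... ) or POSIX::_exit(1);`. The `#see Bug #661424` comment kept in both hunks now describes the `quotemeta` workaround this patch removes, and the commented-out `#my $qfilename = ...` lines are dead code; delete them or replace the comment with one that states the current reason, such as `# list-form exec/system: arguments reach the plugin without a shell, so no quoting is needed`. Both enclosing blocks (the `elsif` branch and the `start` callback) begin and end outside the quoted hunks.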
@@ -1,3 +1,4 @@
 insecure_use_of_system.patch
 0002-Force-utf8-for-retrieved-window-name-from-Gtk2.patch
 0003-Fix-error-on-executing-xdg-email.patch
+CVE-2016-10081.patch
-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-perl/packages/shutter.git
_______________________________________________
Pkg-perl-cvs-commits mailing list
Pkg-perl-cvs-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-perl-cvs-commits