This is an automated email from the git hooks/post-receive script.

czchen pushed a commit to branch master
in repository shutter.

commit fb12f0fa979002ad8a3616d082332c7b25d20218
Author: Dominique Dumont <d...@debian.org>
Date:   Fri Jan 6 21:06:08 2017 +0100

    add patch to fix CVE-2016-10081 (Closes: #849777)
---
 debian/patches/CVE-2016-10081.patch | 42 +++++++++++++++++++++++++++++++++++++
 debian/patches/series               |  1 +
 2 files changed, 43 insertions(+)

diff --git a/debian/patches/CVE-2016-10081.patch 
b/debian/patches/CVE-2016-10081.patch
new file mode 100644
index 0000000..5fef9a2
--- /dev/null
+++ b/debian/patches/CVE-2016-10081.patch
@@ -0,0 +1,42 @@
+Bug: https://bugs.launchpad.net/shutter/+bug/1652600
+Bug-Debian: https://bugs.debian.org/849777
+Author: Christoph Biedl <debian.a...@manchmal.in-ulm.de>
+Description: fix insecure use of perl exec()
+ The patch attached uses the multi-argument invocation and also changes
+ it in the code path for non-Perl plugins.
+--- a/bin/shutter
++++ b/bin/shutter
+@@ -7164,8 +7164,13 @@
+             elsif ( $pid == 0 ) {
+ 
+                 #see Bug #661424
+-                my $qfilename = quotemeta $session_screens{$key}->{'long'};
+-                exec( sprintf( "$^X $plugin_value %d $qfilename 
$session_screens{$key}->{'width'} $session_screens{$key}->{'height'} 
$session_screens{$key}->{'filetype'}\n", $socket->get_id ) );
++                #my $qfilename = quotemeta $session_screens{$key}->{'long'};
++                exec( $^X, $plugin_value,
++                    $socket->get_id,
++                    $session_screens{$key}->{'long'},
++                    $session_screens{$key}->{'width'},
++                    $session_screens{$key}->{'height'},
++                    $session_screens{$key}->{'filetype'} );
+             }
+ 
+             $sdialog->show_all;
+@@ -7198,11 +7203,15 @@
+             my $plugin_process = Proc::Simple->new;
+ 
+             #see Bug #661424
+-            my $qfilename = quotemeta $session_screens{$key}->{'long'};
++            #my $qfilename = quotemeta $session_screens{$key}->{'long'};
+ 
+             $plugin_process->start(
+                 sub {
+-                    system("'$plugin_value' $qfilename 
'$session_screens{$key}->{'width'}' '$session_screens{$key}->{'height'}' 
'$session_screens{$key}->{'filetype'}' ");
++                    system( $plugin_value,
++                        $session_screens{$key}->{'long'},
++                        $session_screens{$key}->{'width'},
++                        $session_screens{$key}->{'height'},
++                        $session_screens{$key}->{'filetype'} );
+                     POSIX::_exit(0);
+                 }
+             );
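Review bot: The new list-form `exec( $^X, $plugin_value, ... )` in the first inner hunk never checks its return value, so if the plugin cannot be started the forked child drops out of the `elsif ( $pid == 0 )` branch and apparently carries on with the parent's GUI path (`$sdialog->show_all` follows the closing brace); terminate the call with `) or do { warn "exec $plugin_value: $!"; POSIX::_exit(1) };` (POSIX is already used in the second inner hunk). The second inner hunk has the matching gap: the status of `system( $plugin_value, ... )` is discarded and the child always runs `POSIX::_exit(0)`, so a plugin that fails to launch or exits non-zero is reported as success, which `my $rc = system( ... ); POSIX::_exit( $rc == 0 ? 0 : 1 );` would fix. In both places the quoting line is left behind as `#my $qfilename = quotemeta ...`, so the preceding `#see Bug #661424` now points at dead code; dropping the commented-out lines and replacing that comment with `# list-form exec/system bypasses the shell, so no quoting is needed (Bug #661424, CVE-2016-10081)` records why the quoting went away. Both enclosing blocks start and end outside the inner hunks.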
diff --git a/debian/patches/series b/debian/patches/series
index b7042f2..c699cd6 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
 insecure_use_of_system.patch
 0002-Force-utf8-for-retrieved-window-name-from-Gtk2.patch
 0003-Fix-error-on-executing-xdg-email.patch
+CVE-2016-10081.patch
