This is an automated email from the git hooks/post-receive script. czchen pushed a commit to branch master in repository shutter.
commit 1764e72731c305f2577b3b7bd4f98c3b609ebb24 Author: Dominique Dumont <d...@debian.org> Date: Fri Jan 6 21:06:41 2017 +0100 add patch to secure system() calls --- debian/patches/fix-perl-system-calls | 268 +++++++++++++++++++++++++++++++++++ debian/patches/series | 1 + 2 files changed, 269 insertions(+)
diff --git a/debian/patches/fix-perl-system-calls b/debian/patches/fix-perl-system-calls
new file mode 100644
index 0000000..8443952
--- /dev/null
+++ b/debian/patches/fix-perl-system-calls
@@ -0,0 +1,268 @@
+Author: dod
+Description: Fix perl system calls
+ This patch replaces all system("big string") calls to
+ system(@big_list) in all plugins to avoid problems similar to CVS-2016-10081.
+--- a/share/shutter/resources/system/plugins/perl/sppolaroid/sppolaroid
++++ b/share/shutter/resources/system/plugins/perl/sppolaroid/sppolaroid
+@@ -349,9 +349,6 @@
+ 
+ sub apply_effect {
+ 
+- #quote filename
+- my $qfilename = quotemeta $filename;
+-
+ if ( $use_caption ) {
+ 
+ my $text = $caption_entry->get_text;
+@@ -360,27 +357,32 @@
+ $text = quotemeta $text;
+ 
+ my $color = $stroke_color->get_color;
+-
+- system( "convert -caption "
+- . $text
+- . " -fill '"
+- . sprintf( "#%04x%04x%04x%04x", $color->red, $color->green, $color->blue, $stroke_color->get_alpha )
+- . "' $qfilename -pointsize "
+- . $pointsize_sbutton->get_value
+- . " -gravity "
+- . $gravity_combo->get_active_text
+- . " -bordercolor snow "
+- . " -background black "
+- . " -polaroid "
+- . $angle_sbutton->get_value
+- . " $tmpfilename" );
+-
++
++ system(
++ convert =>
++ -caption => $text,
++ -fill => sprintf( "#%04x%04x%04x%04x",
++ $color->red,
++ $color->green,
++ $color->blue,
++ $stroke_color->get_alpha
++ ),
++ $filename,
++ -pointsize => $pointsize_sbutton->get_value,
++ -gravity => $gravity_combo->get_active_text,
++ qw/-bordercolor snow -background black/,
++ -polaroid => $angle_sbutton->get_value,
++ $tmpfilename
++ );
+ } else {
+-
+- system( "convert $qfilename -bordercolor white -border 6 -bordercolor grey60 -border 1 -background none -rotate "
+- . $angle_sbutton->get_value
+- . " -background black \\( +clone -shadow 60x4+4+4 \\) +swap -background none -flatten $tmpfilename" );
+-
++ system(
++ convert => $filename,
++ qw/-bordercolor white -border 6 -bordercolor grey60 -border 1 -background none/,
++ -rotate => $angle_sbutton->get_value,
++ -background => 'black',
++ qw/( +clone -shadow 60x4+4+4 ) +swap -background none/,
++ -flatten => $tmpfilename
++ );
+ }
+ 
+ }
+--- a/share/shutter/resources/system/plugins/perl/spwatermark/spwatermark
++++ b/share/shutter/resources/system/plugins/perl/spwatermark/spwatermark
+@@ -342,33 +342,27 @@
+ $text = strftime $text, localtime;
+ $text = quotemeta $text;
+ 
+- #quote filename
+- my $qfilename = quotemeta $filename;
+-
+ my $psize = $pointsize_sbutton->get_value;
+ 
+ my $color = $stroke_color->get_color;
+ 
+- #execute imagemagick command
+- system( "convert "
+- . "-background '#00000000'"
+- . " -fill '"
+- . sprintf( "#%04x%04x%04x%04x", $color->red, $color->green, $color->blue, $stroke_color->get_alpha )
+- . "' -pointsize "
+- . $psize
+- . " -gravity "
+- . $gravity_combo->get_active_text
+- . " -rotate "
+- . $angle_sbutton->get_value
+- . " label:"
+- . $text
+- . " $tmpfilename" );
+-
+- system("composite $tmpfilename"
+- . " -gravity "
+- . $gravity_combo->get_active_text
+- . " $qfilename"
+- . " $tmpfilename2" );
++ #execute imagemagick command
++ system(
++ convert =>
++ -background => '#00000000',
++ -fill => sprintf( "#%04x%04x%04x%04x", $color->red, $color->green, $color->blue, $stroke_color->get_alpha ),
++ -pointsize => $psize,
++ -gravity => $gravity_combo->get_active_text,
++ -rotate => $angle_sbutton->get_value,
++ "label:$text",
++ $tmpfilename
++ );
++
++ system(
++ composite => $tmpfilename,
++ -gravity => $gravity_combo->get_active_text,
++ $filename => $tmpfilename2
++ );
+ 
+ }
+ 
+--- a/share/shutter/resources/system/plugins/perl/spshadow/spshadow
++++ b/share/shutter/resources/system/plugins/perl/spshadow/spshadow
+@@ -368,24 +368,22 @@
+ $direction2 = "80x3-1-1";
+ }
+ 
+- #quote filename
+- my $qfilename = quotemeta $filename;
+-
+- #execute imagemagick command
+- system( "convert"
+- . " $qfilename"
+- . " -gravity northwest -background 'rgba(255,255,255,0)' -splice 10x10"
+- . " \\( +clone -background '"
+- . sprintf( "#%04x%04x%04x%04x", $scolor->red, $scolor->green, $scolor->blue, $shadow_color->get_alpha )
+- . "' -shadow "
+- . $direction2
+- . " \\) +swap -background none -mosaic +repage"
+- . " \\( +clone -background '"
+- . sprintf( "#%04x%04x%04x%04x", $scolor->red, $scolor->green, $scolor->blue, $shadow_color->get_alpha )
+- . "' -shadow "
+- . $direction1
+- . " \\) +swap -background none -mosaic +repage"
+- . " $tmpfilename" );
++ #execute imagemagick command
++ system(
++ convert => $filename,
++ -gravity => 'northwest',
++ -background => 'rgba(255,255,255,0)',
++ -splice => '10x10',
++ qw/( +clone/,
++ -background => sprintf( "#%04x%04x%04x%04x", $scolor->red, $scolor->green, $scolor->blue, $shadow_color->get_alpha ),
++ -shadow => $direction2,
++ qw/) +swap -background none -mosaic +repage/,
++ qw/( +clone/,
++ -background => sprintf( "#%04x%04x%04x%04x", $scolor->red, $scolor->green, $scolor->blue, $shadow_color->get_alpha ),
++ -shadow => $direction1,
++ qw/) +swap -background none -mosaic +repage/,
++ $tmpfilename
++ );
+ 
+ }
+ 
+--- a/share/shutter/resources/system/plugins/perl/spbardistortion/spbardistortion
++++ b/share/shutter/resources/system/plugins/perl/spbardistortion/spbardistortion
+@@ -386,24 +386,13 @@
+ 
+ my $color = $back_color->get_color;
+ 
+- #quote filename
+- my $qfilename = quotemeta $filename;
+-
+ #execute imagemagick command
+- system( "convert"
+- . " -virtual-pixel Background -background '"
+- . sprintf( "#%04x%04x%04x%04x", $color->red, $color->green, $color->blue, $back_color->get_alpha )
+- . "' -distort Barrel '"
+- . $c1_sbutton->get_value
+- . " "
+- . $c2_sbutton->get_value
+- . " "
+- . $c3_sbutton->get_value
+- . " "
+- . $c4_sbutton->get_value
+- . "' $qfilename"
+- . " $tmpfilename" );
+-
++ system (
++ qw/convert -virtual-pixel Background/,
++ -background => sprintf( "#%04x%04x%04x%04x", $color->red, $color->green, $color->blue, $back_color->get_alpha ),
++ -distort => Barrel => join(' ',$c1_sbutton->get_value, $c2_sbutton->get_value, $c3_sbutton->get_value, $c4_sbutton->get_value),
++ $filename, $tmpfilename
++ );
+ }
+ 
+ sub fct_update_gui {
+--- a/share/shutter/resources/modules/Shutter/Screenshot/Web.pm
++++ b/share/shutter/resources/modules/Shutter/Screenshot/Web.pm
+@@ -69,7 +69,13 @@
+ $self->{_url} = "http://".$self->{_url};
+ }
+ 
+- system("gnome-web-photo --timeout=$self->{_timeout} --mode=photo --width=$self->{_width} '$self->{_url}' '$self->{_dest_filename}'");
++ system(
++ 'gnome-web-photo',
++ '--timeout='.$self->{_timeout},
++ '--mode=photo',
++ '--width='.$self->{_width},
++ $self->{_url}, $self->{_dest_filename}
++ );
+ 
+ return TRUE;
+ }
+--- a/share/shutter/resources/modules/Shutter/App/HelperFunctions.pm
++++ b/share/shutter/resources/modules/Shutter/App/HelperFunctions.pm
+@@ -53,8 +53,7 @@
+ 
+ sub xdg_open {
+ my ( $self, $dialog, $link, $user_data ) = @_;
+- my @args = ("xdg-open", $link);
+- system(@args);
++ system("xdg-open", $link);
+ if($?){
+ my $response = $self->{_dialogs}->dlg_error_message(
+ sprintf( $self->{_d}->get("Error while executing %s."), "'xdg-open'"),
+@@ -67,8 +66,12 @@
+ }
+ 
+ sub xdg_open_mail {
+- my ( $self, $dialog, $mail, $user_data ) = @_;
+- system("xdg-email $mail $user_data");
++ my ( $self, $dialog, $mail, @user_data ) = @_;
++
++ my @cmd = 'xdg-email';
++ push @cmd, $mail if $mail;
++ system(@cmd, @user_data);
++
+ if($?){
+ my $response = $self->{_dialogs}->dlg_error_message(
+ sprintf( $self->{_d}->get("Error while executing %s."), "'xdg-email'"),
+@@ -82,7 +85,7 @@
+ 
+ sub nautilus_sendto {
+ my ( $self, $user_data ) = @_;
+- system("nautilus-sendto $user_data &");
++ system('nautilus-sendto', $user_data);
+ if($?){
+ my $response = $self->{_dialogs}->dlg_error_message(
+ sprintf( $self->{_d}->get("Error while executing %s."), "'nautilus-sendto'"),
+--- a/bin/shutter
++++ b/bin/shutter
+@@ -6972,12 +6972,9 @@
+ push( @files_to_email, $session_screens{$key}->{'long'} );
+ }
+ 
+- my $mail_string = undef;
+- foreach my $email_filename (@files_to_email) {
+- $mail_string .= "--attach '$email_filename' ";
+- }
++ my @mail_args = map { ( '--attach' => $_ ) } @files_to_email;
+ 
+- $shf->xdg_open_mail( undef, undef, $mail_string );
++ $shf->xdg_open_mail( undef, undef, @mail_args );
+ 
+ return TRUE;
+ }
diff --git a/debian/patches/series b/debian/patches/series
index c699cd6..f49a897 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,4 @@ insecure_use_of_system.patch
 0002-Force-utf8-for-retrieved-window-name-from-Gtk2.patch
 0003-Fix-error-on-executing-xdg-email.patch
 CVE-2016-10081.patch
+fix-perl-system-calls
-- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-perl/packages/shutter.git _______________________________________________ Pkg-perl-cvs-commits mailing list Pkg-perl-cvs-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-perl-cvs-commits
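Review bot: The `$text = quotemeta $text;` context line just above the new `system( convert => -caption => $text, ...)` in sppolaroid (inner hunk `@@ -360,27 +357,32 @@`) should go the same way as the `quotemeta $filename` lines, and so should the one before `"label:$text"` in spwatermark: that escaping only made sense while a shell was going to consume the backslashes, and with list-form `system` the escaped string is what convert itself receives, so captions containing spaces or punctuation will most likely render with stray backslashes. Both apply_effect bodies extend beyond their inner hunks. Separately, the patch `Description` header refers to `CVS-2016-10081` where the series file on this page names `CVE-2016-10081`. Also, in `nautilus_sendto` dropping the trailing `&` turns a backgrounded launch into a blocking call, so the caller now waits for nautilus-sendto to exit and `$?` reflects its real exit status rather than the shell's; if that is intended, a comment such as `# list-form system() cannot background the process; this call is synchronous` would make it explicit.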