Insecure use of system() allows arbitrary code execution via "Show in Folder"

Bug #1495163 reported by Luke Faraone on 2015-09-13
This bug affects 1 person
Affects Status Importance Assigned to Milestone
shutter (Debian)
Fix Released
shutter (Ubuntu)

Bug Description

Using the "Show in folder" menu option while viewing a file with a specially-crafted path allows for arbitrary code execution with the permissions of the user running Shutter.

     1. Put an image in a folder called "$(xeyes)"
     2. Open the image in Shutter
     3. Right-click the image and click "Show in Folder"

The `xeyes` program (if installed on your system) should start.

Lines 54-65 of share/shutter/resources/modules/Shutter/App/
        sub xdg_open {
                my ( $self, $dialog, $link, $user_data ) = @_;
                system("xdg-open $link");

Because `system` is used, the string is scanned for shell
metacharacters[1], and if found the string is executed using a shell.


CVE-2015-0854 has been assigned for this issue by the Debian Security Team.
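
The difference between the string and list forms of Perl's `system`, as an added example that is not part of the original report and is not Shutter's code. Assumptions: `true` stands in for `xdg-open` so the demo needs no desktop session, and the path with its marker file is constructed for the demo.

```perl
#!/usr/bin/perl
# Added example, not Shutter's code: string-form vs list-form system().
use strict;
use warnings;
use File::Temp qw(tempdir);

# Stand-in for xdg-open (assumption) so this runs without a desktop session.
my @opener = ('true');

my $dir    = tempdir( CLEANUP => 1 );
my $marker = "$dir/marker";

# Constructed sample path, shaped like the report's "$(xeyes)" folder name,
# with a harmless command that only creates a marker file in the temp dir.
my $link = "$dir/\$(touch $marker)/image.png";

# Before: one string. Perl finds shell metacharacters and hands the whole
# string to "/bin/sh -c", so the shell expands $(...) before the opener runs.
sub open_unsafe {
    my ($path) = @_;
    return system("@opener $path");
}

# After: a list with more than one element. Perl executes the program
# directly, no shell parses the path, and it arrives as one argv element.
sub open_safe {
    my ($path) = @_;
    my @args = ( @opener, $path );
    return system(@args);
}

open_safe($link);
print "list form:   marker ", ( -e $marker ? "created" : "absent" ), "\n";

open_unsafe($link);
print "string form: marker ", ( -e $marker ? "created" : "absent" ), "\n";
```

A list with a single element is still checked for shell metacharacters like the string form, so the command and the path must be separate list elements.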

Luke Faraone (lfaraone) wrote :
Luke Faraone (lfaraone) on 2015-09-13
information type: Private Security → Public Security
Luke Faraone (lfaraone) on 2015-09-13
Changed in shutter (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
Changed in shutter (Debian):
status: Unknown → Confirmed
tags: added: patch
Robin Lee (cheeselee) wrote :

Luke's patch is not 'strict'. '@args' should have a 'my' declaration.

Robin Lee (cheeselee) wrote :

Shutter has several places using string style 'system'. Is only this 'system' vulnerable?

Changed in shutter (Debian):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shutter - 0.93.1-1ubuntu1

shutter (0.93.1-1ubuntu1) xenial; urgency=low

  * Merge from Debian unstable (LP: #1564122). Remaining changes:
   - debian/control: Recommend libgtk2-appindicator-perl.

shutter (0.93.1-1) unstable; urgency=medium

  * Non-maintainer upload.
  * New upstream release.
  * Fix insecure use of system() (Closes: #798862, LP: #1495163).
  * debian/rules: Install WebService/

 -- Andrew Starr-Bochicchio <email address hidden> Sat, 02 Apr 2016 11:22:14 -0400

Changed in shutter (Ubuntu):
status: Triaged → Fix Released
Photon (michael-kogan) wrote :

Applied Debian's patch in rev.1282.

Changed in shutter:
status: New → Fix Committed
Photon (michael-kogan) on 2017-08-14
Changed in shutter:
milestone: none → 0.94
Photon (michael-kogan) on 2017-08-16
Changed in shutter:
status: Fix Committed → Fix Released