Insecure use of perl exec()
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Shutter |
Fix Released
|
Undecided
|
Unassigned | ||
| Debian |
Fix Released
|
Unknown
|
|||
| openSUSE |
Fix Released
|
Medium
|
|||
Bug Description
This vulnerability is almost same as CVE-2015-0854. If you click "Run a plugin" option while viewing a file with a specially-crafted filename allows arbitrary code execution with the permissions
of the user running Shutter.
STEPS TO REPRODUCE:
1) Rename an image to something like "$(firefox)"
2) Open the renamed file in shutter
3) Click the "Run a plugin" option and select any plugin from the list and click "Run"
You should see firefox browser opened as separate process.
In line 7571-7572:
$session_
$session_
if the file doesn't any have extension, $session_
In line 7163:/usr/
exec( sprintf( "$^X $plugin_value %d $qfilename $session_
by passing unescaped shell characters "$session_
CVE References
| description: | updated |
| Changed in debian: | |
| status: | Unknown → Confirmed |
| Changed in opensuse: | |
| importance: | Unknown → Medium |
| status: | Unknown → Confirmed |
| Changed in debian: | |
| status: | Confirmed → Fix Released |
| Changed in opensuse: | |
| status: | Confirmed → Unknown |
| Changed in opensuse: | |
| status: | Unknown → Fix Released |
| Changed in opensuse: | |
| status: | Fix Released → Unknown |
| Changed in opensuse: | |
| status: | Unknown → Fix Released |
| Changed in shutter: | |
| milestone: | none → 0.94.1 |
| Changed in shutter: | |
| status: | Fix Committed → Fix Released |

CVE-2016-10081 id has been assigned for tracking this vulnerability.