Insecure use of perl exec()
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Shutter | | Undecided | Unassigned | |
Debian | Fix Released | Unknown | | |
openSUSE | Fix Released | Medium | | |
Bug Description
This vulnerability is almost the same as CVE-2015-0854. Clicking the "Run a plugin" option while viewing a file with a specially crafted filename allows arbitrary code execution with the permissions of the user running Shutter.
STEPS TO REPRODUCE:
1) Rename an image to something like "$(firefox)"
2) Open the renamed file in shutter
3) Click the "Run a plugin" option and select any plugin from the list and click "Run"
You should see firefox browser opened as separate process.
In line 7571-7572:
$session_
$session_
if the file doesn't have any extension, $session_
In line 7163:/usr/
exec( sprintf( "$^X $plugin_value %d $qfilename $session_
by passing unescaped shell characters "$session_
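The behaviour described in the report, as an added example (not part of the original report and not Shutter's code): Perl's exec() given one interpolated string hands it to /bin/sh, which expands the file name, while the list form passes the name to the program as a single argument. The `printf` stand-in for a plugin, the `capture_exec` helper and the file names are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Fork a child with its stdout piped back to us, run $code in the child
# (it is expected to exec), and return everything the child printed.
sub capture_exec {
    my ($code) = @_;
    my $pid = open(my $out, '-|') // die "fork failed: $!";
    if ($pid == 0) { $code->(); die "exec failed: $!"; }
    local $/;
    my $text = <$out> // '';
    close $out;
    return $text;
}

# Hypothetical stand-in for a plugin: prints each argument on its own line.
my @plugin = ('printf', '%s\n');

# Constructed file names. The second has the same shape as the "$(firefox)"
# name in the report, with a harmless payload.
for my $name ('screenshot.png', '$(echo INJECTED).png', 'a;echo INJECTED') {
    # Unsafe shape: a single interpolated string. Perl passes it to
    # /bin/sh -c, so the shell parses the file name as shell syntax.
    my $shell = capture_exec(sub { exec("printf '%s\\n' $name") });

    # List form: the arguments go directly to execvp(); no shell is
    # involved and the file name arrives as one literal argument.
    my $list = capture_exec(sub { exec(@plugin, $name) });

    chomp($shell, $list);
    s/\n/\\n/g for $shell, $list;    # keep multi-line output on one row
    printf "%-22s string form: %-14s list form: %s\n", $name, $shell, $list;
}
```

Only the list form prints every name unchanged; in the string form the second and third names produce output that came from a command the shell ran. system() follows the same one-string versus list rule as exec().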
CVE References
description: | updated |
|
#2 |
CVE-2016-10081
/usr/bin/shutter in Shutter through 0.93.1 allows user-assisted remote attackers
to execute arbitrary commands via a crafted image name that is mishandled during
a "Run a plugin" action.
Details in https:/
References:
http://
https:/
Changed in debian: | |
status: | Unknown → Confirmed |
Changed in opensuse: | |
importance: | Unknown → Medium |
status: | Unknown → Confirmed |
Dominique Dumont (domi-dumont) wrote : | #4 |
I've prepared a new package on Debian to fix this issue and secure other system() calls.
This will be uploaded soon to Debian unstable
All the best
Dominique Dumont (domi-dumont) wrote : | #5 |
Here's the patch to secure remaining system() calls:
https:/
Dominique Dumont (domi-dumont) wrote : | #6 |
I forgot to mention the patch to CVE-2016-10081 which must be applied before the patch mentioned above.
https:/
You may also want to apply all Debian patches. They fix problems that are not specific to Debian:
https:/
HTH
Changed in debian: | |
status: | Confirmed → Fix Released |
Changed in opensuse: | |
status: | Confirmed → Unknown |
Changed in opensuse: | |
status: | Unknown → Fix Released |
|
#10 |
This is an autogenerated message for OBS integration:
This bug (1017571) was mentioned in
https:/
Changed in opensuse: | |
status: | Fix Released → Unknown |
Michael Kogan (michael-kogan) wrote : | #11 |
Applied Debian's patch in rev.1282.
Changed in shutter: | |
status: | New → Fix Committed |
Michael Kogan (michael-kogan) wrote : | #12 |
Sorry, mistook this for CVE-2015-0854 (which is mentioned in the first line). Will now apply the patches fixing CVE-2016-10081.
Changed in shutter: | |
status: | Fix Committed → Confirmed |
Michael Kogan (michael-kogan) wrote : | #13 |
Applied all Debian patches besides of "fix-perl-
Changed in shutter: | |
status: | Confirmed → In Progress |
|
#15 |
openSUSE-
Category: security (moderate)
Bug References: 1017571
CVE References: CVE-2016-10081
Sources used:
openSUSE Leap 42.3 (src): shutter-0.93.1-5.1
openSUSE Leap 42.2 (src): shutter-
Changed in opensuse: | |
status: | Unknown → Fix Released |
Michael Kogan (michael-kogan) wrote : | #16 |
Applied the remaining patch from https:/
Changed in shutter: | |
status: | In Progress → Fix Committed |
Changed in shutter: | |
milestone: | none → 0.94.1 |
Changed in shutter: | |
status: | Fix Committed → Fix Released |
CVE-2016-10081 id has been assigned for tracking this vulnerability.