Insecure use of perl exec()
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| | Shutter |
Undecided
|
Unassigned | ||
| | Debian |
Fix Released
|
Unknown
|
||
| | openSUSE |
Unknown
|
Medium
|
||
Bug Description
This vulnerability is almost same as CVE-2015-0854. If you click "Run a plugin" option while viewing a file with a specially-crafted filename allows arbitrary code execution with the permissions
of the user running Shutter.
STEPS TO REPRODUCE:
1) Rename an image to something like "$(firefox)"
2) Open the renamed file in shutter
3) Click the "Run a plugin" option and select any plugin from the list and click "Run"
You should see firefox browser opened as separate process.
In line 7571-7572:
$session_
$session_
if the file doesn't any have extension, $session_
In line 7163:/usr/
exec( sprintf( "$^X $plugin_value %d $qfilename $session_
by passing unescaped shell characters "$session_
CVE References
| description: | updated |
|
|
#2 |
CVE-2016-10081
/usr/bin/shutter in Shutter through 0.93.1 allows user-assisted remote attackers
to execute arbitrary commands via a crafted image name that is mishandled during
a "Run a plugin" action.
Details in https:/
References:
http://
https:/
| Changed in debian: | |
| status: | Unknown → Confirmed |
| Changed in opensuse: | |
| importance: | Unknown → Medium |
| status: | Unknown → Confirmed |
| Dominique Dumont (domi-dumont) wrote : | #4 |
I've prepared a new package on Debian to fix this issue and secure other system() calls.
This will be uploaded soon to Debian unstable
All the best
| Dominique Dumont (domi-dumont) wrote : | #5 |
Here's the patch to secure remaining system() calls:
https:/
| Dominique Dumont (domi-dumont) wrote : | #6 |
I forgot to mention the patch to CVE-2016-10081 which must be applied before the patch mentioned above.
https:/
You may also want to apply all Debian patches. They fix problems that are not specific to Debian:
https:/
HTH
| Changed in debian: | |
| status: | Confirmed → Fix Released |
| Changed in opensuse: | |
| status: | Confirmed → Unknown |
| Changed in opensuse: | |
| status: | Unknown → Fix Released |
|
|
#10 |
This is an autogenerated message for OBS integration:
This bug (1017571) was mentioned in
https:/
| Changed in opensuse: | |
| status: | Fix Released → Unknown |
| Photon (michael-kogan) wrote : | #11 |
Applied Debian's patch in rev.1282.
| Changed in shutter: | |
| status: | New → Fix Committed |
| Photon (michael-kogan) wrote : | #12 |
Sorry, mistook this for CVE-2015-0854 (which is mentioned in the first line). Will now apply the patches fixing CVE-2016-10081.
| Changed in shutter: | |
| status: | Fix Committed → Confirmed |
| Photon (michael-kogan) wrote : | #13 |
Applied all Debian patches besides of "fix-perl-
| Changed in shutter: | |
| status: | Confirmed → In Progress |
CVE-2016-10081 id has been assigned for tracking this vulnerability.