Insecure use of perl exec()

Bug #1652600 reported by prajith
This bug affects 1 person
Affects  | Status       | Importance | Assigned to | Milestone
Shutter  | Fix Released | Undecided  | Unassigned  |
Debian   | Fix Released | Unknown    |             |
openSUSE | Fix Released | Medium     |             |

Bug Description

This vulnerability is almost the same as CVE-2015-0854. Clicking the "Run a plugin" option while viewing a file with a specially crafted filename allows arbitrary code execution with the permissions of the user running Shutter.

STEPS TO REPRODUCE:
   1) Rename an image to something like "$(firefox)"
   2) Open the renamed file in shutter
   3) Click the "Run a plugin" option and select any plugin from the list and click "Run"

   You should see firefox browser opened as separate process.

In lines 7571-7572 of /usr/bin/shutter:

  $session_screens{$key}->{'filetype'} = $session_screens{$key}->{'short'};
  $session_screens{$key}->{'filetype'} =~ s/.*\.//ig;

If the file doesn't have any extension, $session_screens{$key}->{'filetype'} simply returns the actual filename instead of "undef".

In line 7163 of /usr/bin/shutter:

exec( sprintf( "$^X $plugin_value %d $qfilename $session_screens{$key}->{'width'} $session_screens{$key}->{'height'} $session_screens{$key}->{'filetype'}\n", $socket->get_id ) );

By passing unescaped shell characters in "$session_screens{$key}->{'filetype'}" to the exec function, it directly gets executed as the current running user.
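
An added example, not part of the original report or of Shutter's code: it reproduces the filetype substitution quoted above on constructed file names, then passes the result to a child process once as a single interpolated string and once as an argument list. The sample names, the `filetype_checked` helper and the child one-liner are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
$| = 1;    # keep parent and child output in order

# Constructed sample names; the second has no extension and holds shell syntax.
my @names = ('shot.png', '$(echo EXPANDED)');

# Same substitution as the lines quoted from /usr/bin/shutter: with no dot in
# the name nothing matches, so the whole name is kept as the "filetype".
sub filetype_as_reported {
    my ($short) = @_;
    (my $type = $short) =~ s/.*\.//ig;
    return $type;
}

# Hypothetical stricter helper (an assumption, not the Debian patch): accept
# only a short alphanumeric extension, otherwise return undef.
sub filetype_checked {
    my ($short) = @_;
    return $short =~ /\.([A-Za-z0-9]{1,5})\z/ ? lc $1 : undef;
}

for my $name (@names) {
    my $type = filetype_as_reported($name);
    printf "name=%s filetype=%s checked=%s\n",
        $name, $type, filetype_checked($name) // 'undef';

    # One interpolated string: perl hands it to /bin/sh -c, which expands
    # $(...) before the child starts. exec() follows the same rule as system().
    print "  string form: ";
    system("$^X -le 'print shift' $type");

    # List form: the arguments go straight to execvp, no shell parses them,
    # so the child receives the name byte for byte.
    print "  list form:   ";
    system($^X, '-le', 'print shift', $type);
}
```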

description: updated
prajith (prajithpalakkuda) wrote :

CVE-2016-10081 id has been assigned for tracking this vulnerability.

information type: Private Security → Public Security
In , Jsegitz-i (jsegitz-i) wrote :

CVE-2016-10081

/usr/bin/shutter in Shutter through 0.93.1 allows user-assisted remote attackers
to execute arbitrary commands via a crafted image name that is mishandled during
a "Run a plugin" action.

Details in https://bugs.launchpad.net/shutter/+bug/1652600

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10081
https://bugs.launchpad.net/shutter/+bug/1652600

Changed in debian:
status: Unknown → Confirmed
In , Swamp-a (swamp-a) wrote :

bugbot adjusting priority

Changed in opensuse:
importance: Unknown → Medium
status: Unknown → Confirmed
Dominique Dumont (domi-dumont) wrote :

I've prepared a new package on Debian to fix this issue and secure other system() calls.

This will be uploaded soon to Debian unstable

All the best

Dominique Dumont (domi-dumont) wrote :
Dominique Dumont (domi-dumont) wrote :

I forgot to mention the patch to CVE-2016-10081 which must be applied before the patch mentioned above.

https://anonscm.debian.org/cgit/collab-maint/shutter.git/tree/debian/patches/CVE-2016-10081.patch

You may also want to apply all Debian patches. They fix problems that are not specific to Debian:

https://anonscm.debian.org/cgit/collab-maint/shutter.git/tree/debian/patches

HTH

Changed in debian:
status: Confirmed → Fix Released
In , Matthias Mailänder (mailaender) wrote :
Changed in opensuse:
status: Confirmed → Unknown
In , Matthias Mailänder (mailaender) wrote :
Changed in opensuse:
status: Unknown → Fix Released
In , Andreas Stieger (andreasstieger) wrote :

42.2 was missing

In , Bwiedemann (bwiedemann) wrote :

This is an autogenerated message for OBS integration:
This bug (1017571) was mentioned in
https://build.opensuse.org/request/show/516218 42.2+42.3 / shutter

Changed in opensuse:
status: Fix Released → Unknown
Michael Kogan (michael-kogan) wrote :

Applied Debian's patch in rev.1282.

Changed in shutter:
status: New → Fix Committed
Michael Kogan (michael-kogan) wrote :

Sorry, mistook this for CVE-2015-0854 (which is mentioned in the first line). Will now apply the patches fixing CVE-2016-10081.

Changed in shutter:
status: Fix Committed → Confirmed
Michael Kogan (michael-kogan) wrote :

Applied all Debian patches besides "fix-perl-system-calls" so far; looks like I am too stupid to use patch properly.

Changed in shutter:
status: Confirmed → In Progress
In , Andreas Stieger (andreasstieger) wrote :

done

In , Swamp-a (swamp-a) wrote :

openSUSE-SU-2017:2207-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1017571
CVE References: CVE-2016-10081
Sources used:
openSUSE Leap 42.3 (src): shutter-0.93.1-5.1
openSUSE Leap 42.2 (src): shutter-0.93.1-2.3.1

Changed in opensuse:
status: Unknown → Fix Released
Michael Kogan (michael-kogan) wrote :
Changed in shutter:
status: In Progress → Fix Committed
Changed in shutter:
milestone: none → 0.94.1
Changed in shutter:
status: Fix Committed → Fix Released