Shutter

Insecure use of perl exec()

Bug #1652600 reported by prajith on 2016-12-26
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Shutter
Fix Released
Undecided
Unassigned
Shutter 0.94.1
Debian
Fix Released
Unknown
openSUSE
Fix Released
Medium
Also affects project (?) Also affects distribution/package Nominate for series

Bug Description

This vulnerability is almost same as CVE-2015-0854. If you click "Run a plugin" option while viewing a file with a specially-crafted filename allows arbitrary code execution with the permissions
of the user running Shutter.

STEPS TO REPRODUCE:
   1) Rename an image to something like "$(firefox)"
   2) Open the renamed file in shutter
   3) Click the "Run a plugin" option and select any plugin from the list and click "Run"

   You should see firefox browser opened as separate process.

In line 7571-7572:/usr/bin/shutter

  $session_screens{$key}->{'filetype'} = $session_screens{$key}->{'short'};
  $session_screens{$key}->{'filetype'} =~ s/.*\.//ig;

if the file doesn't any have extension, $session_screens{$key}->{'filetype'} simply returns the actual filename instead of "undef".

In line 7163:/usr/bin/shutter

exec( sprintf( "$^X $plugin_value %d $qfilename $session_screens{$key}->{'width'} $session_screens{$key}->{'height'} $session_screens{$key}->{'filetype'}\n", $socket->get_id ) );

by passing unescaped shell characters "$session_screens{$key}->{'filetype'}" to exec function, it directly gets executed as current running user.

See original description

CVE References

prajith (prajithpalakkuda) on 2016-12-26
description: updated
prajith (prajithpalakkuda) wrote :

CVE-2016-10081 id has been assigned for tracking this vulnerability.

information type: Private Security → Public Security
In , Jsegitz-i (jsegitz-i) wrote :

CVE-2016-10081

/usr/bin/shutter in Shutter through 0.93.1 allows user-assisted remote attackers
to execute arbitrary commands via a crafted image name that is mishandled during
a "Run a plugin" action.

Details in https://bugs.launchpad.net/shutter/+bug/1652600

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10081
https://bugs.launchpad.net/shutter/+bug/1652600

Bug Watch Updater (bug-watch-updater) on 2016-12-30
Changed in debian:
status: Unknown → Confirmed
In , Swamp-a (swamp-a) wrote :

bugbot adjusting priority

Bug Watch Updater (bug-watch-updater) on 2017-01-02
Changed in opensuse:
importance: Unknown → Medium
status: Unknown → Confirmed
Dominique Dumont (domi-dumont) wrote :

I've prepared a new package on Debian to fix this issue and secure other system() calls.

This will be uploaded soon to Debian unstable

All the best

Dominique Dumont (domi-dumont) wrote :

Here's the patch to secure remaining system() calls:

https://anonscm.debian.org/cgit/collab-maint/shutter.git/tree/debian/patches/fix-perl-system-calls

Dominique Dumont (domi-dumont) wrote :

I forgot to mention the patch to CVE-2016-10081 which must be applied before the patch mentioned above.

https://anonscm.debian.org/cgit/collab-maint/shutter.git/tree/debian/patches/CVE-2016-10081.patch

You may also want to apply all Debian patches. They fix problems that are not specific to Debian:

https://anonscm.debian.org/cgit/collab-maint/shutter.git/tree/debian/patches

HTH

Bug Watch Updater (bug-watch-updater) on 2017-01-07
Changed in debian:
status: Confirmed → Fix Released
In , Matthias Mailänder (mailaender) wrote :

https://build.opensuse.org/request/show/449244

Bug Watch Updater (bug-watch-updater) on 2017-01-10
Changed in opensuse:
status: Confirmed → Unknown
In , Matthias Mailänder (mailaender) wrote :

https://build.opensuse.org/request/show/449568

Bug Watch Updater (bug-watch-updater) on 2017-08-07
Changed in opensuse:
status: Unknown → Fix Released
In , Andreas Stieger (andreasstieger) wrote :

42.2 was missing

In , Bwiedemann (bwiedemann) wrote :

This is an autogenerated message for OBS integration:
This bug (1017571) was mentioned in
https://build.opensuse.org/request/show/516218 42.2+42.3 / shutter

Bug Watch Updater (bug-watch-updater) on 2017-08-12
Changed in opensuse:
status: Fix Released → Unknown
Photon (michael-kogan) wrote :

Applied Debian's patch in rev.1282.

Changed in shutter:
status: New → Fix Committed
Photon (michael-kogan) wrote :

Sorry, mistook this for CVE-2015-0854 (which is mentioned in the first line). Will now apply the patches fixing CVE-2016-10081.

Changed in shutter:
status: Fix Committed → Confirmed
Photon (michael-kogan) wrote :

Applied all Debian patches besides of "fix-perl-system-calls" so far, looks like I am too stupid to use patch properly.

Changed in shutter:
status: Confirmed → In Progress
In , Andreas Stieger (andreasstieger) wrote :

done

In , Swamp-a (swamp-a) wrote :

openSUSE-SU-2017:2207-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1017571
CVE References: CVE-2016-10081
Sources used:
openSUSE Leap 42.3 (src): shutter-0.93.1-5.1
openSUSE Leap 42.2 (src): shutter-0.93.1-2.3.1

Bug Watch Updater (bug-watch-updater) on 2017-08-18
Changed in opensuse:
status: Unknown → Fix Released
Photon (michael-kogan) wrote :

Applied the remaining patch from https://salsa.debian.org/perl-team/modules/packages/shutter/blob/master/debian/patches/fix-perl-system-calls by hand in rev. 1298.

Changed in shutter:
status: In Progress → Fix Committed
Photon (michael-kogan) on 2018-09-09
Changed in shutter:
milestone: none → 0.94.1
Photon (michael-kogan) on 2018-09-09
Changed in shutter:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.