Shutter

Insecure use of perl exec()

Bug #1652600 reported by prajith on 2016-12-26

256

This bug affects 1 person

	Status	Importance	Assigned to	Milestone
Shutter	Fix Released	Undecided	Unassigned	Shutter 0.94.1
Debian	Fix Released	Unknown	debbugs #849777
openSUSE	Fix Released	Medium	auto-bugzilla.suse.com #1017571

Bug Description

This vulnerability is almost same as CVE-2015-0854. If you click "Run a plugin" option while viewing a file with a specially-crafted filename allows arbitrary code execution with the permissions
of the user running Shutter.

STEPS TO REPRODUCE:
   1) Rename an image to something like "$(firefox)"
   2) Open the renamed file in shutter
   3) Click the "Run a plugin" option and select any plugin from the list and click "Run"

You should see firefox browser opened as separate process.

In line 7571-7572:/usr/bin/shutter

$session_screens{$key}->{'filetype'} = $session_screens{$key}->{'short'};
$session_screens{$key}->{'filetype'} =~ s/.*\.//ig;

if the file doesn't any have extension, $session_screens{$key}->{'filetype'} simply returns the actual filename instead of "undef".

In line 7163:/usr/bin/shutter

exec( sprintf( "$^X $plugin_value %d $qfilename $session_screens{$key}->{'width'} $session_screens{$key}->{'height'} $session_screens{$key}->{'filetype'}\n", $socket->get_id ) );

by passing unescaped shell characters "$session_screens{$key}->{'filetype'}" to exec function, it directly gets executed as current running user.

See original description

CVE References

prajith (prajithpalakkuda) on 2016-12-26

description:

updated

Revision history for this message

prajith (prajithpalakkuda) wrote on 2016-12-29:

CVE-2016-10081 id has been assigned for tracking this vulnerability.

information type:

Private Security → Public Security

Revision history for this message

In bugzilla.suse.com/ #1017571, Jsegitz-i (jsegitz-i) wrote on 2016-12-30:

CVE-2016-10081

/usr/bin/shutter in Shutter through 0.93.1 allows user-assisted remote attackers
to execute arbitrary commands via a crafted image name that is mishandled during
a "Run a plugin" action.

Details in https://bugs.launchpad.net/shutter/+bug/1652600

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10081
https://bugs.launchpad.net/shutter/+bug/1652600

Bug Watch Updater (bug-watch-updater) on 2016-12-30

Changed in debian:
status:	Unknown → Confirmed

Revision history for this message

In bugzilla.suse.com/ #1017571, Swamp-a (swamp-a) wrote on 2016-12-30:

bugbot adjusting priority

Bug Watch Updater (bug-watch-updater) on 2017-01-02

Changed in opensuse:
importance:	Unknown → Medium
status:	Unknown → Confirmed

Revision history for this message

Dominique Dumont (domi-dumont) wrote on 2017-01-06:

I've prepared a new package on Debian to fix this issue and secure other system() calls.

This will be uploaded soon to Debian unstable

All the best

Revision history for this message

Dominique Dumont (domi-dumont) wrote on 2017-01-06:

Here's the patch to secure remaining system() calls:

https://anonscm.debian.org/cgit/collab-maint/shutter.git/tree/debian/patches/fix-perl-system-calls

Revision history for this message

Dominique Dumont (domi-dumont) wrote on 2017-01-07:

I forgot to mention the patch to CVE-2016-10081 which must be applied before the patch mentioned above.

https://anonscm.debian.org/cgit/collab-maint/shutter.git/tree/debian/patches/CVE-2016-10081.patch

You may also want to apply all Debian patches. They fix problems that are not specific to Debian:

https://anonscm.debian.org/cgit/collab-maint/shutter.git/tree/debian/patches

HTH

Bug Watch Updater (bug-watch-updater) on 2017-01-07

Changed in debian:
status:	Confirmed → Fix Released

Revision history for this message

In bugzilla.suse.com/ #1017571, Matthias Mailänder (mailaender) wrote on 2017-01-08:

https://build.opensuse.org/request/show/449244

Bug Watch Updater (bug-watch-updater) on 2017-01-10

Changed in opensuse:
status:	Confirmed → Unknown

Revision history for this message

In bugzilla.suse.com/ #1017571, Matthias Mailänder (mailaender) wrote on 2017-08-05:

https://build.opensuse.org/request/show/449568

Bug Watch Updater (bug-watch-updater) on 2017-08-07

Changed in opensuse:
status:	Unknown → Fix Released

Revision history for this message

In bugzilla.suse.com/ #1017571, Andreas Stieger (andreasstieger) wrote on 2017-08-11:

42.2 was missing

Revision history for this message

In bugzilla.suse.com/ #1017571, Bwiedemann (bwiedemann) wrote on 2017-08-11:

#10

This is an autogenerated message for OBS integration:
This bug (1017571) was mentioned in
https://build.opensuse.org/request/show/516218 42.2+42.3 / shutter

Bug Watch Updater (bug-watch-updater) on 2017-08-12

Changed in opensuse:
status:	Fix Released → Unknown

Revision history for this message

Michael Kogan (michael-kogan) wrote on 2017-08-12:

#11

Applied Debian's patch in rev.1282.

Changed in shutter:
status:	New → Fix Committed

Revision history for this message

Michael Kogan (michael-kogan) wrote on 2017-08-12:

#12

Sorry, mistook this for CVE-2015-0854 (which is mentioned in the first line). Will now apply the patches fixing CVE-2016-10081.

Changed in shutter:
status:	Fix Committed → Confirmed

Revision history for this message

Michael Kogan (michael-kogan) wrote on 2017-08-12:

#13

Applied all Debian patches besides of "fix-perl-system-calls" so far, looks like I am too stupid to use patch properly.

Changed in shutter:
status:	Confirmed → In Progress

Revision history for this message

In bugzilla.suse.com/ #1017571, Andreas Stieger (andreasstieger) wrote on 2017-08-17:

#14

done

Revision history for this message

In bugzilla.suse.com/ #1017571, Swamp-a (swamp-a) wrote on 2017-08-18:

#15

openSUSE-SU-2017:2207-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1017571
CVE References: CVE-2016-10081
Sources used:
openSUSE Leap 42.3 (src): shutter-0.93.1-5.1
openSUSE Leap 42.2 (src): shutter-0.93.1-2.3.1

Bug Watch Updater (bug-watch-updater) on 2017-08-18

Changed in opensuse:
status:	Unknown → Fix Released

Revision history for this message

Michael Kogan (michael-kogan) wrote on 2018-09-09:

#16

Applied the remaining patch from https://salsa.debian.org/perl-team/modules/packages/shutter/blob/master/debian/patches/fix-perl-system-calls by hand in rev. 1298.

Changed in shutter:
status:	In Progress → Fix Committed

Michael Kogan (michael-kogan) on 2018-09-09

Changed in shutter:
milestone:	none → 0.94.1

Michael Kogan (michael-kogan) on 2018-09-09

Changed in shutter:
status:	Fix Committed → Fix Released

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

debbugs #849777
[done grave security upstream pending] Edit
auto-bugzilla.suse.com #1017571
[RESOLVED FIXED] Edit

Bug watches keep track of this bug in other bug trackers.