Shutter

Insecure use of perl exec()

Bug #1652600 reported by prajith on 2016-12-26
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Shutter
New
Undecided
Unassigned
Debian
Fix Released
Unknown
openSUSE
Unknown
Medium
Also affects project (?) Also affects distribution/package Nominate for series

Bug Description

This vulnerability is almost same as CVE-2015-0854. If you click "Run a plugin" option while viewing a file with a specially-crafted filename allows arbitrary code execution with the permissions
of the user running Shutter.

STEPS TO REPRODUCE:
   1) Rename an image to something like "$(firefox)"
   2) Open the renamed file in shutter
   3) Click the "Run a plugin" option and select any plugin from the list and click "Run"

   You should see firefox browser opened as separate process.

In line 7571-7572:/usr/bin/shutter

  $session_screens{$key}->{'filetype'} = $session_screens{$key}->{'short'};
  $session_screens{$key}->{'filetype'} =~ s/.*\.//ig;

if the file doesn't any have extension, $session_screens{$key}->{'filetype'} simply returns the actual filename instead of "undef".

In line 7163:/usr/bin/shutter

exec( sprintf( "$^X $plugin_value %d $qfilename $session_screens{$key}->{'width'} $session_screens{$key}->{'height'} $session_screens{$key}->{'filetype'}\n", $socket->get_id ) );

by passing unescaped shell characters "$session_screens{$key}->{'filetype'}" to exec function, it directly gets executed as current running user.

See original description

CVE References

prajith (prajithpalakkuda) on 2016-12-26
description: updated
prajith (prajithpalakkuda) wrote :

CVE-2016-10081 id has been assigned for tracking this vulnerability.

information type: Private Security → Public Security
In , Jsegitz-i (jsegitz-i) wrote :

CVE-2016-10081

/usr/bin/shutter in Shutter through 0.93.1 allows user-assisted remote attackers
to execute arbitrary commands via a crafted image name that is mishandled during
a "Run a plugin" action.

Details in https://bugs.launchpad.net/shutter/+bug/1652600

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10081
https://bugs.launchpad.net/shutter/+bug/1652600

Bug Watch Updater (bug-watch-updater) on 2016-12-30
Changed in debian:
status: Unknown → Confirmed
In , Swamp-a (swamp-a) wrote :

bugbot adjusting priority

Bug Watch Updater (bug-watch-updater) on 2017-01-02
Changed in opensuse:
importance: Unknown → Medium
status: Unknown → Confirmed
Dominique Dumont (domi-dumont) wrote :

I've prepared a new package on Debian to fix this issue and secure other system() calls.

This will be uploaded soon to Debian unstable

All the best

Dominique Dumont (domi-dumont) wrote :

Here's the patch to secure remaining system() calls:

https://anonscm.debian.org/cgit/collab-maint/shutter.git/tree/debian/patches/fix-perl-system-calls

Dominique Dumont (domi-dumont) wrote :

I forgot to mention the patch to CVE-2016-10081 which must be applied before the patch mentioned above.

https://anonscm.debian.org/cgit/collab-maint/shutter.git/tree/debian/patches/CVE-2016-10081.patch

You may also want to apply all Debian patches. They fix problems that are not specific to Debian:

https://anonscm.debian.org/cgit/collab-maint/shutter.git/tree/debian/patches

HTH

Bug Watch Updater (bug-watch-updater) on 2017-01-07
Changed in debian:
status: Confirmed → Fix Released
In , Matthias Mailänder (mailaender) wrote :

https://build.opensuse.org/request/show/449244

Bug Watch Updater (bug-watch-updater) on 2017-01-10
Changed in opensuse:
status: Confirmed → Unknown
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.