Insecure use of perl exec()

Bug #1652600 reported by prajith on 2016-12-26

Bug Description

This vulnerability is almost the same as CVE-2015-0854. Clicking the "Run a plugin" option while viewing a file with a specially crafted filename allows arbitrary code execution with the permissions
of the user running Shutter.

   1) Rename an image to something like "$(firefox)"
   2) Open the renamed file in shutter
   3) Click the "Run a plugin" option and select any plugin from the list and click "Run"

   You should see firefox browser opened as separate process.

In lines 7571-7572 of /usr/bin/shutter:

  $session_screens{$key}->{'filetype'} = $session_screens{$key}->{'short'};
  $session_screens{$key}->{'filetype'} =~ s/.*\.//ig;

If the file doesn't have any extension, $session_screens{$key}->{'filetype'} simply returns the actual filename instead of "undef".

In line 7163 of /usr/bin/shutter:

exec( sprintf( "$^X $plugin_value %d $qfilename $session_screens{$key}->{'width'} $session_screens{$key}->{'height'} $session_screens{$key}->{'filetype'}\n", $socket->get_id ) );

By passing the unescaped shell characters in "$session_screens{$key}->{'filetype'}" to the exec function, they directly get executed as the currently running user.
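The following Perl script is an added illustration, not code from Shutter or from this report. It reproduces the two steps the report describes (the "filetype" derived by stripping everything up to the last dot, and the command line assembled for the plugin), and places the single-string form next to the list form of system()/exec(), which Perl passes straight to execvp() so no shell ever parses the arguments. The function names filetype_of, build_shell_command, build_argv and run_plugin_safely, the plugin path and the sample filename are all constructed for the example; the vulnerable string is only built and printed, never executed.

```perl
#!/usr/bin/perl
# Added example (not Shutter's code): single-string exec versus list-form exec.
use strict;
use warnings;

# Same substitution as in the report: remove everything up to the last dot.
# A name with no dot is left untouched, so the whole filename becomes "filetype".
sub filetype_of {
    my ($short) = @_;
    (my $ft = $short) =~ s/.*\.//;
    return $ft;
}

# Vulnerable shape: one string handed to exec(). When it contains shell
# metacharacters Perl runs it through /bin/sh -c, which interprets $(...),
# backticks, ';' and so on. Returned as a string here, never executed.
sub build_shell_command {
    my ($plugin, $id, $file, $w, $h, $ft) = @_;
    return sprintf( "$^X $plugin %d $file $w $h $ft", $id );
}

# Hardened shape: an argument list. With more than one element Perl calls
# execvp() directly, so each element reaches the plugin as one literal argv
# entry regardless of what characters it contains.
sub build_argv {
    my ($plugin, $id, $file, $w, $h, $ft) = @_;
    return [ $^X, $plugin, $id, $file, $w, $h, $ft ];
}

# Defensive wrapper: only ever uses the multi-argument form of system().
sub run_plugin_safely {
    my @argv = @{ build_argv(@_) };
    my $rc = system(@argv);    # list form: no shell involved
    return $rc == 0;
}

# Constructed sample: an extension-less filename carrying shell syntax.
my $short = '$(true)';
my $ft    = filetype_of($short);    # whole name, exactly as the report notes

print "filetype: $ft\n";
print "string form: ", build_shell_command( 'plugin.pl', 42, $short, 800, 600, $ft ), "\n";
print "argv form:   ", join( ' | ', @{ build_argv( 'plugin.pl', 42, $short, 800, 600, $ft ) } ), "\n";
```

The printed "string form" is what a shell would receive under the original code path, with the filename's $(...) still in place; in the "argv form" the same text is just one entry of the list and is never interpreted. The practical rule this demonstrates is the one Debian's "fix-perl-system-calls" patch name points at: never interpolate filenames into a single command string, and always call system() or exec() with a list.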

description: updated
prajith (prajithpalakkuda) wrote :

CVE-2016-10081 id has been assigned for tracking this vulnerability.

information type: Private Security → Public Security


/usr/bin/shutter in Shutter through 0.93.1 allows user-assisted remote attackers
to execute arbitrary commands via a crafted image name that is mishandled during
a "Run a plugin" action.

Details in


Changed in debian:
status: Unknown → Confirmed

bugbot adjusting priority

Changed in opensuse:
importance: Unknown → Medium
status: Unknown → Confirmed
Dominique Dumont (domi-dumont) wrote :

I've prepared a new package on Debian to fix this issue and secure other system() calls.

This will be uploaded soon to Debian unstable.

All the best

Dominique Dumont (domi-dumont) wrote :

I forgot to mention the patch to CVE-2016-10081 which must be applied before the patch mentioned above.

You may also want to apply all Debian patches. They fix problems that are not specific to Debian:


Changed in debian:
status: Confirmed → Fix Released
Changed in opensuse:
status: Confirmed → Unknown
Changed in opensuse:
status: Unknown → Fix Released

42.2 was missing

This is an autogenerated message for OBS integration:
This bug (1017571) was mentioned in 42.2+42.3 / shutter

Changed in opensuse:
status: Fix Released → Unknown
Michael Kogan (michael-kogan) wrote :

Applied Debian's patch in rev.1282.

Changed in shutter:
status: New → Fix Committed
Michael Kogan (michael-kogan) wrote :

Sorry, mistook this for CVE-2015-0854 (which is mentioned in the first line). Will now apply the patches fixing CVE-2016-10081.

Changed in shutter:
status: Fix Committed → Confirmed
Michael Kogan (michael-kogan) wrote :

Applied all Debian patches except "fix-perl-system-calls" so far; looks like I am too stupid to use patch properly.

Changed in shutter:
status: Confirmed → In Progress

openSUSE-SU-2017:2207-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1017571
CVE References: CVE-2016-10081
Sources used:
openSUSE Leap 42.3 (src): shutter-0.93.1-5.1
openSUSE Leap 42.2 (src): shutter-0.93.1-2.3.1

Changed in opensuse:
status: Unknown → Fix Released
Michael Kogan (michael-kogan) wrote :
Changed in shutter:
status: In Progress → Fix Committed
Changed in shutter:
milestone: none → 0.94.1
Changed in shutter:
status: Fix Committed → Fix Released