Activity log for bug #1652600

Date Who What changed Old value New value Message
2016-12-26 09:35:08 prajith bug added bug
2016-12-26 10:02:54 prajith description

Old value:

This vulnerability is almost the same as CVE-2015-0854. Clicking the "Run a plugin" option while viewing a file with a specially-crafted filename allows arbitrary code execution with the permissions of the user running Shutter.

STEPS TO REPRODUCE:
1) Rename an image to something like "$(firefox)"
2) Open the renamed file in shutter
3) Click the "Run a plugin" option and select any plugin from the list and click "Run"
You should see firefox browser opened as separate process.

In line 7571-7572:/usr/bin/shutter
$session_screens{$key}->{'filetype'} = $session_screens{$key}->{'short'};
$session_screens{$key}->{'filetype'} =~ s/.*\.//ig;
if the file doesn't have any extension, $session_screens{$key}->{'filetype'} simply returns the actual filename instead of "undef".

In line 7163:/usr/bin/shutter
exec( sprintf( "$^X $plugin_value %d $qfilename $session_screens{$key}->{'width'} $session_screens{$key}->{'height'} $session_screens{$key}->{'filetype'}\n", $socket->get_id ) );
by passing unescaped shell characters "$session_screens{$key}->{'filetype'}" to exec function, it directly get executed as current running user.

New value:

This vulnerability is almost the same as CVE-2015-0854. Clicking the "Run a plugin" option while viewing a file with a specially-crafted filename allows arbitrary code execution with the permissions of the user running Shutter.

STEPS TO REPRODUCE:
   1) Rename an image to something like "$(firefox)"
   2) Open the renamed file in shutter
   3) Click the "Run a plugin" option and select any plugin from the list and click "Run"
   You should see firefox browser opened as separate process.

In line 7571-7572:/usr/bin/shutter
  $session_screens{$key}->{'filetype'} = $session_screens{$key}->{'short'};
  $session_screens{$key}->{'filetype'} =~ s/.*\.//ig;
if the file doesn't have any extension, $session_screens{$key}->{'filetype'} simply returns the actual filename instead of "undef".

In line 7163:/usr/bin/shutter
  exec( sprintf( "$^X $plugin_value %d $qfilename $session_screens{$key}->{'width'} $session_screens{$key}->{'height'} $session_screens{$key}->{'filetype'}\n", $socket->get_id ) );
by passing unescaped shell characters "$session_screens{$key}->{'filetype'}" to exec function, it directly gets executed as current running user.

2016-12-29 08:44:33 prajith cve linked 2016-10081
2016-12-29 08:47:34 prajith information type Private Security Public Security
2016-12-30 21:41:18 Salvatore Bonaccorso bug watch added http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=849777
2016-12-30 21:41:18 Salvatore Bonaccorso bug task added debian
2016-12-30 22:33:42 Bug Watch Updater debian: status Unknown Confirmed
2016-12-31 07:09:18 Matthias Mailänder bug watch added https://bugzilla.suse.com/show_bug.cgi?id=1017571
2016-12-31 07:09:18 Matthias Mailänder bug task added opensuse
2017-01-02 02:06:06 Bug Watch Updater opensuse: status Unknown Confirmed
2017-01-02 02:06:06 Bug Watch Updater opensuse: importance Unknown Medium
2017-01-07 10:44:51 Bug Watch Updater debian: status Confirmed Fix Released
2017-01-10 23:22:46 Bug Watch Updater opensuse: status Confirmed Unknown
2017-08-07 18:12:17 Bug Watch Updater opensuse: status Unknown Fix Released
2017-08-12 09:31:45 Bug Watch Updater opensuse: status Fix Released Unknown
2017-08-12 13:57:22 Michael Kogan shutter: status New Fix Committed
2017-08-12 16:04:29 Michael Kogan shutter: status Fix Committed Confirmed
2017-08-12 16:05:36 Michael Kogan cve linked 2015-0854
2017-08-12 16:38:37 Michael Kogan shutter: status Confirmed In Progress
2017-08-18 04:51:43 Bug Watch Updater opensuse: status Unknown Fix Released
2018-09-09 14:02:23 Michael Kogan shutter: status In Progress Fix Committed
2018-09-09 16:56:05 Michael Kogan shutter: milestone 0.94.1
2018-09-09 17:07:38 Michael Kogan shutter: status Fix Committed Fix Released
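
The defect in the bug description above, as an added Perl example; it is not code from Shutter or from the released fix. It contrasts the quoted filetype derivation and single-string exec with a checked derivation and the list form of system, which bypasses the shell. The names filetype_checked and plugin.pl, the id 1234 and the -e one-liner standing in for a plugin are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

$| = 1;    # keep parent and child output in order

# Derivation quoted in the report: strip everything up to the last dot.
# With no dot in the name the substitution matches nothing, so the
# whole filename is kept as the "filetype".
sub filetype_as_reported {
    my ($short) = @_;
    ( my $type = $short ) =~ s/.*\.//ig;
    return $type;
}

# Checked derivation (assumption, not the project's fix): accept only a
# short alphanumeric extension and return undef for anything else.
sub filetype_checked {
    my ($short) = @_;
    return $short =~ /\.([A-Za-z0-9]{1,8})\z/ ? lc $1 : undef;
}

# Constructed sample names; the second is the one used in the report.
for my $name ( 'capture.png', '$(firefox)' ) {
    my $loose  = filetype_as_reported($name);
    my $strict = filetype_checked($name);
    printf "%-12s reported=%-12s checked=%s\n",
        $name, $loose, defined $strict ? $strict : 'undef';

    # Single-string form, as in the report: Perl passes a string that
    # contains shell metacharacters to /bin/sh -c, which parses it.
    # The string is only printed here, never executed.
    my $cmd = sprintf "%s plugin.pl %d %s", $^X, 1234, $loose;
    print "  string form, parsed by the shell: $cmd\n";

    # List form: no shell is involved, so even the unchecked value
    # reaches the child as one literal argv entry.
    my @argv = ( $^X, '-e', 'print "  list form, child argv: [@ARGV]\n"',
        1234, $loose );
    system(@argv) == 0 or warn "child failed: $?\n";
}
```

For the second name the child prints the value unchanged as a single argument, and filetype_checked returns undef, so a caller can refuse to run a plugin on it at all.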