This vulnerability is almost the same as CVE-2015-0854. Clicking the "Run a plugin" option while viewing a file with a specially crafted filename allows arbitrary code execution with the permissions of the user running Shutter.
STEPS TO REPRODUCE:
1) Rename an image to something like "$(firefox)"
2) Open the renamed file in Shutter
3) Click the "Run a plugin" option, select any plugin from the list and click "Run"
You should see the Firefox browser open as a separate process.
In lines 7571-7572 of /usr/bin/shutter:
$session_screens{$key}->{'filetype'} = $session_screens{$key}->{'short'};
$session_screens{$key}->{'filetype'} =~ s/.*\.//ig;
If the file doesn't have any extension, $session_screens{$key}->{'filetype'} simply returns the actual filename instead of "undef".
In line 7163 of /usr/bin/shutter:
exec( sprintf( "$^X $plugin_value %d $qfilename $session_screens{$key}->{'width'} $session_screens{$key}->{'height'} $session_screens{$key}->{'filetype'}\n", $socket->get_id ) );
Because $session_screens{$key}->{'filetype'} is passed to the exec function with its shell characters unescaped, they are executed directly as the currently running user.
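The two behaviours described above can be checked in isolation. The following is an added example, not Shutter's code or its actual fix: filetype_original reproduces the reported substitution, filetype_checked is a hypothetical stricter helper, and a Perl one-liner that echoes its arguments stands in for a plugin. The sample filenames, socket id and dimensions are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Derivation as quoted in the report: strip everything up to the last dot.
# When the name has no dot the substitution does not match, so the whole
# filename comes back unchanged.
sub filetype_original {
    my ($short) = @_;
    ( my $type = $short ) =~ s/.*\.//ig;
    return $type;
}

# Hypothetical hardened helper: return an extension only when one exists
# and is short and purely alphanumeric; otherwise return undef.
sub filetype_checked {
    my ($short) = @_;
    return $short =~ /\.([A-Za-z0-9]{1,8})\z/ ? lc $1 : undef;
}

# Constructed sample names: one ordinary, one taken from the report.
for my $name ( 'screenshot.png', '$(firefox)' ) {
    my $orig = filetype_original($name);
    my $safe = filetype_checked($name);
    printf "%-16s original=%-12s checked=%s\n",
        $name, $orig, $safe // 'undef';

    # Stand-in for "$^X $plugin_value ...": a one-liner that prints the
    # arguments it received (socket id, file, width, height, filetype).
    my @argv = (
        $^X, '-e', 'print join("|", @ARGV), "\n"',
        1234, $name, 800, 600, $safe // 'unknown',
    );

    # List form with an explicit program: Perl calls execvp directly and
    # no shell ever parses the arguments, so "$(...)" stays literal text.
    system { $argv[0] } @argv;
}
```

For the second name the child process prints `1234|$(firefox)|800|600|unknown`, showing that the filename reaches the plugin as a literal argument and that the checked derivation no longer falls back to the full filename.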