Comment 0 for bug 1652600

prajith (prajithpalakkuda) wrote :

This vulnerability is almost the same as CVE-2015-0854. Clicking the "Run a plugin" option while viewing a file with a specially-crafted filename allows arbitrary code execution with the permissions
of the user running Shutter.

STEPS TO REPRODUCE:
   1) Rename an image to something like "$(firefox)"
   2) Open the renamed file in shutter
   3) Click the "Run a plugin" option and select any plugin from the list and click "Run"

   You should see the Firefox browser opened as a separate process.

In lines 7571-7572 of /usr/bin/shutter:

  $session_screens{$key}->{'filetype'} = $session_screens{$key}->{'short'};
  $session_screens{$key}->{'filetype'} =~ s/.*\.//ig;

If the file doesn't have any extension, $session_screens{$key}->{'filetype'} simply returns the actual filename instead of "undef".

In line 7163 of /usr/bin/shutter:

  exec( sprintf( "$^X $plugin_value %d $qfilename $session_screens{$key}->{'width'} $session_screens{$key}->{'height'} $session_screens{$key}->{'filetype'}\n", $socket->get_id ) );

By passing unescaped shell characters in "$session_screens{$key}->{'filetype'}" to the exec function, they get executed directly as the currently running user.
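As an added illustration (not part of this comment or of Shutter's own code), the following Perl models the two problems described above side by side with a hardened form: an extension parser that falls back to the whole filename versus one that returns undef when there is no dot, and a plugin launch built as a command string for /bin/sh versus one built as an argument list, which never invokes a shell. The plugin path and socket id are placeholders, and the sample filename is the one from the reproduction steps.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use 5.010;   # for the defined-or operator //

# Constructed example, not Shutter's code. It models the two problems the
# report describes: an extension parser that falls back to the whole filename,
# and a plugin launcher that hands that value to /bin/sh.

# Mirrors the report's lines 7571-7572: strip everything up to the last dot.
# With no dot in the name, nothing is stripped and the whole name survives.
sub filetype_original {
    my ($short) = @_;
    (my $ft = $short) =~ s/.*\.//ig;
    return $ft;
}

# Hardened variant: return the extension only when there actually is one,
# and undef otherwise, which is what the report says the caller expects.
sub filetype_safe {
    my ($short) = @_;
    return $short =~ /\.([^.]+)\z/ ? $1 : undef;
}

# Hardened launch: build an argument list instead of a command string.
# List-form exec/system never invokes a shell, so a name such as "$(firefox)"
# reaches the plugin as one literal argv element and is never expanded.
sub plugin_argv {
    my ($plugin, $socket_id, $filename, $width, $height, $filetype) = @_;
    return ($^X, $plugin, $socket_id, $filename, $width, $height, $filetype // '');
}

# Constructed sample: the filename from the report's reproduction steps.
my $name = '$(firefox)';
say "original filetype: ", filetype_original($name);
say "safe filetype:     ", filetype_safe($name) // 'undef';

my $plugin = '/path/to/plugin.pl';   # placeholder, not a real Shutter plugin path
my @argv = plugin_argv($plugin, 42, $name, 640, 480, filetype_safe($name));

# Real launch would be the indirect-object form, which forces list semantics
# even when the list happens to contain a single element:
#   exec { $argv[0] } @argv;
# For demonstration, hand the same list to /bin/echo so the literal argv is visible.
system('/bin/echo', @argv) == 0 or die "echo failed: $?";
```

Running this prints the filename unchanged in both the original filetype and the echoed argument list: with list-form system/exec there is no shell between Perl and the child process, so the "$(...)" sequence is just bytes in an argument, which is the property the single-string exec in line 7163 lacks.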