Bug 560426 (CVE-2015-0854) - <x11-misc/shutter-0.93.1-r2: Insecure use of system()
Status: RESOLVED FIXED
Alias: CVE-2015-0854
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: ~2 [noglsa]
 
Reported: 2015-09-14 09:24 UTC by Agostino Sarubbo
Modified: 2016-12-11 00:12 UTC


Attachments
Patch that fixes this issue (insecure_use_of_system.patch, 887 bytes, patch)
2016-08-25 21:45 UTC, Alexey Zapparov

Description Agostino Sarubbo gentoo-dev 2015-09-14 09:24:43 UTC
From ${URL} :

In the "Shutter" screenshot application, I discovered that using the
"Show in folder" menu option while viewing a file with a
specially-crafted path allows for arbitrary code execution with the
permissions of the user running Shutter.

STEPS TO REPRODUCE:
     1. Put an image in a folder called "$(xeyes)"
     2. Open the image in Shutter
     3. Right-click the image and click "Show in Folder"

The `xeyes` program (if installed on your system) should start.

Lines 54+ of
share/shutter/resources/modules/Shutter/App/HelperFunctions.pm:
        sub xdg_open {
                my ( $self, $dialog, $link, $user_data ) = @_;
                system("xdg-open $link");
        }

Because `system` is used, the string is scanned for shell
metacharacters[1], and if found the string is executed using a shell.

[1]: http://perldoc.perl.org/functions/system.html

CVE-2015-0854 has been assigned for this issue.

This bug has existed since (at least) 0.85.1, and although a patch is
available a fixed version has not been released.

Upstream bug: https://bugs.launchpad.net/shutter/+bug/1495163
Debian bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=798862


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
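
The difference between the one-string `system()` call described above and list-form `system()`, as an added example (not Shutter's code and not the attached patch). Assumptions: `true` stands in for `xdg-open`, `touch` on a marker file stands in for the injected command, and the names `open_unsafe`, `open_safe` and the sample path are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);

# Assumption: `true` stands in for xdg-open so this runs without a desktop
# session; it ignores its arguments and exits 0.
my $OPENER = 'true';

# Vulnerable form, same shape as xdg_open() in the report: one interpolated
# string. Perl sees shell metacharacters in it and runs it via /bin/sh -c.
sub open_unsafe {
    my ($link) = @_;
    return system("$OPENER $link");
}

# Hardened form: list-form system() execs the program directly, with no
# shell, so $link arrives as exactly one argv element, whatever it contains.
sub open_safe {
    my ($link) = @_;
    return system( $OPENER, $link );
}

# Constructed input: a path with a command substitution in a directory name,
# like the "$(xeyes)" folder in the report. `touch` on a marker file stands
# in for the injected command so the effect can be observed.
my $tmp    = tempdir( CLEANUP => 1 );
my $marker = "$tmp/marker";
my $link   = "$tmp/\$(touch $marker)/image.png";

sub marker_state { return -e $marker ? 'created (shell ran it)' : 'absent' }

open_safe($link);
print "list form:   marker ", marker_state(), "\n";

open_unsafe($link);
print "string form: marker ", marker_state(), "\n";
```

List form removes the shell, not the called program's own argument parsing: a value beginning with `-` can still be read as an option.
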
Comment 1 Pacho Ramos gentoo-dev 2016-08-21 11:59:37 UTC
CCing treecleaners
Comment 2 Alexey Zapparov 2016-08-22 00:19:08 UTC
This bug was fixed a while ago (available since 0.93.1 which we have in portage tree already): https://bugs.launchpad.net/shutter/+bug/1495163/comments/4

I believe we should change the mask to be the following instead of removing the package completely:
<=x11-misc/shutter-0.93.1
Comment 3 Pacho Ramos gentoo-dev 2016-08-22 10:03:59 UTC
OK, only that version left in the tree and unmasked (this package is back to testing then... in that case, I am not sure if maintainer will want to stabilize it in the normal way or... from security team point of view this should be solved then)
Comment 4 Alexey Zapparov 2016-08-25 21:35:12 UTC
(In reply to Pacho Ramos from comment #3)
> OK, only that version left in the tree and unmasked (this package is back to
> testing then... in that case, I am not sure if maintainer will want to
> stabilize it in the normal way or... from security team point of view this
> should be solved then)

I feel a bit stupid and fooled. I tried the steps described in this issue and they lead to running `xeyes`, proving that 0.93.1 is actually affected by this vulnerability. Then I re-read the post I linked before. It's not an upstream fix - they simply released 0.93.1-1 with the patch, as it seems the package is not maintained anymore. Really sorry, but it seems we either need to apply that patch as well or mask it indeed.
Comment 5 Alexey Zapparov 2016-08-25 21:45:03 UTC
Created attachment 444144
Patch that fixes this issue
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-18 19:33:52 UTC
Updating summary to reflect that we don't have a fixed package in tree according to comment #4.
Comment 7 Markos Chandras (RETIRED) gentoo-dev 2016-12-10 20:14:47 UTC
Let's do it

commit baed4e086c9d53601f7de98d165df1841c1f92dd
Author: Markos Chandras <hwoarang@gentoo.org>
Date:   Sat Dec 10 20:13:46 2016 +0000

    x11-misc/shutter: Revision bump
    
    Revision bump to include Debian patch to fix #560426
    
    Thanks to Alexey Zapparov <ixti@member.fsf.org>
    
    Gentoo-Bug: 560426
    
    Package-Manager: portage-2.3.3
Comment 8 Thomas Deutschmann (RETIRED) gentoo-dev 2016-12-10 20:23:53 UTC
@ Maintainer(s): Thank you Alexey for the patch and Markos for the bump.

The only thing left is the removal of the previous, vulnerable version. Could you please drop =x11-misc/shutter-0.93.1-r1?
Comment 9 Markos Chandras (RETIRED) gentoo-dev 2016-12-10 20:47:36 UTC
done