Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 560426 (CVE-2015-0854) - <x11-misc/shutter-0.93.1-r2: Insecure use of system()
Summary: <x11-misc/shutter-0.93.1-r2: Insecure use of system()
Status: RESOLVED FIXED
Alias: CVE-2015-0854
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: ~2 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-09-14 09:24 UTC by Agostino Sarubbo
Modified: 2016-12-11 00:12 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
Patch that fixes this issue (insecure_use_of_system.patch,887 bytes, patch)
2016-08-25 21:45 UTC, Alexey Zapparov
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2015-09-14 09:24:43 UTC
From ${URL} :

In the "Shutter" screenshot application, I discovered that using the
"Show in folder" menu option while viewing a file with a
specially-crafted path allows for arbitrary code execution with the
permissions of the user running Shutter.

STEPS TO REPRODUCE:
     1. Put an image in a folder called "$(xeyes)"
     2. Open the image in Shutter
     3. Right-click the image and click "Show in Folder"

The `xeyes` program (if installed on your system) should start.

Lines  54+ of
share/shutter/resources/modules/Shutter/App/HelperFunctions.pm:
        sub xdg_open {
        	my ( $self, $dialog, $link, $user_data ) = @_;
        	system("xdg-open $link");
	}

Because `system` is used, the string is scanned for shell
metacharacters[1], and if found the string is executed using a shell.

[1]: http://perldoc.perl.org/functions/system.html

CVE-2015-0854 has been assigned for this issue.

This bug has existed since (at least) 0.85.1, and although a patch is
available a fixed version has not been released.

Upstream bug: https://bugs.launchpad.net/shutter/+bug/1495163
Debian bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=798862


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Pacho Ramos gentoo-dev 2016-08-21 11:59:37 UTC
CCing treecleaners
Comment 2 Alexey Zapparov 2016-08-22 00:19:08 UTC
This bug was fixed a while ago (available since 0.93.1 which we have in portage tree already): https://bugs.launchpad.net/shutter/+bug/1495163/comments/4

I believe we should change mask to be instead of removing package completely:
<=x11-misc/shutter-0.93.1
Comment 3 Pacho Ramos gentoo-dev 2016-08-22 10:03:59 UTC
OK, only that version left in the tree and unmasked (this package is back to testing then... in that case, I am not sure if maintainer will want to stabilize it in the normal way or... from security team point of view this should be solved then)
Comment 4 Alexey Zapparov 2016-08-25 21:35:12 UTC
(In reply to Pacho Ramos from comment #3)
> OK, only that version left in the tree and unmasked (this package is back to
> testing then... in that case, I am not sure if maintainer will want to
> stabilize it in the normal way or... from security team point of view this
> should be solved then)

Feeling myself a bit stupid and fooled. Tried described in this issue steps and they lead to running `xeyes` proving that 0.93.1 is actually affected by this vulnerability. Then re-read post I have linked before. It's not upstream fix - they simply released 0.93.1-1 with the patch, as seems like package is not maintained anymore. Really sorry, but seems like we either need to apply that patch as well or mask it indeed.
Comment 5 Alexey Zapparov 2016-08-25 21:45:03 UTC
Created attachment 444144 [details, diff]
Patch that fixes this issue
Comment 6 Thomas Deutschmann gentoo-dev 2016-11-18 19:33:52 UTC
Updating summary to reflect that we don't have a fixed package in tree according to comment #4.
Comment 7 Markos Chandras (RETIRED) gentoo-dev 2016-12-10 20:14:47 UTC
Lets do it

commit baed4e086c9d53601f7de98d165df1841c1f92dd
Author: Markos Chandras <hwoarang@gentoo.org>
Date:   Sat Dec 10 20:13:46 2016 +0000

    x11-misc/shutter: Revision bump
    
    Revision bump to include Debian patch to fix #560426
    
    Thanks to Alexey Zapparov <ixti@member.fsf.org>
    
    Gentoo-Bug: 560426
    
    Package-Manager: portage-2.3.3
Comment 8 Thomas Deutschmann gentoo-dev 2016-12-10 20:23:53 UTC
@ Maintainer(s): Thank you Alexey for the patch and Markos for the bump.

Only thing left is the removal of previous, vulnerable version. Could you please drop =x11-misc/shutter-0.93.1-r1?
Comment 9 Markos Chandras (RETIRED) gentoo-dev 2016-12-10 20:47:36 UTC
done