Bug 610612 (CVE-2016-10081) - <x11-misc/shutter-0.9.43: Insecure usage of perl exec() (CVE-2016-10081)
Summary: <x11-misc/shutter-0.9.43: Insecure usage of perl exec() (CVE-2016-10081)
Status: RESOLVED FIXED
Alias: CVE-2016-10081
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://www.exploit-db.com/exploits/4...
Whiteboard: B2 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-02-22 22:06 UTC by Sebastian Pipping
Modified: 2020-05-03 23:18 UTC

See Also:
Package list:
Runtime testing required: ---


Description Sebastian Pipping gentoo-dev 2017-02-22 22:06:22 UTC
Hi!

I ran into https://www.exploit-db.com/exploits/41435/?rss and had a look if we apply patches to close that vulnerability.  While our

  files/shutter-0.93.1-insecure_use_of_system.patch

seems to be related, there are more places calling system, e.g.

  system("xdg-email $mail $user_data");
or
  system("nautilus-sendto $user_data &");

that look scary (from just a quick look) and that are patched in other distros, e.g. see https://anonscm.debian.org/cgit/collab-maint/shutter.git/tree/debian/patches/fix-perl-system-calls#n234.

Please have a closer look.  Thank you!
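
The difference between the single-string `system()` form quoted in the description and Perl's list form, as an added example that is not part of the original report and is not taken from the Gentoo or Debian patches. It assumes a POSIX system with `echo` on the PATH; `echo` stands in for `xdg-email` / `nautilus-sendto`, and the value of `$user_data` is constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample value standing in for $user_data (for example a file
# name chosen by someone else). The part after ';' is harmless marker text.
my $user_data = 'shot.png; echo SHELL-INTERPRETED';

# Single-string form, as in system("xdg-email $mail $user_data").
# Because the string contains shell metacharacters, Perl runs it through
# /bin/sh -c, so the shell decides where one command ends and the next begins.
sub run_string {
    my ($cmd) = @_;
    my @out = `$cmd`;
    chomp @out;
    return @out;
}

# List form: program and arguments are passed straight to exec with no
# shell in between, so $user_data arrives as exactly one argument.
sub run_list {
    my @cmd = @_;
    open(my $fh, '-|', @cmd) or die "cannot exec $cmd[0]: $!";
    my @out = <$fh>;
    close($fh) or warn "$cmd[0] exited with status $?\n";
    chomp @out;
    return @out;
}

my @from_string = run_string("echo $user_data");
my @from_list   = run_list('echo', $user_data);

# The string form yields two output lines (two commands ran); the list
# form yields one line containing the value unchanged.
printf "string form: %d line(s)\n", scalar @from_string;
print  "  [$_]\n" for @from_string;
printf "list form:   %d line(s)\n", scalar @from_list;
print  "  [$_]\n" for @from_list;

# Caveat: the list form only removes the shell. A value that begins with
# '-' can still be read as an option by the called program, so validate
# the value or pass an end-of-options marker where the program supports one.
```

The same list form applies to `system()` itself, e.g. `system('nautilus-sendto', $user_data)`; backgrounding with `&` is a shell feature and has to be replaced by `fork` when the shell is removed.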
Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-07-12 19:52:34 UTC
References:

https://www.cvedetails.com/cve/CVE-2016-10081/
https://bugs.launchpad.net/shutter/+bug/1652600
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2017-07-13 02:58:05 UTC
@ Maintainer(s): Please add https://anonscm.debian.org/cgit/collab-maint/shutter.git/tree/debian/patches/fix-perl-system-calls
Comment 3 Pacho Ramos gentoo-dev 2018-07-23 09:50:50 UTC
This should be bumped to 0.94
https://launchpad.net/shutter/0.9x/0.94/+download/shutter-0.94.tar.gz
Comment 4 Jonas Stein gentoo-dev 2019-06-24 11:20:15 UTC
The package was bumped to 0.94.3
Is anything left to do?
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-18 15:05:41 UTC
(In reply to Jonas Stein from comment #4)
> The package was bumped to 0.94.3
> Is anything left to do?

Based on https://salsa.debian.org/perl-team/modules/attic/shutter/-/blob/master/debian/patches/fix-perl-system-calls, I think the current patch in 0.93.1-r3 may be incomplete.

It's been applied now: https://bazaar.launchpad.net/~shutter/shutter/devel/revision/1298, which is in 0.94.2.

@maintainer(s), please clean up!
Comment 6 Larry the Git Cow gentoo-dev 2020-03-18 18:05:13 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4f4ee7f75329062c350a8508b80b02be691f604e

commit 4f4ee7f75329062c350a8508b80b02be691f604e
Author:     Sebastian Pipping <sping@gentoo.org>
AuthorDate: 2020-03-18 18:03:38 +0000
Commit:     Sebastian Pipping <sping@gentoo.org>
CommitDate: 2020-03-18 18:04:53 +0000

    x11-misc/shutter: Drop vulnerable
    
    Bug: https://bugs.gentoo.org/610612
    Signed-off-by: Sebastian Pipping <sping@gentoo.org>
    Package-Manager: Portage-2.3.92, Repoman-2.3.20

 x11-misc/shutter/Manifest                          |  1 -
 x11-misc/shutter/files/shutter-0.90-webphoto.patch | 17 -----
 .../shutter-0.93.1-insecure_use_of_system.patch    | 19 -----
 x11-misc/shutter/shutter-0.93.1-r3.ebuild          | 85 ----------------------
 4 files changed, 122 deletions(-)
Comment 7 Aaron Bauman (RETIRED) gentoo-dev 2020-05-03 23:18:01 UTC
Package is unstable.