Your message dated Fri, 06 Nov 2015 03:54:18 +0000
with message-id <e1zuy6u-0007io...@franck.debian.org>
and subject line Bug#798862: fixed in shutter 0.93.1-1
has caused the Debian Bug report #798862,
regarding CVE-2015-0854: Insecure use of system()
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
798862: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=798862
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: shutter
Version: 0.85.1-2
Severity: grave
Tags: security upstream patch
Justification: user security hole
Forwarded: https://bugs.launchpad.net/shutter/+bug/1495163

Using the "Show in folder" menu option while viewing a file with a
specially-crafted path allows for arbitrary code execution with the permissions
of the user running Shutter.

STEPS TO REPRODUCE:
     1. Put an image in a folder called "$(xeyes)"
     2. Open the image in Shutter
     3. Right-click the image and click "Show in Folder"

The `xeyes` program (if installed on your system) should start.

Lines 54-65 of share/shutter/resources/modules/Shutter/App/HelperFunctions.pm:
        sub xdg_open {
                my ( $self, $dialog, $link, $user_data ) = @_;
                system("xdg-open $link");
                return TRUE;
        }

Because `system` is used, the string is scanned for shell
metacharacters[1], and if found the string is executed using a shell.

[1]: http://perldoc.perl.org/functions/system.html
# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: lfara...@debian.org-20150913015632-omhhhksdbz1j2jno
# target_branch: bzr+ssh://bazaar.launchpad.net/+branch/shutter/
# testament_sha1: 657f895d801b5ee567032599e2f961f4537a25db
# timestamp: 2015-09-13 01:59:36 +0000
# base_revision_id: mario.kem...@googlemail.com-20141223230202-\
#   b58zlfo5qb5e2cxt
# 
# Begin patch
=== modified file 'share/shutter/resources/modules/Shutter/App/HelperFunctions.pm'
--- share/shutter/resources/modules/Shutter/App/HelperFunctions.pm	2013-08-25 18:40:51 +0000
+++ share/shutter/resources/modules/Shutter/App/HelperFunctions.pm	2015-09-13 01:56:32 +0000
@@ -53,7 +53,8 @@
 
 sub xdg_open {
 	my ( $self, $dialog, $link, $user_data ) = @_;
-	system("xdg-open $link");
+	@args = ("xdg-open", "$link");
+	system(@args);
 	if($?){
 		my $response = $self->{_dialogs}->dlg_error_message( 
 			sprintf( $self->{_d}->get("Error while executing %s."), "'xdg-open'"),
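Review bot: `@args` in the two added lines is assigned without `my`, so if HelperFunctions.pm runs under `use strict` this hunk will not compile, and without strict it silently creates a package global; write `my @args = ("xdg-open", $link);` instead. The double quotes around `$link` are also redundant, since the element is already a scalar. The list form itself is the right fix: with two elements Perl calls execvp directly and never consults /bin/sh, so a path containing `$(...)` reaches xdg-open as a literal string. That protection depends on keeping two separate elements, because a one-element list such as `system(("xdg-open $link"))` is still scanned for metacharacters and handed to the shell exactly like the removed line.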

# Begin bundle
--- End Message ---
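The hardened form of the call described in the report, added here as an example and not taken from Shutter or the patch above; `open_with` is a hypothetical helper and `/bin/echo` stands in for `xdg-open` so it runs without a desktop session.

```perl
#!/usr/bin/perl
# Added example, not code from Shutter or the bug report. It contrasts the
# single-string system() call quoted in the report with the list form the
# patch introduces. open_with() is a hypothetical helper; /bin/echo stands in
# for xdg-open so the example runs on any system without a desktop.
use strict;
use warnings;

# List form with two or more elements: Perl calls execvp directly and never
# consults /bin/sh, so shell metacharacters in $path reach the child program
# as literal bytes. Returns the child's exit status, or a diagnostic string.
sub open_with {
    my ( $handler, $path ) = @_;
    my @args = ( $handler, $path );    # declared with my, as strict requires
    my $rc = system(@args);
    return "exec failed: $!" if $rc == -1;                # program not found
    return sprintf( "killed by signal %d", $? & 127 ) if $? & 127;
    return $? >> 8;                                       # normal exit status
}

# Constructed path shaped like the one in the report.
my $path = '/tmp/$(xeyes)/shot.png';

# Vulnerable shape from HelperFunctions.pm (shown, not executed): with one
# string argument Perl sees the metacharacters and runs
#   /bin/sh -c "xdg-open /tmp/$(xeyes)/shot.png"
# so the shell performs the command substitution before xdg-open starts.
#   system("xdg-open $path");
#
# A one-element *list* gets no protection either: system(("xdg-open $path"))
# is treated exactly like the single string above. The fix must keep two
# separate elements, or use the indirect form system { $prog } $prog, $path,
# which never uses a shell regardless of the argument count.

my $status = open_with( '/bin/echo', $path );
# /bin/echo receives the path verbatim and prints it; nothing is substituted
# because no shell ever saw the string.
print "exit status: $status\n";
```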
--- Begin Message ---
Source: shutter
Source-Version: 0.93.1-1

We believe that the bug you reported is fixed in the latest version of
shutter, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 798...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andrew Starr-Bochicchio <a...@debian.org> (supplier of updated shutter package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 05 Nov 2015 21:48:26 -0500
Source: shutter
Binary: shutter
Architecture: source all
Version: 0.93.1-1
Distribution: unstable
Urgency: medium
Maintainer: Ryan Niebur <r...@debian.org>
Changed-By: Andrew Starr-Bochicchio <a...@debian.org>
Description:
 shutter    - feature-rich screenshot program
Closes: 798862
Changes:
 shutter (0.93.1-1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * New upstream release.
   * Fix insecure use of system() (Closes: #798862, LP: #1495163).
   * debian/rules: Install WebService/Dropbox.pm


--- End Message ---
