Insecure use of system() allows arbitrary code execution via "Show in Folder"

Bug #1495163 reported by Luke Faraone
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Shutter | Fix Released | Undecided | Unassigned | |
| shutter (Debian) | Fix Released | Unknown | | |
| shutter (Ubuntu) | Fix Released | Medium | Unassigned | |

Bug Description

Using the "Show in folder" menu option while viewing a file with a specially-crafted path allows for arbitrary code execution with the permissions of the user running Shutter.

STEPS TO REPRODUCE:
     1. Put an image in a folder called "$(xeyes)"
     2. Open the image in Shutter
     3. Right-click the image and click "Show in Folder"

The `xeyes` program (if installed on your system) should start.

Lines 54-65 of share/shutter/resources/modules/Shutter/App/HelperFunctions.pm:
        sub xdg_open {
                my ( $self, $dialog, $link, $user_data ) = @_;
                system("xdg-open $link");

Because `system` is used, the string is scanned for shell
metacharacters[1], and if found the string is executed using a shell.

[1]: http://perldoc.perl.org/functions/system.html

CVE-2015-0854 has been assigned for this issue by the Debian Security Team.

Tags: patch
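
An added example, not part of the original report or of Shutter's code: the string form of `system` from the excerpt beside the list form, which never involves a shell. `run_list`, `xdg_open_safe` and the sample path are hypothetical, and `printf` stands in for `xdg-open` so the argument each form delivers is visible without launching a desktop application.

```perl
#!/usr/bin/perl
use strict;
use warnings;

$| = 1;    # flush our own output before each child writes

# Constructed sample: a path whose directory name contains a command
# substitution, modelled on the report's "$(xeyes)" folder but using a
# harmless marker command.
my $link = '/tmp/$(echo SHELL-RAN)/shot.png';

# Run a command in list form. Perl hands the list straight to execvp(),
# so no shell ever parses the arguments. The indirect-object block
# ({ $cmd[0] }) keeps list semantics even for a one-element list.
sub run_list {
    my (@cmd) = @_;
    my $status = system { $cmd[0] } @cmd;
    die "cannot start $cmd[0]: $!\n" if $status == -1;
    return $status >> 8;    # exit code of the child
}

# Hypothetical hardened counterpart of the helper quoted in the report
# (an illustration, not the patch that was applied).
sub xdg_open_safe {
    my ($target) = @_;
    return run_list( 'xdg-open', $target );
}

# String form: /bin/sh expands $(...) before printf ever sees the path.
print "string form, argument seen by child: ";
system("printf '%s\\n' $link");

# List form: the path arrives as one argv element, byte for byte.
print "list form,   argument seen by child: ";
run_list( 'printf', '%s\n', $link );
```

The list form only removes shell interpretation; the child program still decides how to treat an argument that begins with `-`.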


Luke Faraone (lfaraone) wrote :
Luke Faraone (lfaraone)
information type: Private Security → Public Security
Luke Faraone (lfaraone)
Changed in shutter (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
Changed in shutter (Debian):
status: Unknown → Confirmed
tags: added: patch
Robin Lee (cheeselee) wrote :

Luke's patch is not 'strict'. '@args' should have a 'my' declaration.

Robin Lee (cheeselee) wrote :

Shutter has several places using string style 'system'. Is only this 'system' vulnerable?

Changed in shutter (Debian):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shutter - 0.93.1-1ubuntu1

---------------
shutter (0.93.1-1ubuntu1) xenial; urgency=low

  * Merge from Debian unstable (LP: #1564122). Remaining changes:
   - debian/control: Recommend libgtk2-appindicator-perl.

shutter (0.93.1-1) unstable; urgency=medium

  * Non-maintainer upload.
  * New upstream release.
  * Fix insecure use of system() (Closes: #798862, LP: #1495163).
  * debian/rules: Install WebService/Dropbox.pm

 -- Andrew Starr-Bochicchio <email address hidden> Sat, 02 Apr 2016 11:22:14 -0400

Changed in shutter (Ubuntu):
status: Triaged → Fix Released
Michael Kogan (michael-kogan) wrote :

Applied Debian's patch in rev.1282.

Changed in shutter:
status: New → Fix Committed
Changed in shutter:
milestone: none → 0.94
Changed in shutter:
status: Fix Committed → Fix Released