[Secure-testing-team] Bug#798862: CVE-2015-0854: Insecure use of system()
Luke Faraone
lfaraone at debian.org
Sun Sep 13 16:25:21 UTC 2015
Package: shutter
Version: 0.85.1-2
Severity: grave
Tags: security upstream patch
Justification: user security hole
Forwarded: https://bugs.launchpad.net/shutter/+bug/1495163
Using the "Show in folder" menu option while viewing a file with a
specially-crafted path allows for arbitrary code execution with the permissions
of the user running Shutter.
STEPS TO REPRODUCE:
1. Put an image in a folder called "$(xeyes)"
2. Open the image in Shutter
3. Right-click the image and click "Show in Folder"
The `xeyes` program (if installed on your system) should start.
Lines 54-65 of share/shutter/resources/modules/Shutter/App/HelperFunctions.pm:
    sub xdg_open {
        my ( $self, $dialog, $link, $user_data ) = @_;
        system("xdg-open $link");
        return TRUE;
    }
Because `system` is used, the string is scanned for shell
metacharacters[1], and if found the string is executed using a shell.
[1]: http://perldoc.perl.org/functions/system.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: CVE-2015-0854.patch
Type: text/x-diff
Size: 2260 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20150913/5c33f460/attachment.patch>
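
The difference between the single-string and list forms of `system`, as an added example (not part of the original report and not the attached patch). The path is constructed, `printf` stands in for xdg-open so the demo runs without a desktop, and `xdg_open_safe` is a hypothetical name:

```perl
#!/usr/bin/perl
use strict;
use warnings;

$| = 1;    # keep our own output ordered with the child's output

# Constructed path modelled on the folder name in the report; the embedded
# command only echoes a marker, so the demo is harmless to run.
my $link = '/tmp/$(echo SHELL_RAN)/image.png';

# Stand-in for xdg-open (assumption): printf echoes back its argument,
# which makes visible what the child process actually received.
my @opener = ( 'printf', '%s\n' );

# Single-string form, as in the reported xdg_open(): Perl finds shell
# metacharacters in the string and runs it through /bin/sh -c, so the
# shell performs the command substitution before the opener starts.
print "string form: ";
system("printf '%s\\n' $link");

# List form: no shell is involved; Perl executes the program directly and
# $link arrives as one literal argv entry, metacharacters included.
print "list form:   ";
system( @opener, $link );

# Hardened variant of the helper using the list form (hypothetical name).
# It also reports failure instead of unconditionally returning true.
sub xdg_open_safe {
    my ($link) = @_;
    return system( 'xdg-open', $link ) == 0;
}
```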