oss-sec mailing list archives
CVE-2015-0854: Insecure use of system() in shutter
From: Luke Faraone <lfaraone () debian org>
Date: Sun, 13 Sep 2015 16:31:29 +0000
Hello,

In the "Shutter" screenshot application, I discovered that using the "Show in folder" menu option while viewing a file with a specially-crafted path allows for arbitrary code execution with the permissions of the user running Shutter.

STEPS TO REPRODUCE:

1. Put an image in a folder called "$(xeyes)"
2. Open the image in Shutter
3. Right-click the image and click "Show in Folder"

The `xeyes` program (if installed on your system) should start.

Lines 54+ of share/shutter/resources/modules/Shutter/App/HelperFunctions.pm:

    sub xdg_open {
        my ( $self, $dialog, $link, $user_data ) = @_;
        system("xdg-open $link");
    }

Because `system` is used, the string is scanned for shell metacharacters[1], and if found the string is executed using a shell.

[1]: http://perldoc.perl.org/functions/system.html

CVE-2015-0854 has been assigned for this issue. This bug has existed since (at least) 0.85.1, and although a patch is available a fixed version has not been released.

Upstream bug: https://bugs.launchpad.net/shutter/+bug/1495163
Debian bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=798862

Regards,
Luke Faraone
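The single-string versus list behaviour of Perl's system() described in the message above, shown side by side as an added example (not part of the original post and not the upstream patch). The sample path, the printf stand-in for xdg-open, the helper name xdg_open_list and its leading-dash check are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

$| = 1;    # keep our output ordered with the children's

# Constructed sample path; the command substitution is a harmless marker.
my $link = '/tmp/$(echo SHELL-RAN)/shot.png';

# Stand-in for xdg-open so that the demo opens nothing: printf(1) echoes
# back the argument it actually received.
my @viewer = ( 'printf', 'child received: [%s]\n' );

# String form, as in the quoted xdg_open: the string contains shell
# metacharacters, so perl runs it through /bin/sh -c and $(...) is expanded.
print "string form:\n";
system("printf 'child received: [%s]\\n' $link");

# List form: perl execs the program directly and passes $link as one
# argv element, so no shell parses it.
print "list form:\n";
system( @viewer, $link );

# The same change applied to the helper (hypothetical name, same signature).
sub xdg_open_list {
    my ( $self, $dialog, $link, $user_data ) = @_;

    # Added check, an assumption of this example: refuse a leading '-' so
    # the path cannot be read by xdg-open as an option.
    return if !defined $link || $link =~ /^-/;

    my $rc = system( 'xdg-open', $link );
    warn "xdg-open failed: $?\n" if $rc != 0;
    return $rc == 0;
}
```

In the string form the child receives the path with the substitution already evaluated by the shell; in the list form it receives the literal directory name unchanged.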