oss-sec mailing list archives

CVE-2015-0854: Insecure use of system() in shutter


From: Luke Faraone <lfaraone () debian org>
Date: Sun, 13 Sep 2015 16:31:29 +0000

Hello,

In the "Shutter" screenshot application, I discovered that using the
"Show in folder" menu option while viewing a file with a
specially-crafted path allows for arbitrary code execution with the
permissions of the user running Shutter.

STEPS TO REPRODUCE:
     1. Put an image in a folder called "$(xeyes)"
     2. Open the image in Shutter
     3. Right-click the image and click "Show in Folder"

The `xeyes` program (if installed on your system) should start.

Lines 54+ of
share/shutter/resources/modules/Shutter/App/HelperFunctions.pm:
        sub xdg_open {
                my ( $self, $dialog, $link, $user_data ) = @_;
                system("xdg-open $link");
        }

Because `system` is used, the string is scanned for shell
metacharacters[1], and if found the string is executed using a shell.

[1]: http://perldoc.perl.org/functions/system.html

CVE-2015-0854 has been assigned for this issue.

This bug has existed since (at least) 0.85.1, and although a patch is
available, a fixed version has not been released.

Upstream bug: https://bugs.launchpad.net/shutter/+bug/1495163
Debian bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=798862

Regards,
Luke Faraone
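
Added example, not part of the original message and not the upstream patch: the one-string system() call from the report next to Perl's list form, which never invokes a shell. The sample path, the use of printf as a stand-in for xdg-open, and the sub names open_unsafe, open_safe and xdg_open_hardened are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

$| = 1;    # keep our output ordered with the child processes' output

# Constructed path modelled on the "$(xeyes)" folder in the report; the
# embedded command only echoes a marker so the shell's involvement is visible.
my $link = '/tmp/$(echo EXPANDED-BY-SHELL)/shot.png';

# 'printf' stands in for xdg-open (assumption) so the argument the launched
# program actually receives is printed instead of opening a file manager.

# Vulnerable pattern, same shape as system("xdg-open $link"): a single
# string containing shell metacharacters is handed to /bin/sh -c, which
# performs command substitution on the path before the program starts.
sub open_unsafe {
    my ($path) = @_;
    return system("printf '%s\\n' $path");
}

# Hardened pattern: with a list of arguments system() executes the program
# directly, so the path reaches it as one literal argument.
sub open_safe {
    my ($path) = @_;
    return system( 'printf', '%s\n', $path );
}

# xdg_open rewritten the same way (hypothetical fix, not the upstream patch).
sub xdg_open_hardened {
    my ( $self, $dialog, $link, $user_data ) = @_;
    my $rc = system( 'xdg-open', $link );
    warn "xdg-open failed: $?\n" if $rc != 0;
    return $rc;
}

print "string form: ";
open_unsafe($link);
print "list form:   ";
open_safe($link);
```

Comparing the two printed lines shows whether a shell touched the path: the string form prints it with the substitution already carried out, the list form prints it byte for byte.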
