Debian Bug report logs -
#849777
shutter: CVE-2016-10081: Insecure use of perl exec()
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Ryan Niebur <ryan@debian.org>
:
Bug#849777
; Package src:shutter
.
(Fri, 30 Dec 2016 21:39:07 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>
:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Ryan Niebur <ryan@debian.org>
.
(Fri, 30 Dec 2016 21:39:07 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: shutter
Version: 0.88.3-1
Severity: grave
Tags: upstream security
Justification: user security hole
Forwarded: https://bugs.launchpad.net/shutter/+bug/1652600
Hi,
the following vulnerability was published for shutter.
CVE-2016-10081[0]:
| /usr/bin/shutter in Shutter through 0.93.1 allows user-assisted remote
| attackers to execute arbitrary commands via a crafted image name that
| is mishandled during a "Run a plugin" action.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2016-10081
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10081
[1] https://bugs.launchpad.net/shutter/+bug/1652600
Regards,
Salvatore
Information forwarded
to debian-bugs-dist@lists.debian.org, Ryan Niebur <ryan@debian.org>
:
Bug#849777
; Package src:shutter
.
(Sat, 31 Dec 2016 11:42:07 GMT) (full text, mbox, link).
Acknowledgement sent
to Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
:
Extra info received and forwarded to list. Copy sent to Ryan Niebur <ryan@debian.org>
.
(Sat, 31 Dec 2016 11:42:07 GMT) (full text, mbox, link).
Message #10 received at 849777@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Salvatore Bonaccorso wrote...
> CVE-2016-10081[0]:
> | /usr/bin/shutter in Shutter through 0.93.1 allows user-assisted remote
> | attackers to execute arbitrary commands via a crafted image name that
> | is mishandled during a "Run a plugin" action.
*sigh* Single-argument usage of system/exec through the shell (...)</rant>
The patch attached uses the multi-argument invocation and also changes
it in the code path for non-Perl plugins. I wasn't able to exploit the
latter since it requires a file name without an extension (more
precisely: without a dot) that shutter still is willing to open. So a
file named (*in*cluding the quotes)
' ; xeyes ; '
on the offset plugin should do the trick but shutter didn't get that
far. But that's no excuse for keeping it this way.
Still requires more testing.
Christoph
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Ryan Niebur <ryan@debian.org>
:
Bug#849777
; Package src:shutter
.
(Sat, 31 Dec 2016 11:42:08 GMT) (full text, mbox, link).
Acknowledgement sent
to Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
:
Extra info received and forwarded to list. Copy sent to Ryan Niebur <ryan@debian.org>
.
(Sat, 31 Dec 2016 11:42:08 GMT) (full text, mbox, link).
Message #15 received at 849777@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Christoph Biedl wrote...
> The patch attached
[CVE-2016-10081.patch (text/x-diff, attachment)]
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Ryan Niebur <ryan@debian.org>
:
Bug#849777
; Package src:shutter
.
(Fri, 06 Jan 2017 18:36:06 GMT) (full text, mbox, link).
Acknowledgement sent
to dod@debian.org
:
Extra info received and forwarded to list. Copy sent to Ryan Niebur <ryan@debian.org>
.
(Fri, 06 Jan 2017 18:36:06 GMT) (full text, mbox, link).
Message #20 received at 849777@bugs.debian.org (full text, mbox, reply):
On Sat, 31 Dec 2016 12:39:57 +0100 Christoph Biedl <debian.axhn@manchmal.in-
ulm.de> wrote:
> Christoph Biedl wrote...
>
> > The patch attached
Thanks.
I've tested the patch and it's fine.
I've also created a patch to replace all system("big string") calls to
system(@big_list) in all plugins to avoid similar problems.
I'll upload this soon :-) as a nmu :-(
All the best
--
https://github.com/dod38fr/ -o- http://search.cpan.org/~ddumont/
http://ddumont.wordpress.com/ -o- irc: dod at irc.debian.org
Information forwarded
to debian-bugs-dist@lists.debian.org, Ryan Niebur <ryan@debian.org>
:
Bug#849777
; Package src:shutter
.
(Fri, 06 Jan 2017 21:03:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>
:
Extra info received and forwarded to list. Copy sent to Ryan Niebur <ryan@debian.org>
.
(Fri, 06 Jan 2017 21:03:03 GMT) (full text, mbox, link).
Message #25 received at 849777@bugs.debian.org (full text, mbox, reply):
Hi Dominique,
On Fri, Jan 06, 2017 at 07:33:07PM +0100, Dominique Dumont wrote:
> On Sat, 31 Dec 2016 12:39:57 +0100 Christoph Biedl <debian.axhn@manchmal.in-
> ulm.de> wrote:
> > Christoph Biedl wrote...
> >
> > > The patch attached
>
> Thanks.
>
> I've tested the patch and it's fine.
>
> I've also created a patch to replace all system("big string") calls to
> system(@big_list) in all plugins to avoid similar problems.
>
> I'll upload this soon :-) as a nmu :-(
Thanks.
Btw, it would be good/great to forward any applied patch to upstream.
Regards,
Salvatore
Reply sent
to Dominique Dumont <dod@debian.org>
:
You have taken responsibility.
(Fri, 06 Jan 2017 21:09:17 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>
:
Bug acknowledged by developer.
(Fri, 06 Jan 2017 21:09:17 GMT) (full text, mbox, link).
Message #30 received at 849777-close@bugs.debian.org (full text, mbox, reply):
Source: shutter
Source-Version: 0.93.1-1.3
We believe that the bug you reported is fixed in the latest version of
shutter, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 849777@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Dominique Dumont <dod@debian.org> (supplier of updated shutter package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Fri, 06 Jan 2017 21:07:32 +0100
Source: shutter
Binary: shutter
Architecture: source all
Version: 0.93.1-1.3
Distribution: unstable
Urgency: medium
Maintainer: Ryan Niebur <ryan@debian.org>
Changed-By: Dominique Dumont <dod@debian.org>
Description:
shutter - feature-rich screenshot program
Closes: 849777
Changes:
shutter (0.93.1-1.3) unstable; urgency=medium
.
* Non-maintainer upload.
* add patch to fix CVE-2016-10081 (Closes: #849777)
* add patch to secure system() calls
Checksums-Sha1:
3eb73977d063975911797c3625b9daa36981232d 1845 shutter_0.93.1-1.3.dsc
a7adcfe000650b6c22e118308ae7fadb7a6c2ae4 8072 shutter_0.93.1-1.3.debian.tar.xz
995e10b02095f9b5c243360fe033f06a9cd3d00b 1611916 shutter_0.93.1-1.3_all.deb
b6fec3089c406b671f51dd4f8fdfc1fcbb3f7a41 4538 shutter_0.93.1-1.3_amd64.buildinfo
Checksums-Sha256:
7d5e2833dc2b5ee09a8bab7620368ca1ae66a3c875e61921d46a11219021cf9d 1845 shutter_0.93.1-1.3.dsc
227a42fd52f676ff1d0b57a702de49c474baf9e931085d75f13399ebc862840d 8072 shutter_0.93.1-1.3.debian.tar.xz
042b1fc515e723b1d1f56281ba001711783c38daa7e9ee311023a93f30d423e9 1611916 shutter_0.93.1-1.3_all.deb
caae69f92d98d4a93e16dcad3a5ce6840e417ca5923579ed3529beecb1b9c866 4538 shutter_0.93.1-1.3_amd64.buildinfo
Files:
80d1cfc290072f6ed9d54c7bfd59b9e0 1845 graphics optional shutter_0.93.1-1.3.dsc
146ba3dadc179beb3f8e1276c185a48a 8072 graphics optional shutter_0.93.1-1.3.debian.tar.xz
b1bb2362b2517ea75b797b1eb091cbd6 1611916 graphics optional shutter_0.93.1-1.3_all.deb
0b20ef9c9edab27a13d5549379f6e824 4538 graphics optional shutter_0.93.1-1.3_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEn3I5/LZk8Qsz6dwDwx9P2UmrK2wFAlhv+bYACgkQwx9P2Umr
K2zFhw//WRT1BB7WeVosfn7i/Tyli7CAwtQzTIT7jmccB2esug+gxlmGgltx4UtW
2+UmTMnxpZaHo4TgbS0jfZgT30KxjrcC7bj7LBt4VgIXyhywANo0TlAenYUKfIyr
DWlN5pZih6G1amwBWmpSS/ajzghIlNY49nTrPSNlmS6q+PlTpRmsF3t6zKucTwkv
aBDE3V1JMAeSe0pmqdpaR5XbG+S/7t9MSZxFrQt6277biu1ZVF7vw03fk7mrlgrJ
mkpd1pqjNrSFYHvvRB7zIP5Jl6berV81e0b3L9+ZcoB3OINyk4Qt61e8jb/VgkcC
2Q/5PMxNIxFhO68klljIN5enpms4Sd9FTsOy6uAs6MPKiE9P6iBCK8+mZ0d5UtVN
60erPCkQ/erWk08tFJ3HWeuHvh+Kou3wz91bUWJ88wSNMH4BDQjHXXYsQmNnbyFh
PaCYzlDu06T/vq0yChSVkji6Yw+UcRFKdESTdE6vchDfSo42COtMaspkLJPXjuht
Xz+d4S1ZMW8Wvjp1U9AEiQjpFslfGHxvNuPohNPu+rX2te7bidJbl0lKaIbMpmO3
LvelxtuGqiGik9i3jHKu6H5M/beQrj8ifsKj9I1PLpNiM5U+s7s4GtQ1lH3SQfGL
7cTT7BNO9GhGJI0PVdyGJ9IJfWDElVXoguGIH7v0D+xY8VhQ0+M=
=VNFa
-----END PGP SIGNATURE-----
Information forwarded
to debian-bugs-dist@lists.debian.org, Ryan Niebur <ryan@debian.org>
:
Bug#849777
; Package src:shutter
.
(Sat, 07 Jan 2017 08:24:05 GMT) (full text, mbox, link).
Acknowledgement sent
to dod@debian.org
:
Extra info received and forwarded to list. Copy sent to Ryan Niebur <ryan@debian.org>
.
(Sat, 07 Jan 2017 08:24:05 GMT) (full text, mbox, link).
Message #35 received at 849777@bugs.debian.org (full text, mbox, reply):
On Friday, 6 January 2017 21:57:57 CET Salvatore Bonaccorso wrote:
> Btw, it would be good/great to forward any applied patch to upstream.
Done: https://bugs.launchpad.net/shutter/+bug/1652600/comments/6
(this is a bit confusing because launchpad is usually downstream...)
All the best
--
https://github.com/dod38fr/ -o- http://search.cpan.org/~ddumont/
http://ddumont.wordpress.com/ -o- irc: dod at irc.debian.org
Information forwarded
to debian-bugs-dist@lists.debian.org, Ryan Niebur <ryan@debian.org>
:
Bug#849777
; Package src:shutter
.
(Thu, 02 Mar 2017 01:33:03 GMT) (full text, mbox, link).
Message #38 received at 849777@bugs.debian.org (full text, mbox, reply):
tag 849777 + pending
thanks
Some bugs in the shutter package are closed in revision
fb12f0fa979002ad8a3616d082332c7b25d20218 in branch 'master' by
Dominique Dumont
The full diff can be seen at
https://anonscm.debian.org/cgit/pkg-perl/packages/shutter.git/commit/?id=fb12f0f
Commit message:
add patch to fix CVE-2016-10081 (Closes: #849777)
Added tag(s) pending.
Request was from pkg-perl-maintainers@lists.alioth.debian.org
to control@bugs.debian.org
.
(Thu, 02 Mar 2017 01:33:06 GMT) (full text, mbox, link).
Message sent on
to Salvatore Bonaccorso <carnil@debian.org>
:
Bug#849777.
(Thu, 02 Mar 2017 01:33:10 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
:
Bug#849777
; Package src:shutter
.
(Sat, 20 May 2017 20:42:06 GMT) (full text, mbox, link).
Message #46 received at 849777@bugs.debian.org (full text, mbox, reply):
tag 849777 + pending
thanks
Some bugs in the shutter package are closed in revision
87f106dd4f0049cf7c1b4f77929d059b229a90a9 in branch ' jessie' by
Dominique Dumont
The full diff can be seen at
https://anonscm.debian.org/cgit/pkg-perl/packages/shutter.git/commit/?id=87f106d
Commit message:
add patch to fix CVE-2016-10081 (Closes: #849777)
Message sent on
to Salvatore Bonaccorso <carnil@debian.org>
:
Bug#849777.
(Sat, 20 May 2017 20:42:10 GMT) (full text, mbox, link).
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org
.
(Sun, 18 Jun 2017 07:37:17 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 16:58:32 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.