Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

shutter: CVE-2016-10081: Insecure use of perl exec()

Related Vulnerabilities: CVE-2016-10081  

Source

Debian Bug report logs - #849777
shutter: CVE-2016-10081: Insecure use of perl exec()

version graph

Package: src:shutter; Maintainer for src:shutter is Ryan Niebur <ryan@debian.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 30 Dec 2016 21:39:05 UTC

Severity: grave

Tags: pending, security, upstream

Found in version shutter/0.88.3-1

Fixed in version shutter/0.93.1-1.3

Done: Dominique Dumont <dod@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://bugs.launchpad.net/shutter/+bug/1652600

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Ryan Niebur <ryan@debian.org>:
Bug#849777; Package src:shutter. (Fri, 30 Dec 2016 21:39:07 GMT) (full text, mbox, link).

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Ryan Niebur <ryan@debian.org>. (Fri, 30 Dec 2016 21:39:07 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: shutter: CVE-2016-10081: Insecure use of perl exec()
Date: Fri, 30 Dec 2016 22:36:38 +0100
Source: shutter
Version: 0.88.3-1
Severity: grave
Tags: upstream security
Justification: user security hole
Forwarded: https://bugs.launchpad.net/shutter/+bug/1652600

Hi,

the following vulnerability was published for shutter.

CVE-2016-10081[0]:
| /usr/bin/shutter in Shutter through 0.93.1 allows user-assisted remote
| attackers to execute arbitrary commands via a crafted image name that
| is mishandled during a "Run a plugin" action.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-10081
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10081
[1] https://bugs.launchpad.net/shutter/+bug/1652600

Regards,
Salvatore

Information forwarded to debian-bugs-dist@lists.debian.org, Ryan Niebur <ryan@debian.org>:
Bug#849777; Package src:shutter. (Sat, 31 Dec 2016 11:42:07 GMT) (full text, mbox, link).

Acknowledgement sent to Christoph Biedl <debian.axhn@manchmal.in-ulm.de>:
Extra info received and forwarded to list. Copy sent to Ryan Niebur <ryan@debian.org>. (Sat, 31 Dec 2016 11:42:07 GMT) (full text, mbox, link).

Message #10 received at 849777@bugs.debian.org (full text, mbox, reply):

From: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 849777@bugs.debian.org
Subject: Re: shutter: CVE-2016-10081: Insecure use of perl exec()
Date: Sat, 31 Dec 2016 12:38:58 +0100
[Message part 1 (text/plain, inline)]
Salvatore Bonaccorso wrote...

> CVE-2016-10081[0]:
> | /usr/bin/shutter in Shutter through 0.93.1 allows user-assisted remote
> | attackers to execute arbitrary commands via a crafted image name that
> | is mishandled during a "Run a plugin" action.

*sigh* Single-argument usage of system/exec through the shell (...)</rant>

The patch attached uses the multi-argument invocation and also changes
it in the code path for non-Perl plugins. I wasn't able to exploit the
latter since it requires a file name without an extension (more
precisely: without a dot) that shutter still is willing to open. So a
file named (*in*cluding the quotes)

    ' ; xeyes ; '

on the offset plugin should do the trick but shutter didn't get that
far. But that's no excuse for keeping it this way.

Still requires more testing.

    Christoph

[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Ryan Niebur <ryan@debian.org>:
Bug#849777; Package src:shutter. (Sat, 31 Dec 2016 11:42:08 GMT) (full text, mbox, link).

Acknowledgement sent to Christoph Biedl <debian.axhn@manchmal.in-ulm.de>:
Extra info received and forwarded to list. Copy sent to Ryan Niebur <ryan@debian.org>. (Sat, 31 Dec 2016 11:42:08 GMT) (full text, mbox, link).

Message #15 received at 849777@bugs.debian.org (full text, mbox, reply):

From: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
To: Salvatore Bonaccorso <carnil@debian.org>, 849777@bugs.debian.org
Subject: Re: shutter: CVE-2016-10081: Insecure use of perl exec()
Date: Sat, 31 Dec 2016 12:39:57 +0100
[Message part 1 (text/plain, inline)]
Christoph Biedl wrote...

> The patch attached

[CVE-2016-10081.patch (text/x-diff, attachment)]
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Ryan Niebur <ryan@debian.org>:
Bug#849777; Package src:shutter. (Fri, 06 Jan 2017 18:36:06 GMT) (full text, mbox, link).

Acknowledgement sent to dod@debian.org:
Extra info received and forwarded to list. Copy sent to Ryan Niebur <ryan@debian.org>. (Fri, 06 Jan 2017 18:36:06 GMT) (full text, mbox, link).

Message #20 received at 849777@bugs.debian.org (full text, mbox, reply):

From: Dominique Dumont <dod@debian.org>
To: 849777@bugs.debian.org
Cc: Salvatore Bonaccorso <carnil@debian.org>, Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
Subject: Re: shutter: CVE-2016-10081: Insecure use of perl exec()
Date: Fri, 06 Jan 2017 19:33:07 +0100
On Sat, 31 Dec 2016 12:39:57 +0100 Christoph Biedl <debian.axhn@manchmal.in-
ulm.de> wrote:
> Christoph Biedl wrote...
> 
> > The patch attached

Thanks.

I've tested the patch and it's fine.

I've also created a patch to replace all system("big string") calls to 
system(@big_list) in all plugins to avoid similar problems.

I'll upload this soon :-) as a nmu :-(

All the best
-- 
 https://github.com/dod38fr/   -o- http://search.cpan.org/~ddumont/
http://ddumont.wordpress.com/  -o-   irc: dod at irc.debian.org

Information forwarded to debian-bugs-dist@lists.debian.org, Ryan Niebur <ryan@debian.org>:
Bug#849777; Package src:shutter. (Fri, 06 Jan 2017 21:03:03 GMT) (full text, mbox, link).

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Ryan Niebur <ryan@debian.org>. (Fri, 06 Jan 2017 21:03:03 GMT) (full text, mbox, link).

Message #25 received at 849777@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Dominique Dumont <dod@debian.org>
Cc: 849777@bugs.debian.org, Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
Subject: Re: shutter: CVE-2016-10081: Insecure use of perl exec()
Date: Fri, 6 Jan 2017 21:57:57 +0100
Hi Dominique,

On Fri, Jan 06, 2017 at 07:33:07PM +0100, Dominique Dumont wrote:
> On Sat, 31 Dec 2016 12:39:57 +0100 Christoph Biedl <debian.axhn@manchmal.in-
> ulm.de> wrote:
> > Christoph Biedl wrote...
> > 
> > > The patch attached
> 
> Thanks.
> 
> I've tested the patch and it's fine.
> 
> I've also created a patch to replace all system("big string") calls to 
> system(@big_list) in all plugins to avoid similar problems.
> 
> I'll upload this soon :-) as a nmu :-(

Thanks.

Btw, it would be good/great to forward any applied patch to upstream.

Regards,
Salvatore

Reply sent to Dominique Dumont <dod@debian.org>:
You have taken responsibility. (Fri, 06 Jan 2017 21:09:17 GMT) (full text, mbox, link).

Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 06 Jan 2017 21:09:17 GMT) (full text, mbox, link).

Message #30 received at 849777-close@bugs.debian.org (full text, mbox, reply):

From: Dominique Dumont <dod@debian.org>
To: 849777-close@bugs.debian.org
Subject: Bug#849777: fixed in shutter 0.93.1-1.3
Date: Fri, 06 Jan 2017 21:04:56 +0000
Source: shutter
Source-Version: 0.93.1-1.3

We believe that the bug you reported is fixed in the latest version of
shutter, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 849777@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dominique Dumont <dod@debian.org> (supplier of updated shutter package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 06 Jan 2017 21:07:32 +0100
Source: shutter
Binary: shutter
Architecture: source all
Version: 0.93.1-1.3
Distribution: unstable
Urgency: medium
Maintainer: Ryan Niebur <ryan@debian.org>
Changed-By: Dominique Dumont <dod@debian.org>
Description:
 shutter    - feature-rich screenshot program
Closes: 849777
Changes:
 shutter (0.93.1-1.3) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * add patch to fix CVE-2016-10081 (Closes: #849777)
   * add patch to secure system() calls
Checksums-Sha1:
 3eb73977d063975911797c3625b9daa36981232d 1845 shutter_0.93.1-1.3.dsc
 a7adcfe000650b6c22e118308ae7fadb7a6c2ae4 8072 shutter_0.93.1-1.3.debian.tar.xz
 995e10b02095f9b5c243360fe033f06a9cd3d00b 1611916 shutter_0.93.1-1.3_all.deb
 b6fec3089c406b671f51dd4f8fdfc1fcbb3f7a41 4538 shutter_0.93.1-1.3_amd64.buildinfo
Checksums-Sha256:
 7d5e2833dc2b5ee09a8bab7620368ca1ae66a3c875e61921d46a11219021cf9d 1845 shutter_0.93.1-1.3.dsc
 227a42fd52f676ff1d0b57a702de49c474baf9e931085d75f13399ebc862840d 8072 shutter_0.93.1-1.3.debian.tar.xz
 042b1fc515e723b1d1f56281ba001711783c38daa7e9ee311023a93f30d423e9 1611916 shutter_0.93.1-1.3_all.deb
 caae69f92d98d4a93e16dcad3a5ce6840e417ca5923579ed3529beecb1b9c866 4538 shutter_0.93.1-1.3_amd64.buildinfo
Files:
 80d1cfc290072f6ed9d54c7bfd59b9e0 1845 graphics optional shutter_0.93.1-1.3.dsc
 146ba3dadc179beb3f8e1276c185a48a 8072 graphics optional shutter_0.93.1-1.3.debian.tar.xz
 b1bb2362b2517ea75b797b1eb091cbd6 1611916 graphics optional shutter_0.93.1-1.3_all.deb
 0b20ef9c9edab27a13d5549379f6e824 4538 graphics optional shutter_0.93.1-1.3_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEn3I5/LZk8Qsz6dwDwx9P2UmrK2wFAlhv+bYACgkQwx9P2Umr
K2zFhw//WRT1BB7WeVosfn7i/Tyli7CAwtQzTIT7jmccB2esug+gxlmGgltx4UtW
2+UmTMnxpZaHo4TgbS0jfZgT30KxjrcC7bj7LBt4VgIXyhywANo0TlAenYUKfIyr
DWlN5pZih6G1amwBWmpSS/ajzghIlNY49nTrPSNlmS6q+PlTpRmsF3t6zKucTwkv
aBDE3V1JMAeSe0pmqdpaR5XbG+S/7t9MSZxFrQt6277biu1ZVF7vw03fk7mrlgrJ
mkpd1pqjNrSFYHvvRB7zIP5Jl6berV81e0b3L9+ZcoB3OINyk4Qt61e8jb/VgkcC
2Q/5PMxNIxFhO68klljIN5enpms4Sd9FTsOy6uAs6MPKiE9P6iBCK8+mZ0d5UtVN
60erPCkQ/erWk08tFJ3HWeuHvh+Kou3wz91bUWJ88wSNMH4BDQjHXXYsQmNnbyFh
PaCYzlDu06T/vq0yChSVkji6Yw+UcRFKdESTdE6vchDfSo42COtMaspkLJPXjuht
Xz+d4S1ZMW8Wvjp1U9AEiQjpFslfGHxvNuPohNPu+rX2te7bidJbl0lKaIbMpmO3
LvelxtuGqiGik9i3jHKu6H5M/beQrj8ifsKj9I1PLpNiM5U+s7s4GtQ1lH3SQfGL
7cTT7BNO9GhGJI0PVdyGJ9IJfWDElVXoguGIH7v0D+xY8VhQ0+M=
=VNFa
-----END PGP SIGNATURE-----

Information forwarded to debian-bugs-dist@lists.debian.org, Ryan Niebur <ryan@debian.org>:
Bug#849777; Package src:shutter. (Sat, 07 Jan 2017 08:24:05 GMT) (full text, mbox, link).

Acknowledgement sent to dod@debian.org:
Extra info received and forwarded to list. Copy sent to Ryan Niebur <ryan@debian.org>. (Sat, 07 Jan 2017 08:24:05 GMT) (full text, mbox, link).

Message #35 received at 849777@bugs.debian.org (full text, mbox, reply):

From: Dominique Dumont <dod@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 849777@bugs.debian.org, Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
Subject: Re: shutter: CVE-2016-10081: Insecure use of perl exec()
Date: Sat, 07 Jan 2017 09:22:06 +0100
On Friday, 6 January 2017 21:57:57 CET Salvatore Bonaccorso wrote:
> Btw, it would be good/great to forward any applied patch to upstream.

Done: https://bugs.launchpad.net/shutter/+bug/1652600/comments/6

(this is a bit confusing because launchpad is usually downstream...)

All the best
-- 
 https://github.com/dod38fr/   -o- http://search.cpan.org/~ddumont/
http://ddumont.wordpress.com/  -o-   irc: dod at irc.debian.org

Information forwarded to debian-bugs-dist@lists.debian.org, Ryan Niebur <ryan@debian.org>:
Bug#849777; Package src:shutter. (Thu, 02 Mar 2017 01:33:03 GMT) (full text, mbox, link).

Message #38 received at 849777@bugs.debian.org (full text, mbox, reply):

From: pkg-perl-maintainers@lists.alioth.debian.org
To: 849777@bugs.debian.org, 849777-submitter@bugs.debian.org
Subject: Pending fixes for bugs in the shutter package
Date: Thu, 02 Mar 2017 01:28:47 +0000
tag 849777 + pending
thanks

Some bugs in the shutter package are closed in revision
fb12f0fa979002ad8a3616d082332c7b25d20218 in branch 'master' by
Dominique Dumont

The full diff can be seen at
https://anonscm.debian.org/cgit/pkg-perl/packages/shutter.git/commit/?id=fb12f0f

Commit message:

    add patch to fix CVE-2016-10081 (Closes: #849777)

Added tag(s) pending. Request was from pkg-perl-maintainers@lists.alioth.debian.org to control@bugs.debian.org. (Thu, 02 Mar 2017 01:33:06 GMT) (full text, mbox, link).

Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#849777. (Thu, 02 Mar 2017 01:33:10 GMT) (full text, mbox, link).

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#849777; Package src:shutter. (Sat, 20 May 2017 20:42:06 GMT) (full text, mbox, link).

Message #46 received at 849777@bugs.debian.org (full text, mbox, reply):

From: pkg-perl-maintainers@lists.alioth.debian.org
To: 849777@bugs.debian.org, 849777-submitter@bugs.debian.org
Subject: Pending fixes for bugs in the shutter package
Date: Sat, 20 May 2017 20:40:15 +0000
tag 849777 + pending
thanks

Some bugs in the shutter package are closed in revision
87f106dd4f0049cf7c1b4f77929d059b229a90a9 in branch '  jessie' by
Dominique Dumont

The full diff can be seen at
https://anonscm.debian.org/cgit/pkg-perl/packages/shutter.git/commit/?id=87f106d

Commit message:

    add patch to fix CVE-2016-10081 (Closes: #849777)

Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#849777. (Sat, 20 May 2017 20:42:10 GMT) (full text, mbox, link).

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 18 Jun 2017 07:37:17 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:58:32 2019; Machine Name: beach

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started