Date: Sun, 13 Sep 2015 16:31:29 +0000
From: Luke Faraone <>
Subject: CVE-2015-0854: Insecure use of system() in shutter


In the "Shutter" screenshot application, I discovered that using the
"Show in folder" menu option while viewing a file with a
specially-crafted path allows for arbitrary code execution with the
permissions of the user running Shutter.

     1. Put an image in a folder called "$(xeyes)"
     2. Open the image in Shutter
     3. Right-click the image and click "Show in Folder"

The `xeyes` program (if installed on your system) should start.

Lines 54+ of
        sub xdg_open {
            my ( $self, $dialog, $link, $user_data ) = @_;
            # $link is interpolated unescaped into a single-string system();
            # Perl hands the string to /bin/sh when it contains metacharacters,
            # so a path like "$(xeyes)" is executed rather than opened.
            system("xdg-open $link");
        }

Because `system` is used, the string is scanned for shell
metacharacters[1], and, if found, the string is executed using a shell.


CVE-2015-0854 has been assigned for this issue.

This bug has existed since (at least) 0.85.1, and although a patch is
available a fixed version has not been released.

Upstream bug:
Debian bug:

Luke Faraone

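Added example (not Shutter's code, not from the report above): the vulnerable single-string `system()` pattern next to the list-form fix, run against a constructed path with a harmless `$(echo INJECTED)` directory name so the effect is visible without installing anything. `printf` stands in for `xdg-open` so the script only prints the argv the callee actually received; `needs_shell` is an assumed audit helper approximating the metacharacter set Perl uses to decide whether to involve a shell.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample path: the directory component is a shell command
# substitution, like the "$(xeyes)" folder in the report, but the payload
# is a harmless echo so the demo has no side effects.
my $link = '/tmp/$(echo INJECTED)/shot.png';

# Vulnerable shape (same as Shutter's xdg_open): one string to system().
# Perl sees metacharacters and runs "/bin/sh -c <string>", so "$(...)" is
# expanded before printf (or xdg-open) ever sees the path.
sub launch_vulnerable {
    my ($path) = @_;
    return system("printf '%s\\n' $path");
}

# Hardened shape: list form of system(). With more than one list element
# Perl calls execvp() directly; there is no shell, so no substitution,
# word splitting or redirection can happen. The path reaches the callee
# as a single argv entry, exactly as written.
sub launch_hardened {
    my ($path) = @_;
    return system('printf', '%s\n', $path);
}

# Audit helper (assumed, not a Perl built-in): true if a single-string
# system() or backticks would hand this string to /bin/sh. The character
# class approximates the set Perl checks for.
sub needs_shell {
    my ($s) = @_;
    return $s =~ /[\$`"'\\;&|<>()\[\]{}*?~!#\s]/ ? 1 : 0;
}

print "path would trigger a shell: ", needs_shell($link) ? "yes" : "no", "\n";

print "vulnerable form prints: ";
launch_vulnerable($link);   # /tmp/INJECTED/shot.png  (substitution ran)

print "hardened form prints:   ";
launch_hardened($link);     # /tmp/$(echo INJECTED)/shot.png  (literal)
```

The list form removes the shell from the call path, which is the whole fix here; it does not stop the called program from treating a path that begins with a dash as an option, so that remains a separate check when the argument comes from an untrusted file name.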
