Date: Sun, 13 Sep 2015 16:31:29 +0000
From: Luke Faraone <lfaraone@...ian.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2015-0854: Insecure use of system() in shutter

Hello,

In the "Shutter" screenshot application, I discovered that using the
"Show in folder" menu option while viewing a file with a
specially-crafted path allows for arbitrary code execution with the
permissions of the user running Shutter.

STEPS TO REPRODUCE:
     1. Put an image in a folder called "$(xeyes)"
     2. Open the image in Shutter
     3. Right-click the image and click "Show in Folder"

The `xeyes` program (if installed on your system) should start.

Lines 54+ of
share/shutter/resources/modules/Shutter/App/HelperFunctions.pm:
        sub xdg_open {
            my ( $self, $dialog, $link, $user_data ) = @_;
            system("xdg-open $link");
        }

Because `system` is used, the string is scanned for shell
metacharacters[1], and if found the string is executed using a shell.

[1]: http://perldoc.perl.org/functions/system.html

CVE-2015-0854 has been assigned for this issue.

This bug has existed since (at least) 0.85.1, and although a patch is
available, a fixed version has not been released.

Upstream bug: https://bugs.launchpad.net/shutter/+bug/1495163
Debian bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=798862

Regards,
Luke Faraone
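
The single-string and list forms of Perl's `system`, side by side, as an added example (not Shutter's code and not the upstream patch). It assumes `echo` as a stand-in for `xdg-open` so it runs without a desktop session; the sample path and the sub names are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Stand-in for xdg-open (assumption): echo prints the arguments that the
# launched program actually receives.
my $OPENER = 'echo';

# Constructed sample path: the directory name contains a shell command
# substitution built from a harmless marker command.
my $link = '/tmp/$(echo INJECTED)/shot.png';

# Before: single-string form, as in the quoted xdg_open. Perl finds shell
# metacharacters in the string and hands the whole line to /bin/sh -c,
# so the shell expands $(...) before the opener sees the path.
sub open_shell_form {
    my ($path) = @_;
    return system("$OPENER $path");
}

# After: list form. With more than one argument Perl starts the program
# directly and passes $path as a single argv entry; no shell parses it.
sub open_list_form {
    my ($path) = @_;
    my $rc = system( $OPENER, $path );
    warn "could not start $OPENER: $!\n" if $rc == -1;
    return $rc;
}

$| = 1;    # flush our own labels before the child process writes

print "shell form, opener receives: ";
open_shell_form($link);

print "list form, opener receives:  ";
open_list_form($link);
```

Comparing the two printed paths shows whether the directory name reached the opener verbatim or was rewritten by the shell first.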

