Bugzilla – Bug 945638
VUL-0: CVE-2015-0854: shutter: Insecure use of system() in shutter
Last modified: 2021-09-08 09:02:08 UTC
CVE-2015-0854

In the "Shutter" screenshot application, I discovered that using the "Show in folder" menu option while viewing a file with a specially-crafted path allows for arbitrary code execution with the permissions of the user running Shutter.

STEPS TO REPRODUCE:
1. Put an image in a folder called "$(xeyes)"
2. Open the image in Shutter
3. Right-click the image and click "Show in Folder"

The `xeyes` program (if installed on your system) should start.

Lines 54+ of share/shutter/resources/modules/Shutter/App/HelperFunctions.pm:

    sub xdg_open {
        my ( $self, $dialog, $link, $user_data ) = @_;
        system("xdg-open $link");
    }

Because `system` is used, the string is scanned for shell metacharacters, and if found the string is executed using a shell.

References:
https://bugs.launchpad.net/shutter/+bug/1495163
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0854
http://seclists.org/oss-sec/2015/q3/541
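The difference between the string and list forms of Perl's `system` that the report describes, as an added example that is not part of the original report or of Shutter's code. `echo` stands in for `xdg-open` so the argument it receives is visible; the sub names and the sample path are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

$| = 1;    # keep our own prints ordered with the child processes' output

# String form, as in the reported xdg_open sub: the path is interpolated
# into one command string. Perl finds shell metacharacters in it and
# hands the whole string to /bin/sh -c, which parses the path as shell.
sub open_via_shell {
    my ( $opener, $link ) = @_;
    return system("$opener $link");
}

# List form: Perl executes $opener directly and passes $link as a single
# argv element. No shell is involved, so the path is never parsed.
sub open_via_list {
    my ( $opener, $link ) = @_;
    return system( $opener, $link );
}

# Constructed sample path modelled on the report's "$(xeyes)" folder name;
# the substituted command here is a harmless echo.
my $link = '/tmp/$(echo SHELL-RAN)/image.png';

print "string form received: ";
open_via_shell( 'echo', $link );

print "list form received:   ";
open_via_list( 'echo', $link );
```

With the string form the opener receives a path in which the shell has already replaced the substitution with its output; with the list form it receives the directory name byte for byte.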
bugbot adjusting priority
Still unfixed in current Leap, please submit
https://build.opensuse.org/request/show/449244
Tumbleweed: https://build.opensuse.org/request/show/449568
Leap: https://build.opensuse.org/request/show/516217
Submissions have long been accepted.