Insecure use of system() allows arbitrary code execution via "Show in Folder"

Bug #1495163 reported by Luke Faraone
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Fix Released
shutter (Debian)
Fix Released
shutter (Ubuntu)
Fix Released

Bug Description

Using the "Show in folder" menu option while viewing a file with a specially-crafted path allows for arbitrary code execution with the permissions of the user running Shutter.

     1. Put an image in a folder called "$(xeyes)"
     2. Open the image in Shutter
     3. Right-click the image and click "Show in Folder"

The `xeyes` program (if installed on your system) should start.

Lines 54-65 of share/shutter/resources/modules/Shutter/App/
        sub xdg_open {
                my ( $self, $dialog, $link, $user_data ) = @_;
                system("xdg-open $link");

Because `system` is used, the string is scanned for shell
metacharacters[1], and if found the string is executed using a shell.


CVE-2015-0854 has been assigned for this issue by the Debian Security Team.

Tags: patch

CVE References

Revision history for this message
Luke Faraone (lfaraone) wrote :
Luke Faraone (lfaraone)
information type: Private Security → Public Security
Luke Faraone (lfaraone)
Changed in shutter (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
Changed in shutter (Debian):
status: Unknown → Confirmed
tags: added: patch
Revision history for this message
Robin Lee (cheeselee) wrote :

Luke's patch is not 'strict'. '@args' should have a 'my' declaration.

Revision history for this message
Robin Lee (cheeselee) wrote :

Shutter has several places using string style 'system'. Is only this 'system' vulnerable?

Changed in shutter (Debian):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shutter - 0.93.1-1ubuntu1

shutter (0.93.1-1ubuntu1) xenial; urgency=low

  * Merge from Debian unstable (LP: #1564122). Remaining changes:
   - debian/control: Recommend libgtk2-appindicator-perl.

shutter (0.93.1-1) unstable; urgency=medium

  * Non-maintainer upload.
  * New upstream release.
  * Fix insecure use of system() (Closes: #798862, LP: #1495163).
  * debian/rules: Install WebService/

 -- Andrew Starr-Bochicchio <email address hidden> Sat, 02 Apr 2016 11:22:14 -0400

Changed in shutter (Ubuntu):
status: Triaged → Fix Released
Revision history for this message
Michael Kogan (michael-kogan) wrote :

Applied Debian's patch in rev.1282.

Changed in shutter:
status: New → Fix Committed
Changed in shutter:
milestone: none → 0.94
Changed in shutter:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.