Bug#848908: jessie-pu: package shutter/0.92-0.1+deb8u1

To: Debian Bug Tracking System <submit@bugs.debian.org>
Cc: Ryan Niebur <ryan@debian.org>
Subject: Bug#848908: jessie-pu: package shutter/0.92-0.1+deb8u1
From: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
Date: Tue, 20 Dec 2016 19:12:33 +0100
Message-id: <[🔎] 1482257179@msgid.manchmal.in-ulm.de>
Reply-to: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>, 848908@bugs.debian.org

Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Hello release team,

CVE-2015-0854[1] hasn't been handled in jessie yet. The security team
ACKed to use an upcoming point release for this. The shutter maintainer
Ryan Niebur is in Cc:.

Find attached a debdiff based on the fixed stretch version 0.93.1-1,
the original patch triggered a Perl error.

Testing confirmed the described exploit no longer works then.

Regards,

    Christoph

[1] https://security-tracker.debian.org/tracker/CVE-2015-0854

diff -Nru shutter-0.92/debian/changelog shutter-0.92/debian/changelog
--- shutter-0.92/debian/changelog	2014-08-10 17:51:22.000000000 +0200
+++ shutter-0.92/debian/changelog	2016-12-20 19:00:20.000000000 +0100
@@ -1,3 +1,9 @@
+shutter (0.92-0.1+deb8u1) jessie; urgency=high
+
+  * Fix insecure usage of system(). Closes: #798862 [CVE-2015-0854]
+
+ -- Christoph Biedl <debian.axhn@manchmal.in-ulm.de>  Tue, 20 Dec 2016 19:00:20 +0100
+
 shutter (0.92-0.1) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -Nru shutter-0.92/debian/patches/CVE-2015-0854.patch shutter-0.92/debian/patches/CVE-2015-0854.patch
--- shutter-0.92/debian/patches/CVE-2015-0854.patch	1970-01-01 01:00:00.000000000 +0100
+++ shutter-0.92/debian/patches/CVE-2015-0854.patch	2016-12-20 18:59:57.000000000 +0100
@@ -0,0 +1,18 @@
+Description: Fix insecure use of system()
+Author: Luke Faraone <lfaraone@debian.org>
+ID: CVE-2015-0854
+Bug: https://bugs.launchpad.net/shutter/+bug/1495163
+Debian-Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=798862
+
+--- a/share/shutter/resources/modules/Shutter/App/HelperFunctions.pm
++++ b/share/shutter/resources/modules/Shutter/App/HelperFunctions.pm
+@@ -53,7 +53,8 @@
+ 
+ sub xdg_open {
+ 	my ( $self, $dialog, $link, $user_data ) = @_;
+-	system("xdg-open $link");
++	my @args = ("xdg-open", $link);
++	system(@args);
+ 	if($?){
+ 		my $response = $self->{_dialogs}->dlg_error_message( 
+ 			sprintf( $self->{_d}->get("Error while executing %s."), "'xdg-open'"),
diff -Nru shutter-0.92/debian/patches/series shutter-0.92/debian/patches/series
--- shutter-0.92/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ shutter-0.92/debian/patches/series	2016-12-20 18:40:00.000000000 +0100
@@ -0,0 +1 @@
+CVE-2015-0854.patch

Attachment: signature.asc
Description: Digital signature

Reply to:

Follow-Ups:
- Processed: Re: Bug#848908: jessie-pu: package shutter/0.92-0.1+deb8u1
  - From: owner@bugs.debian.org (Debian Bug Tracking System)
- Bug#848908: jessie-pu: package shutter/0.92-0.1+deb8u1
  - From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Processed: Re: Bug#848908: jessie-pu: package shutter/0.92-0.1+deb8u1
  - From: owner@bugs.debian.org (Debian Bug Tracking System)

Prev by Date: Re: Bug#846385: imagemagick: Potential ABI break upstream (without SONAME change)
Next by Date: Bug#848610: jessie-pu: package pgpdump/0.28-1+deb8u1
Previous by thread: Processed: release.debian.org: Update Ubuntu patch
Next by thread: Processed: Re: Bug#848908: jessie-pu: package shutter/0.92-0.1+deb8u1
Index(es):
- Date
- Thread