Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Hello release team,

CVE-2015-0854[1] hasn't been handled in jessie yet. The security team ACKed to use an upcoming point release for this. The shutter maintainer Ryan Niebur is in Cc:.

Find attached a debdiff based on the fixed stretch version 0.93.1-1; the original patch triggered a Perl error. Testing confirmed the described exploit no longer works then.

Regards,

Christoph

[1] https://security-tracker.debian.org/tracker/CVE-2015-0854
diff -Nru shutter-0.92/debian/changelog shutter-0.92/debian/changelog --- shutter-0.92/debian/changelog 2014-08-10 17:51:22.000000000 +0200 +++ shutter-0.92/debian/changelog 2016-12-20 19:00:20.000000000 +0100 @@ -1,3 +1,9 @@ +shutter (0.92-0.1+deb8u1) jessie; urgency=high + + * Fix insecure usage of system(). Closes: #798862 [CVE-2015-0854] + + -- Christoph Biedl <debian.axhn@manchmal.in-ulm.de> Tue, 20 Dec 2016 19:00:20 +0100 + shutter (0.92-0.1) unstable; urgency=medium * Non-maintainer upload. diff -Nru shutter-0.92/debian/patches/CVE-2015-0854.patch shutter-0.92/debian/patches/CVE-2015-0854.patch --- shutter-0.92/debian/patches/CVE-2015-0854.patch 1970-01-01 01:00:00.000000000 +0100 +++ shutter-0.92/debian/patches/CVE-2015-0854.patch 2016-12-20 18:59:57.000000000 +0100 @@ -0,0 +1,18 @@ +Description: Fix insecure use of system() +Author: Luke Faraone <lfaraone@debian.org> +ID: CVE-2015-0854 +Bug: https://bugs.launchpad.net/shutter/+bug/1495163 +Debian-Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=798862 + +--- a/share/shutter/resources/modules/Shutter/App/HelperFunctions.pm ++++ b/share/shutter/resources/modules/Shutter/App/HelperFunctions.pm +@@ -53,7 +53,8 @@ + + sub xdg_open { + my ( $self, $dialog, $link, $user_data ) = @_; +- system("xdg-open $link"); ++ my @args = ("xdg-open", $link); ++ system(@args); + if($?){ + my $response = $self->{_dialogs}->dlg_error_message( + sprintf( $self->{_d}->get("Error while executing %s."), "'xdg-open'"), diff -Nru shutter-0.92/debian/patches/series shutter-0.92/debian/patches/series --- shutter-0.92/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ shutter-0.92/debian/patches/series 2016-12-20 18:40:00.000000000 +0100 @@ -0,0 +1 @@ +CVE-2015-0854.patch
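Review bot: the changelog hunk records only "Fix insecure usage of system(). Closes: #798862 [CVE-2015-0854]" and does not say that this is not the patch first proposed for #798862; the cover mail states the original patch triggered a Perl error and that this one is taken from the stretch 0.93.1-1 fix, so a second changelog line such as "Patch taken from 0.93.1-1; the original patch triggered a Perl error." would keep that history visible to anyone tracing the jessie fix later.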
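Review bot: in the CVE-2015-0854.patch hunk the DEP-3 header spells the Debian bug field as `Debian-Bug:` where DEP-3 defines `Bug-Debian:`, and `ID:` is not a DEP-3 field, so the CVE reference would be better placed in the `Description:` line (for example `Description: Fix insecure use of system() (CVE-2015-0854)`) and an `Origin:`/`Applied-Upstream:` line added to say where the fix comes from. The code change itself is sound: replacing `system("xdg-open $link")` with the list form `system(@args)` passes `$link` as a single argv entry without invoking a shell, so metacharacters in the link are no longer interpreted, and the existing `if($?)` check still receives the exit status exactly as before.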