Package: release.debian.org Severity: normal Tags: jessie User: release.debian.org@packages.debian.org Usertags: pu The attached debdiff for shutter fixes CVE-2016-10081 and switches to secure system() calls in jessie. -- System Information: Debian Release: 9.0 APT prefers unstable-debug APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'stable-debug'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental-debug'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores) Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) -- ChangZhuo Chen (陳昌倬) czchen@{czchen,debian}.org http://czchen.info/ Key fingerprint = BA04 346D C2E1 FE63 C790 8793 CC65 B0CD EC27 5D5B
diff -Nru shutter-0.92/debian/changelog shutter-0.92/debian/changelog
--- shutter-0.92/debian/changelog 2016-12-21 02:00:20.000000000 +0800
+++ shutter-0.92/debian/changelog 2017-06-22 22:49:09.000000000 +0800
@@ -1,3 +1,11 @@
+shutter (0.92-0.1+deb8u2) jessie; urgency=medium
+
+ [ Dominique Dumont ]
+ * add patch to fix CVE-2016-10081 (Closes: #849777)
+ * add patch to secure system() calls
+
+ -- ChangZhuo Chen (陳昌倬) <czchen@debian.org> Thu, 22 Jun 2017 22:49:09 +0800
+
 shutter (0.92-0.1+deb8u1) jessie; urgency=high
 
 * Fix insecure usage of system(). Closes: #798862 [CVE-2015-0854]
diff -Nru shutter-0.92/debian/patches/CVE-2016-10081.patch shutter-0.92/debian/patches/CVE-2016-10081.patch
--- shutter-0.92/debian/patches/CVE-2016-10081.patch 1970-01-01 08:00:00.000000000 +0800
+++ shutter-0.92/debian/patches/CVE-2016-10081.patch 2017-06-22 22:49:09.000000000 +0800
@@ -0,0 +1,42 @@
+Bug: https://bugs.launchpad.net/shutter/+bug/1652600
+Bug-Debian: https://bugs.debian.org/849777
+Author: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
+Description: fix insecure use of perl exec()
+ The patch attached uses the multi-argument invocation and also changes
+ it in the code path for non-Perl plugins.
+--- a/bin/shutter
++++ b/bin/shutter
+@@ -7159,8 +7159,13 @@
+ elsif ( $pid == 0 ) {
+
+ #see Bug #661424
+- my $qfilename = quotemeta $session_screens{$key}->{'long'};
+- exec( sprintf( "$^X $plugin_value %d $qfilename $session_screens{$key}->{'width'} $session_screens{$key}->{'height'} $session_screens{$key}->{'filetype'}\n", $socket->get_id ) );
++ #my $qfilename = quotemeta $session_screens{$key}->{'long'};
++ exec( $^X, $plugin_value,
++ $socket->get_id,
++ $session_screens{$key}->{'long'},
++ $session_screens{$key}->{'width'},
++ $session_screens{$key}->{'height'},
++ $session_screens{$key}->{'filetype'} );
+ }
+
+ $sdialog->show_all;
+@@ -7193,11 +7198,15 @@
+ my $plugin_process = Proc::Simple->new;
+
+ #see Bug #661424
+- my $qfilename = quotemeta $session_screens{$key}->{'long'};
++ #my $qfilename = quotemeta $session_screens{$key}->{'long'};
+
+ $plugin_process->start(
+ sub {
+- system("'$plugin_value' $qfilename '$session_screens{$key}->{'width'}' '$session_screens{$key}->{'height'}' '$session_screens{$key}->{'filetype'}' ");
++ system( $plugin_value,
++ $session_screens{$key}->{'long'},
++ $session_screens{$key}->{'width'},
++ $session_screens{$key}->{'height'},
++ $session_screens{$key}->{'filetype'} );
+ POSIX::_exit(0);
+ }
+ );
diff -Nru shutter-0.92/debian/patches/fix-perl-system-calls shutter-0.92/debian/patches/fix-perl-system-calls
--- shutter-0.92/debian/patches/fix-perl-system-calls 1970-01-01 08:00:00.000000000 +0800
+++ shutter-0.92/debian/patches/fix-perl-system-calls 2017-06-22 22:49:09.000000000 +0800
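Review bot: In the first bin/shutter hunk of CVE-2016-10081.patch, the forked child has no handling for a failed `exec`: if the interpreter or plugin cannot be started, `exec` returns and, as far as the hunk shows, the child leaves the `elsif ( $pid == 0 )` block and carries on with `$sdialog->show_all` in a second copy of the GUI process. Close the call with `) or POSIX::_exit(1);` (POSIX::_exit is already used in the second hunk of this file) so the child always terminates. In the second hunk the result of `system(...)` is discarded and the child always ends with `POSIX::_exit(0)`, so a plugin that fails to start or exits non-zero looks like success; `POSIX::_exit( $? == 0 ? 0 : 1 );` would pass the outcome on. The commented-out `#my $qfilename = quotemeta ...` lines are dead code and can be dropped together with the stale bug reference if it no longer applies. Both enclosing blocks begin and end outside the hunks.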
@@ -0,0 +1,268 @@ +Author: dod +Description: Fix perl system calls + This patch replaces all system("big string") calls to + system(@big_list) in all plugins to avoid problems similar to CVE-2016-10081. +--- a/share/shutter/resources/system/plugins/perl/sppolaroid/sppolaroid ++++ b/share/shutter/resources/system/plugins/perl/sppolaroid/sppolaroid +@@ -349,9 +349,6 @@ + + sub apply_effect { + +- #quote filename +- my $qfilename = quotemeta $filename; +- + if ( $use_caption ) { + + my $text = $caption_entry->get_text; +@@ -360,27 +357,32 @@ + $text = quotemeta $text; + + my $color = $stroke_color->get_color; +- +- system( "convert -caption " +- . $text +- . " -fill '" +- . sprintf( "#%04x%04x%04x%04x", $color->red, $color->green, $color->blue, $stroke_color->get_alpha ) +- . "' $qfilename -pointsize " +- . $pointsize_sbutton->get_value +- . " -gravity " +- . $gravity_combo->get_active_text +- . " -bordercolor snow " +- . " -background black " +- . " -polaroid " +- . $angle_sbutton->get_value +- . " $tmpfilename" ); +- ++ ++ system( ++ convert => ++ -caption => $text, ++ -fill => sprintf( "#%04x%04x%04x%04x", ++ $color->red, ++ $color->green, ++ $color->blue, ++ $stroke_color->get_alpha ++ ), ++ $filename, ++ -pointsize => $pointsize_sbutton->get_value, ++ -gravity => $gravity_combo->get_active_text, ++ qw/-bordercolor snow -background black/, ++ -polaroid => $angle_sbutton->get_value, ++ $tmpfilename ++ ); + } else { +- +- system( "convert $qfilename -bordercolor white -border 6 -bordercolor grey60 -border 1 -background none -rotate " +- . $angle_sbutton->get_value +- . 
" -background black \\( +clone -shadow 60x4+4+4 \\) +swap -background none -flatten $tmpfilename" ); +- ++ system( ++ convert => $filename, ++ qw/-bordercolor white -border 6 -bordercolor grey60 -border 1 -background none/, ++ -rotate => $angle_sbutton->get_value, ++ -background => 'black', ++ qw/( +clone -shadow 60x4+4+4 ) +swap -background none/, ++ -flatten => $tmpfilename ++ ); + } + + } +--- a/share/shutter/resources/system/plugins/perl/spwatermark/spwatermark ++++ b/share/shutter/resources/system/plugins/perl/spwatermark/spwatermark +@@ -342,33 +342,27 @@ + $text = strftime $text, localtime; + $text = quotemeta $text; + +- #quote filename +- my $qfilename = quotemeta $filename; +- + my $psize = $pointsize_sbutton->get_value; + + my $color = $stroke_color->get_color; + +- #execute imagemagick command +- system( "convert " +- . "-background '#00000000'" +- . " -fill '" +- . sprintf( "#%04x%04x%04x%04x", $color->red, $color->green, $color->blue, $stroke_color->get_alpha ) +- . "' -pointsize " +- . $psize +- . " -gravity " +- . $gravity_combo->get_active_text +- . " -rotate " +- . $angle_sbutton->get_value +- . " label:" +- . $text +- . " $tmpfilename" ); +- +- system("composite $tmpfilename" +- . " -gravity " +- . $gravity_combo->get_active_text +- . " $qfilename" +- . 
" $tmpfilename2" ); ++ #execute imagemagick command ++ system( ++ convert => ++ -background => '#00000000', ++ -fill => sprintf( "#%04x%04x%04x%04x", $color->red, $color->green, $color->blue, $stroke_color->get_alpha ), ++ -pointsize => $psize, ++ -gravity => $gravity_combo->get_active_text, ++ -rotate => $angle_sbutton->get_value, ++ "label:$text", ++ $tmpfilename ++ ); ++ ++ system( ++ composite => $tmpfilename, ++ -gravity => $gravity_combo->get_active_text, ++ $filename => $tmpfilename2 ++ ); + + } + +--- a/share/shutter/resources/system/plugins/perl/spshadow/spshadow ++++ b/share/shutter/resources/system/plugins/perl/spshadow/spshadow +@@ -368,24 +368,22 @@ + $direction2 = "80x3-1-1"; + } + +- #quote filename +- my $qfilename = quotemeta $filename; +- +- #execute imagemagick command +- system( "convert" +- . " $qfilename" +- . " -gravity northwest -background 'rgba(255,255,255,0)' -splice 10x10" +- . " \\( +clone -background '" +- . sprintf( "#%04x%04x%04x%04x", $scolor->red, $scolor->green, $scolor->blue, $shadow_color->get_alpha ) +- . "' -shadow " +- . $direction2 +- . " \\) +swap -background none -mosaic +repage" +- . " \\( +clone -background '" +- . sprintf( "#%04x%04x%04x%04x", $scolor->red, $scolor->green, $scolor->blue, $shadow_color->get_alpha ) +- . "' -shadow " +- . $direction1 +- . " \\) +swap -background none -mosaic +repage" +- . 
" $tmpfilename" ); ++ #execute imagemagick command ++ system( ++ convert => $filename, ++ -gravity => 'northwest', ++ -background => 'rgba(255,255,255,0)', ++ -splice => '10x10', ++ qw/( +clone/, ++ -background => sprintf( "#%04x%04x%04x%04x", $scolor->red, $scolor->green, $scolor->blue, $shadow_color->get_alpha ), ++ -shadow => $direction2, ++ qw/) +swap -background none -mosaic +repage/, ++ qw/( +clone/, ++ -background => sprintf( "#%04x%04x%04x%04x", $scolor->red, $scolor->green, $scolor->blue, $shadow_color->get_alpha ), ++ -shadow => $direction1, ++ qw/) +swap -background none -mosaic +repage/, ++ $tmpfilename ++ ); + + } + +--- a/share/shutter/resources/system/plugins/perl/spbardistortion/spbardistortion ++++ b/share/shutter/resources/system/plugins/perl/spbardistortion/spbardistortion +@@ -386,24 +386,13 @@ + + my $color = $back_color->get_color; + +- #quote filename +- my $qfilename = quotemeta $filename; +- + #execute imagemagick command +- system( "convert" +- . " -virtual-pixel Background -background '" +- . sprintf( "#%04x%04x%04x%04x", $color->red, $color->green, $color->blue, $back_color->get_alpha ) +- . "' -distort Barrel '" +- . $c1_sbutton->get_value +- . " " +- . $c2_sbutton->get_value +- . " " +- . $c3_sbutton->get_value +- . " " +- . $c4_sbutton->get_value +- . "' $qfilename" +- . 
" $tmpfilename" ); +- ++ system ( ++ qw/convert -virtual-pixel Background/, ++ -background => sprintf( "#%04x%04x%04x%04x", $color->red, $color->green, $color->blue, $back_color->get_alpha ), ++ -distort => Barrel => join(' ',$c1_sbutton->get_value, $c2_sbutton->get_value, $c3_sbutton->get_value, $c4_sbutton->get_value), ++ $filename, $tmpfilename ++ ); + } + + sub fct_update_gui { +--- a/share/shutter/resources/modules/Shutter/Screenshot/Web.pm ++++ b/share/shutter/resources/modules/Shutter/Screenshot/Web.pm +@@ -69,7 +69,13 @@ + $self->{_url} = "http://".$self->{_url}; + } + +- system("gnome-web-photo --timeout=$self->{_timeout} --mode=photo --width=$self->{_width} '$self->{_url}' '$self->{_dest_filename}'"); ++ system( ++ 'gnome-web-photo', ++ '--timeout='.$self->{_timeout}, ++ '--mode=photo', ++ '--width='.$self->{_width}, ++ $self->{_url}, $self->{_dest_filename} ++ ); + + return TRUE; + } +--- a/share/shutter/resources/modules/Shutter/App/HelperFunctions.pm ++++ b/share/shutter/resources/modules/Shutter/App/HelperFunctions.pm +@@ -53,8 +53,7 @@ + + sub xdg_open { + my ( $self, $dialog, $link, $user_data ) = @_; +- my @args = ("xdg-open", $link); +- system(@args); ++ system("xdg-open", $link); + if($?){ + my $response = $self->{_dialogs}->dlg_error_message( + sprintf( $self->{_d}->get("Error while executing %s."), "'xdg-open'"), +@@ -67,8 +66,12 @@ + } + + sub xdg_open_mail { +- my ( $self, $dialog, $mail, $user_data ) = @_; +- system("xdg-email $mail $user_data"); ++ my ( $self, $dialog, $mail, @user_data ) = @_; ++ ++ my @cmd = 'xdg-email'; ++ push @cmd, $mail if $mail; ++ system(@cmd, @user_data); ++ + if($?){ + my $response = $self->{_dialogs}->dlg_error_message( + sprintf( $self->{_d}->get("Error while executing %s."), "'xdg-email'"), +@@ -82,7 +85,7 @@ + + sub nautilus_sendto { + my ( $self, $user_data ) = @_; +- system("nautilus-sendto $user_data &"); ++ system('nautilus-sendto', $user_data); + if($?){ + my $response = 
$self->{_dialogs}->dlg_error_message( + sprintf( $self->{_d}->get("Error while executing %s."), "'nautilus-sendto'"), +--- a/bin/shutter ++++ b/bin/shutter +@@ -6967,12 +6967,9 @@ + push( @files_to_email, $session_screens{$key}->{'uri'}->to_string ); + } + +- my $mail_string = undef; +- foreach my $email_filename (@files_to_email) { +- $mail_string .= "--attach '$email_filename' "; +- } ++ my @mail_args = map { ( '--attach' => $_ ) } @files_to_email; + +- $shf->xdg_open_mail( undef, undef, $mail_string ); ++ $shf->xdg_open_mail( undef, undef, @mail_args ); + + return TRUE; + } diff -Nru shutter-0.92/debian/patches/series shutter-0.92/debian/patches/series --- shutter-0.92/debian/patches/series 2016-12-21 02:00:20.000000000 +0800 +++ shutter-0.92/debian/patches/series 2017-06-22 22:49:09.000000000 +0800 @@ -1 +1,3 @@ CVE-2015-0854.patch +CVE-2016-10081.patch +fix-perl-system-calls
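Review bot: In the sppolaroid and spwatermark sections of fix-perl-system-calls, the context line `$text = quotemeta $text;` is kept while `$text` now goes through list-form `system()` (`-caption => $text`, `"label:$text"`), so no shell removes the backslashes and any caption containing spaces or punctuation will be rendered with literal backslashes; drop the `quotemeta` there, as was done for `$qfilename`. In HelperFunctions.pm, `system('nautilus-sendto', $user_data)` changes more than quoting: the trailing `&` is gone, so the call now blocks until nautilus-sendto exits, and `$user_data` arrives as one single argument, which breaks any caller (not visible here) that packs several file names into one string. Such callers would need to pass a list, as `xdg_open_mail` now does with `@user_data`. List form removes the shell but not the called program's own argument parsing, so `$filename`, `$self->{_url}` and `$user_data` would still be read as options if they ever start with `-`; whether they are always absolute paths or scheme-prefixed URLs cannot be confirmed from this diff.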