[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#865542: marked as done (jessie-pu: package shutter/0.92-0.1+deb8u1)

Your message dated Sun, 25 Jun 2017 16:30:30 +0200
with message-id <20170625143030.xvfmcvm6qdhytmeu@jadzia.comodo.priv.at>
and subject line Re: Bug#865542: jessie-pu: package shutter/0.92-0.1+deb8u1
has caused the Debian Bug report #865542,
regarding jessie-pu: package shutter/0.92-0.1+deb8u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
865542: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=865542
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu


The attachment is debdiff for shutter to fix CVE-2016-10081 and use
secure system() call in jessie.


-- System Information:
Debian Release: 9.0
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'stable-debug'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

-- 
ChangZhuo Chen (陳昌倬) czchen@{czchen,debian}.org
http://czchen.info/
Key fingerprint = BA04 346D C2E1 FE63 C790  8793 CC65 B0CD EC27 5D5B

diff -Nru shutter-0.92/debian/changelog shutter-0.92/debian/changelog
--- shutter-0.92/debian/changelog	2016-12-21 02:00:20.000000000 +0800
+++ shutter-0.92/debian/changelog	2017-06-22 22:49:09.000000000 +0800
@@ -1,3 +1,11 @@
+shutter (0.92-0.1+deb8u2) jessie; urgency=medium
+
+  [ Dominique Dumont ]
+  * add patch to fix CVE-2016-10081 (Closes: #849777)
+  * add patch to secure system() calls
+
+ -- ChangZhuo Chen (陳昌倬) <czchen@debian.org>  Thu, 22 Jun 2017 22:49:09 +0800
+
 shutter (0.92-0.1+deb8u1) jessie; urgency=high
 
   * Fix insecure usage of system(). Closes: #798862 [CVE-2015-0854]
diff -Nru shutter-0.92/debian/patches/CVE-2016-10081.patch shutter-0.92/debian/patches/CVE-2016-10081.patch
--- shutter-0.92/debian/patches/CVE-2016-10081.patch	1970-01-01 08:00:00.000000000 +0800
+++ shutter-0.92/debian/patches/CVE-2016-10081.patch	2017-06-22 22:49:09.000000000 +0800
@@ -0,0 +1,42 @@
+Bug: https://bugs.launchpad.net/shutter/+bug/1652600
+Bug-Debian: https://bugs.debian.org/849777
+Author: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
+Description: fix insecure use of perl exec()
+ The patch attached uses the multi-argument invocation and also changes
+ it in the code path for non-Perl plugins.
+--- a/bin/shutter
++++ b/bin/shutter
+@@ -7159,8 +7159,13 @@
+             elsif ( $pid == 0 ) {
+ 
+                 #see Bug #661424
+-                my $qfilename = quotemeta $session_screens{$key}->{'long'};
+-                exec( sprintf( "$^X $plugin_value %d $qfilename $session_screens{$key}->{'width'} $session_screens{$key}->{'height'} $session_screens{$key}->{'filetype'}\n", $socket->get_id ) );
++                #my $qfilename = quotemeta $session_screens{$key}->{'long'};
++                exec( $^X, $plugin_value,
++                    $socket->get_id,
++                    $session_screens{$key}->{'long'},
++                    $session_screens{$key}->{'width'},
++                    $session_screens{$key}->{'height'},
++                    $session_screens{$key}->{'filetype'} );
+             }
+ 
+             $sdialog->show_all;
+@@ -7193,11 +7198,15 @@
+             my $plugin_process = Proc::Simple->new;
+ 
+             #see Bug #661424
+-            my $qfilename = quotemeta $session_screens{$key}->{'long'};
++            #my $qfilename = quotemeta $session_screens{$key}->{'long'};
+ 
+             $plugin_process->start(
+                 sub {
+-                    system("'$plugin_value' $qfilename '$session_screens{$key}->{'width'}' '$session_screens{$key}->{'height'}' '$session_screens{$key}->{'filetype'}' ");
++                    system( $plugin_value,
++                        $session_screens{$key}->{'long'},
++                        $session_screens{$key}->{'width'},
++                        $session_screens{$key}->{'height'},
++                        $session_screens{$key}->{'filetype'} );
+                     POSIX::_exit(0);
+                 }
+             );
diff -Nru shutter-0.92/debian/patches/fix-perl-system-calls shutter-0.92/debian/patches/fix-perl-system-calls
--- shutter-0.92/debian/patches/fix-perl-system-calls	1970-01-01 08:00:00.000000000 +0800
+++ shutter-0.92/debian/patches/fix-perl-system-calls	2017-06-22 22:49:09.000000000 +0800
@@ -0,0 +1,268 @@
+Author: dod
+Description: Fix perl system calls
+ This patch replaces all system("big string") calls to 
+ system(@big_list) in all plugins to avoid problems similar to CVE-2016-10081.
+--- a/share/shutter/resources/system/plugins/perl/sppolaroid/sppolaroid
++++ b/share/shutter/resources/system/plugins/perl/sppolaroid/sppolaroid
+@@ -349,9 +349,6 @@
+ 
+ sub apply_effect {
+ 
+-	#quote filename
+-	my $qfilename = quotemeta $filename;
+-
+ 	if ( $use_caption ) {
+ 
+ 		my $text = $caption_entry->get_text;
+@@ -360,27 +357,32 @@
+ 		$text = quotemeta $text;
+ 
+ 		my $color = $stroke_color->get_color;
+-			
+-		system( "convert -caption "
+-				. $text
+-				. " -fill '"
+-				. sprintf( "#%04x%04x%04x%04x", $color->red, $color->green, $color->blue, $stroke_color->get_alpha )
+-				. "' $qfilename -pointsize "
+-				. $pointsize_sbutton->get_value
+-				. " -gravity "
+-				. $gravity_combo->get_active_text
+-				. "  -bordercolor snow "
+-				. " -background black "
+-				. " -polaroid "
+-				. $angle_sbutton->get_value
+-				. " $tmpfilename" );
+-				
++
++		system(
++            convert =>
++            -caption => $text,
++            -fill => sprintf( "#%04x%04x%04x%04x",
++                              $color->red,
++                              $color->green,
++                              $color->blue,
++                              $stroke_color->get_alpha
++                          ),
++            $filename,
++            -pointsize => $pointsize_sbutton->get_value,
++            -gravity => $gravity_combo->get_active_text,
++            qw/-bordercolor snow -background black/,
++            -polaroid => $angle_sbutton->get_value,
++            $tmpfilename
++        );
+ 	} else {
+-		
+-		system( "convert $qfilename -bordercolor white -border 6 -bordercolor grey60 -border 1 -background none -rotate "
+-				. $angle_sbutton->get_value
+-				. " -background  black  \\( +clone -shadow 60x4+4+4 \\) +swap -background none -flatten $tmpfilename" );
+-	
++		system(
++            convert => $filename,
++            qw/-bordercolor white -border 6 -bordercolor grey60 -border 1 -background none/,
++            -rotate => $angle_sbutton->get_value,
++            -background => 'black',
++            qw/( +clone -shadow 60x4+4+4 ) +swap -background none/,
++            -flatten => $tmpfilename
++        );
+ 	}
+ 
+ }
+--- a/share/shutter/resources/system/plugins/perl/spwatermark/spwatermark
++++ b/share/shutter/resources/system/plugins/perl/spwatermark/spwatermark
+@@ -342,33 +342,27 @@
+ 	$text = strftime $text, localtime;
+ 	$text = quotemeta $text;
+ 
+-	#quote filename
+-	my $qfilename = quotemeta $filename;
+-
+ 	my $psize = $pointsize_sbutton->get_value;
+ 
+ 	my $color = $stroke_color->get_color;
+ 
+-	#execute imagemagick command		
+-	system(   "convert "
+-			. "-background '#00000000'" 
+-			. " -fill '"
+-			. sprintf( "#%04x%04x%04x%04x", $color->red, $color->green, $color->blue, $stroke_color->get_alpha )
+-			. "' -pointsize "
+-			. $psize
+-			. " -gravity "
+-			. $gravity_combo->get_active_text
+-			. " -rotate "
+-			. $angle_sbutton->get_value
+-			. " label:"
+-			. $text
+-			. " $tmpfilename" );
+-			
+-	system("composite $tmpfilename"		
+-			. " -gravity "
+-			. $gravity_combo->get_active_text
+-			. " $qfilename"
+-			. " $tmpfilename2" );
++	#execute imagemagick command
++	system(
++        convert =>
++        -background => '#00000000',
++        -fill => sprintf( "#%04x%04x%04x%04x", $color->red, $color->green, $color->blue, $stroke_color->get_alpha ),
++        -pointsize => $psize,
++        -gravity => $gravity_combo->get_active_text,
++        -rotate => $angle_sbutton->get_value,
++        "label:$text",
++        $tmpfilename
++    );
++
++	system(
++        composite => $tmpfilename,
++        -gravity => $gravity_combo->get_active_text,
++        $filename => $tmpfilename2
++    );
+ 
+ }
+ 
+--- a/share/shutter/resources/system/plugins/perl/spshadow/spshadow
++++ b/share/shutter/resources/system/plugins/perl/spshadow/spshadow
+@@ -368,24 +368,22 @@
+ 		$direction2 = "80x3-1-1";
+ 	}
+ 
+-	#quote filename
+-	my $qfilename = quotemeta $filename;
+-	
+-	#execute imagemagick command		
+-	system( "convert"
+-			. " $qfilename"
+-			. " -gravity northwest -background 'rgba(255,255,255,0)' -splice 10x10"
+-			. " \\( +clone -background '"
+-			. sprintf( "#%04x%04x%04x%04x", $scolor->red, $scolor->green, $scolor->blue, $shadow_color->get_alpha )
+-			. "' -shadow "
+-			. $direction2
+-			. " \\) +swap -background none -mosaic +repage"
+-			. " \\( +clone -background '"
+-			. sprintf( "#%04x%04x%04x%04x", $scolor->red, $scolor->green, $scolor->blue, $shadow_color->get_alpha )
+-			. "' -shadow "
+-			. $direction1
+-			. " \\) +swap -background none -mosaic +repage"
+-			. " $tmpfilename" );
++	#execute imagemagick command
++	system(
++        convert => $filename,
++        -gravity => 'northwest',
++        -background => 'rgba(255,255,255,0)',
++        -splice => '10x10',
++        qw/( +clone/,
++        -background => sprintf( "#%04x%04x%04x%04x", $scolor->red, $scolor->green, $scolor->blue, $shadow_color->get_alpha ),
++        -shadow => $direction2,
++        qw/) +swap -background none -mosaic +repage/,
++        qw/( +clone/,
++        -background => sprintf( "#%04x%04x%04x%04x", $scolor->red, $scolor->green, $scolor->blue, $shadow_color->get_alpha ),
++        -shadow => $direction1,
++        qw/) +swap -background none -mosaic +repage/,
++        $tmpfilename
++    );
+ 
+ }
+ 
+--- a/share/shutter/resources/system/plugins/perl/spbardistortion/spbardistortion
++++ b/share/shutter/resources/system/plugins/perl/spbardistortion/spbardistortion
+@@ -386,24 +386,13 @@
+ 
+ 	my $color = $back_color->get_color;
+ 
+-	#quote filename
+-	my $qfilename = quotemeta $filename;
+-
+ 	#execute imagemagick command		
+-	system(   "convert"
+-			. " -virtual-pixel Background -background '"
+-			. sprintf( "#%04x%04x%04x%04x", $color->red, $color->green, $color->blue, $back_color->get_alpha )
+-			. "' -distort Barrel '"
+-			. $c1_sbutton->get_value
+-			. " "
+-			. $c2_sbutton->get_value
+-			. " "
+-			. $c3_sbutton->get_value
+-			. " "
+-			. $c4_sbutton->get_value														
+-			. "' $qfilename"
+-			. " $tmpfilename" );
+-												
++	system (
++        qw/convert -virtual-pixel Background/,
++        -background => sprintf( "#%04x%04x%04x%04x", $color->red, $color->green, $color->blue, $back_color->get_alpha ),
++        -distort => Barrel => join(' ',$c1_sbutton->get_value, $c2_sbutton->get_value, $c3_sbutton->get_value, $c4_sbutton->get_value),
++        $filename, $tmpfilename
++    );
+ }
+ 
+ sub fct_update_gui {
+--- a/share/shutter/resources/modules/Shutter/Screenshot/Web.pm
++++ b/share/shutter/resources/modules/Shutter/Screenshot/Web.pm
+@@ -69,7 +69,13 @@
+ 		$self->{_url} = "http://".$self->{_url};
+ 	}
+ 	
+-	system("gnome-web-photo --timeout=$self->{_timeout} --mode=photo --width=$self->{_width} '$self->{_url}' '$self->{_dest_filename}'");
++	system(
++        'gnome-web-photo',
++        '--timeout='.$self->{_timeout},
++        '--mode=photo',
++        '--width='.$self->{_width},
++        $self->{_url}, $self->{_dest_filename}
++    );
+ 	
+ 	return TRUE;
+ }
+--- a/share/shutter/resources/modules/Shutter/App/HelperFunctions.pm
++++ b/share/shutter/resources/modules/Shutter/App/HelperFunctions.pm
+@@ -53,8 +53,7 @@
+ 
+ sub xdg_open {
+ 	my ( $self, $dialog, $link, $user_data ) = @_;
+-	my @args = ("xdg-open", $link);
+-	system(@args);
++	system("xdg-open", $link);
+ 	if($?){
+ 		my $response = $self->{_dialogs}->dlg_error_message( 
+ 			sprintf( $self->{_d}->get("Error while executing %s."), "'xdg-open'"),
+@@ -67,8 +66,12 @@
+ }
+ 
+ sub xdg_open_mail {
+-	my ( $self, $dialog, $mail, $user_data ) = @_;
+-	system("xdg-email $mail $user_data");
++	my ( $self, $dialog, $mail, @user_data ) = @_;
++
++    my @cmd = 'xdg-email';
++    push @cmd, $mail if $mail;
++	system(@cmd, @user_data);
++
+ 	if($?){
+ 		my $response = $self->{_dialogs}->dlg_error_message( 
+ 			sprintf( $self->{_d}->get("Error while executing %s."), "'xdg-email'"),
+@@ -82,7 +85,7 @@
+ 
+ sub nautilus_sendto {
+ 	my ( $self, $user_data ) = @_;
+-	system("nautilus-sendto $user_data &");
++	system('nautilus-sendto', $user_data);
+ 	if($?){
+ 		my $response = $self->{_dialogs}->dlg_error_message( 
+ 			sprintf( $self->{_d}->get("Error while executing %s."), "'nautilus-sendto'"),
+--- a/bin/shutter
++++ b/bin/shutter
+@@ -6967,12 +6967,9 @@
+             push( @files_to_email, $session_screens{$key}->{'uri'}->to_string );
+         }
+ 
+-        my $mail_string = undef;
+-        foreach my $email_filename (@files_to_email) {
+-            $mail_string .= "--attach '$email_filename' ";
+-        }
++        my @mail_args = map { ( '--attach' => $_ ) } @files_to_email;
+ 
+-        $shf->xdg_open_mail( undef, undef, $mail_string );
++        $shf->xdg_open_mail( undef, undef, @mail_args );
+ 
+         return TRUE;
+     }
diff -Nru shutter-0.92/debian/patches/series shutter-0.92/debian/patches/series
--- shutter-0.92/debian/patches/series	2016-12-21 02:00:20.000000000 +0800
+++ shutter-0.92/debian/patches/series	2017-06-22 22:49:09.000000000 +0800
@@ -1 +1,3 @@
 CVE-2015-0854.patch
+CVE-2016-10081.patch
+fix-perl-system-calls

Attachment: signature.asc
Description: PGP signature


--- End Message ---
--- Begin Message --- 
On Sun, 25 Jun 2017 22:23:19 +0800, ChangZhuo Chen (陳昌倬) wrote:

> On Sun, Jun 25, 2017 at 04:16:01PM +0200, Salvatore Bonaccorso wrote:
> > There is as well a pending jessie-pu from gregor herrmann, in #863049
> > whith at least both wanting to address CVE-2016-10081.
> We can drop this one since the only thing I do is to send gregor
> herrmann's work in git repo.

Ok, closing the bug.

The interesting thing about git is that I did push my proposed
upload, and git shows it (the "jessie"/"remotes/origin/jessie"
branch):

% git branch -va
  debian/experimental                e918e34 Update changelog
  jessie                             87dcb7a update changelog
* master                             47bc0e9 Update changelog
  pristine-tar                       ed4cb0d pristine-tar data for shutter_0.92.orig.tar.gz
  upstream                           ea65750 Imported Upstream version 0.93.1
  remotes/origin/HEAD                -> origin/master
  remotes/origin/debian/experimental e918e34 Update changelog
  remotes/origin/debian/jessie       3c70fce Update changelog
  remotes/origin/debian/wheezy       08f78e8 Import Debian changes 0.88.3-1+deb7u1
  remotes/origin/jessie              87dcb7a update changelog
  remotes/origin/master              47bc0e9 Update changelog
  remotes/origin/pristine-tar        ed4cb0d pristine-tar data for shutter_0.92.orig.tar.gz
  remotes/origin/upstream            ea65750 Imported Upstream version 0.93.1


For some reason, the cgit web frontend on alioth ignores it:
https://anonscm.debian.org/git/pkg-perl/packages/shutter.git


Cheers,
gregor

-- 
 .''`.  https://info.comodo.priv.at/ - Debian Developer https://www.debian.org
 : :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D  85FA BB3A 6801 8649 AA06
 `. `'  Member of VIBE!AT & SPI, fellow of the Free Software Foundation Europe
   `-   NP: Nick Cave And The Bad Seeds: Nature Boy

Attachment: signature.asc
Description: Digital Signature


--- End Message ---
Reply to: