Your message dated Sun, 25 Jun 2017 16:30:30 +0200 with message-id <20170625143030.xvfmcvm6qdhytmeu@jadzia.comodo.priv.at> and subject line Re: Bug#865542: jessie-pu: package shutter/0.92-0.1+deb8u1 has caused the Debian Bug report #865542, regarding jessie-pu: package shutter/0.92-0.1+deb8u1 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) -- 865542: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=865542 Debian Bug Tracking System Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: jessie-pu: package shutter/0.92-0.1+deb8u1
- From: ChangZhuo Chen (陳昌倬) <czchen@debian.org>
- Date: Thu, 22 Jun 2017 22:56:12 +0800
- Message-id: <[🔎] 20170622145612.quqftouqlaesoz65@gmail.com>
Package: release.debian.org Severity: normal Tags: jessie User: release.debian.org@packages.debian.org Usertags: pu The attachment is debdiff for shutter to fix CVE-2016-10081 and use secure system() call in jessie. -- System Information: Debian Release: 9.0 APT prefers unstable-debug APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'stable-debug'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental-debug'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores) Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) -- ChangZhuo Chen (陳昌倬) czchen@{czchen,debian}.org http://czchen.info/ Key fingerprint = BA04 346D C2E1 FE63 C790 8793 CC65 B0CD EC27 5D5Bdiff -Nru shutter-0.92/debian/changelog shutter-0.92/debian/changelog --- shutter-0.92/debian/changelog 2016-12-21 02:00:20.000000000 +0800 +++ shutter-0.92/debian/changelog 2017-06-22 22:49:09.000000000 +0800 @@ -1,3 +1,11 @@ +shutter (0.92-0.1+deb8u2) jessie; urgency=medium + + [ Dominique Dumont ] + * add patch to fix CVE-2016-10081 (Closes: #849777) + * add patch to secure system() calls + + -- ChangZhuo Chen (陳昌倬) <czchen@debian.org> Thu, 22 Jun 2017 22:49:09 +0800 + shutter (0.92-0.1+deb8u1) jessie; urgency=high * Fix insecure usage of system(). Closes: #798862 [CVE-2015-0854] diff -Nru shutter-0.92/debian/patches/CVE-2016-10081.patch shutter-0.92/debian/patches/CVE-2016-10081.patch --- shutter-0.92/debian/patches/CVE-2016-10081.patch 1970-01-01 08:00:00.000000000 +0800 +++ shutter-0.92/debian/patches/CVE-2016-10081.patch 2017-06-22 22:49:09.000000000 +0800 @@ -0,0 +1,42 @@ +Bug: https://bugs.launchpad.net/shutter/+bug/1652600 +Bug-Debian: https://bugs.debian.org/849777 +Author: Christoph Biedl <debian.axhn@manchmal.in-ulm.de> +Description: fix insecure use of perl exec() + The patch attached uses the multi-argument invocation and also changes + it in the code path for non-Perl plugins. +--- a/bin/shutter ++++ b/bin/shutter +@@ -7159,8 +7159,13 @@ + elsif ( $pid == 0 ) { + + #see Bug #661424 +- my $qfilename = quotemeta $session_screens{$key}->{'long'}; +- exec( sprintf( "$^X $plugin_value %d $qfilename $session_screens{$key}->{'width'} $session_screens{$key}->{'height'} $session_screens{$key}->{'filetype'}\n", $socket->get_id ) ); ++ #my $qfilename = quotemeta $session_screens{$key}->{'long'}; ++ exec( $^X, $plugin_value, ++ $socket->get_id, ++ $session_screens{$key}->{'long'}, ++ $session_screens{$key}->{'width'}, ++ $session_screens{$key}->{'height'}, ++ $session_screens{$key}->{'filetype'} ); + } + + $sdialog->show_all; +@@ -7193,11 +7198,15 @@ + my $plugin_process = Proc::Simple->new; + + #see Bug #661424 +- my $qfilename = quotemeta $session_screens{$key}->{'long'}; ++ #my $qfilename = quotemeta $session_screens{$key}->{'long'}; + + $plugin_process->start( + sub { +- system("'$plugin_value' $qfilename '$session_screens{$key}->{'width'}' '$session_screens{$key}->{'height'}' '$session_screens{$key}->{'filetype'}' "); ++ system( $plugin_value, ++ $session_screens{$key}->{'long'}, ++ $session_screens{$key}->{'width'}, ++ $session_screens{$key}->{'height'}, ++ $session_screens{$key}->{'filetype'} ); + POSIX::_exit(0); + } + ); diff -Nru shutter-0.92/debian/patches/fix-perl-system-calls shutter-0.92/debian/patches/fix-perl-system-calls --- shutter-0.92/debian/patches/fix-perl-system-calls 1970-01-01 08:00:00.000000000 +0800 +++ shutter-0.92/debian/patches/fix-perl-system-calls 2017-06-22 22:49:09.000000000 +0800 @@ -0,0 +1,268 @@ +Author: dod +Description: Fix perl system calls + This patch replaces all system("big string") calls to + system(@big_list) in all plugins to avoid problems similar to CVE-2016-10081. +--- a/share/shutter/resources/system/plugins/perl/sppolaroid/sppolaroid ++++ b/share/shutter/resources/system/plugins/perl/sppolaroid/sppolaroid +@@ -349,9 +349,6 @@ + + sub apply_effect { + +- #quote filename +- my $qfilename = quotemeta $filename; +- + if ( $use_caption ) { + + my $text = $caption_entry->get_text; +@@ -360,27 +357,32 @@ + $text = quotemeta $text; + + my $color = $stroke_color->get_color; +- +- system( "convert -caption " +- . $text +- . " -fill '" +- . sprintf( "#%04x%04x%04x%04x", $color->red, $color->green, $color->blue, $stroke_color->get_alpha ) +- . "' $qfilename -pointsize " +- . $pointsize_sbutton->get_value +- . " -gravity " +- . $gravity_combo->get_active_text +- . " -bordercolor snow " +- . " -background black " +- . " -polaroid " +- . $angle_sbutton->get_value +- . " $tmpfilename" ); +- ++ ++ system( ++ convert => ++ -caption => $text, ++ -fill => sprintf( "#%04x%04x%04x%04x", ++ $color->red, ++ $color->green, ++ $color->blue, ++ $stroke_color->get_alpha ++ ), ++ $filename, ++ -pointsize => $pointsize_sbutton->get_value, ++ -gravity => $gravity_combo->get_active_text, ++ qw/-bordercolor snow -background black/, ++ -polaroid => $angle_sbutton->get_value, ++ $tmpfilename ++ ); + } else { +- +- system( "convert $qfilename -bordercolor white -border 6 -bordercolor grey60 -border 1 -background none -rotate " +- . $angle_sbutton->get_value +- . " -background black \\( +clone -shadow 60x4+4+4 \\) +swap -background none -flatten $tmpfilename" ); +- ++ system( ++ convert => $filename, ++ qw/-bordercolor white -border 6 -bordercolor grey60 -border 1 -background none/, ++ -rotate => $angle_sbutton->get_value, ++ -background => 'black', ++ qw/( +clone -shadow 60x4+4+4 ) +swap -background none/, ++ -flatten => $tmpfilename ++ ); + } + + } +--- a/share/shutter/resources/system/plugins/perl/spwatermark/spwatermark ++++ b/share/shutter/resources/system/plugins/perl/spwatermark/spwatermark +@@ -342,33 +342,27 @@ + $text = strftime $text, localtime; + $text = quotemeta $text; + +- #quote filename +- my $qfilename = quotemeta $filename; +- + my $psize = $pointsize_sbutton->get_value; + + my $color = $stroke_color->get_color; + +- #execute imagemagick command +- system( "convert " +- . "-background '#00000000'" +- . " -fill '" +- . sprintf( "#%04x%04x%04x%04x", $color->red, $color->green, $color->blue, $stroke_color->get_alpha ) +- . "' -pointsize " +- . $psize +- . " -gravity " +- . $gravity_combo->get_active_text +- . " -rotate " +- . $angle_sbutton->get_value +- . " label:" +- . $text +- . " $tmpfilename" ); +- +- system("composite $tmpfilename" +- . " -gravity " +- . $gravity_combo->get_active_text +- . " $qfilename" +- . " $tmpfilename2" ); ++ #execute imagemagick command ++ system( ++ convert => ++ -background => '#00000000', ++ -fill => sprintf( "#%04x%04x%04x%04x", $color->red, $color->green, $color->blue, $stroke_color->get_alpha ), ++ -pointsize => $psize, ++ -gravity => $gravity_combo->get_active_text, ++ -rotate => $angle_sbutton->get_value, ++ "label:$text", ++ $tmpfilename ++ ); ++ ++ system( ++ composite => $tmpfilename, ++ -gravity => $gravity_combo->get_active_text, ++ $filename => $tmpfilename2 ++ ); + + } + +--- a/share/shutter/resources/system/plugins/perl/spshadow/spshadow ++++ b/share/shutter/resources/system/plugins/perl/spshadow/spshadow +@@ -368,24 +368,22 @@ + $direction2 = "80x3-1-1"; + } + +- #quote filename +- my $qfilename = quotemeta $filename; +- +- #execute imagemagick command +- system( "convert" +- . " $qfilename" +- . " -gravity northwest -background 'rgba(255,255,255,0)' -splice 10x10" +- . " \\( +clone -background '" +- . sprintf( "#%04x%04x%04x%04x", $scolor->red, $scolor->green, $scolor->blue, $shadow_color->get_alpha ) +- . "' -shadow " +- . $direction2 +- . " \\) +swap -background none -mosaic +repage" +- . " \\( +clone -background '" +- . sprintf( "#%04x%04x%04x%04x", $scolor->red, $scolor->green, $scolor->blue, $shadow_color->get_alpha ) +- . "' -shadow " +- . $direction1 +- . " \\) +swap -background none -mosaic +repage" +- . " $tmpfilename" ); ++ #execute imagemagick command ++ system( ++ convert => $filename, ++ -gravity => 'northwest', ++ -background => 'rgba(255,255,255,0)', ++ -splice => '10x10', ++ qw/( +clone/, ++ -background => sprintf( "#%04x%04x%04x%04x", $scolor->red, $scolor->green, $scolor->blue, $shadow_color->get_alpha ), ++ -shadow => $direction2, ++ qw/) +swap -background none -mosaic +repage/, ++ qw/( +clone/, ++ -background => sprintf( "#%04x%04x%04x%04x", $scolor->red, $scolor->green, $scolor->blue, $shadow_color->get_alpha ), ++ -shadow => $direction1, ++ qw/) +swap -background none -mosaic +repage/, ++ $tmpfilename ++ ); + + } + +--- a/share/shutter/resources/system/plugins/perl/spbardistortion/spbardistortion ++++ b/share/shutter/resources/system/plugins/perl/spbardistortion/spbardistortion +@@ -386,24 +386,13 @@ + + my $color = $back_color->get_color; + +- #quote filename +- my $qfilename = quotemeta $filename; +- + #execute imagemagick command +- system( "convert" +- . " -virtual-pixel Background -background '" +- . sprintf( "#%04x%04x%04x%04x", $color->red, $color->green, $color->blue, $back_color->get_alpha ) +- . "' -distort Barrel '" +- . $c1_sbutton->get_value +- . " " +- . $c2_sbutton->get_value +- . " " +- . $c3_sbutton->get_value +- . " " +- . $c4_sbutton->get_value +- . "' $qfilename" +- . " $tmpfilename" ); +- ++ system ( ++ qw/convert -virtual-pixel Background/, ++ -background => sprintf( "#%04x%04x%04x%04x", $color->red, $color->green, $color->blue, $back_color->get_alpha ), ++ -distort => Barrel => join(' ',$c1_sbutton->get_value, $c2_sbutton->get_value, $c3_sbutton->get_value, $c4_sbutton->get_value), ++ $filename, $tmpfilename ++ ); + } + + sub fct_update_gui { +--- a/share/shutter/resources/modules/Shutter/Screenshot/Web.pm ++++ b/share/shutter/resources/modules/Shutter/Screenshot/Web.pm +@@ -69,7 +69,13 @@ + $self->{_url} = "http://".$self->{_url}; + } + +- system("gnome-web-photo --timeout=$self->{_timeout} --mode=photo --width=$self->{_width} '$self->{_url}' '$self->{_dest_filename}'"); ++ system( ++ 'gnome-web-photo', ++ '--timeout='.$self->{_timeout}, ++ '--mode=photo', ++ '--width='.$self->{_width}, ++ $self->{_url}, $self->{_dest_filename} ++ ); + + return TRUE; + } +--- a/share/shutter/resources/modules/Shutter/App/HelperFunctions.pm ++++ b/share/shutter/resources/modules/Shutter/App/HelperFunctions.pm +@@ -53,8 +53,7 @@ + + sub xdg_open { + my ( $self, $dialog, $link, $user_data ) = @_; +- my @args = ("xdg-open", $link); +- system(@args); ++ system("xdg-open", $link); + if($?){ + my $response = $self->{_dialogs}->dlg_error_message( + sprintf( $self->{_d}->get("Error while executing %s."), "'xdg-open'"), +@@ -67,8 +66,12 @@ + } + + sub xdg_open_mail { +- my ( $self, $dialog, $mail, $user_data ) = @_; +- system("xdg-email $mail $user_data"); ++ my ( $self, $dialog, $mail, @user_data ) = @_; ++ ++ my @cmd = 'xdg-email'; ++ push @cmd, $mail if $mail; ++ system(@cmd, @user_data); ++ + if($?){ + my $response = $self->{_dialogs}->dlg_error_message( + sprintf( $self->{_d}->get("Error while executing %s."), "'xdg-email'"), +@@ -82,7 +85,7 @@ + + sub nautilus_sendto { + my ( $self, $user_data ) = @_; +- system("nautilus-sendto $user_data &"); ++ system('nautilus-sendto', $user_data); + if($?){ + my $response = $self->{_dialogs}->dlg_error_message( + sprintf( $self->{_d}->get("Error while executing %s."), "'nautilus-sendto'"), +--- a/bin/shutter ++++ b/bin/shutter +@@ -6967,12 +6967,9 @@ + push( @files_to_email, $session_screens{$key}->{'uri'}->to_string ); + } + +- my $mail_string = undef; +- foreach my $email_filename (@files_to_email) { +- $mail_string .= "--attach '$email_filename' "; +- } ++ my @mail_args = map { ( '--attach' => $_ ) } @files_to_email; + +- $shf->xdg_open_mail( undef, undef, $mail_string ); ++ $shf->xdg_open_mail( undef, undef, @mail_args ); + + return TRUE; + } diff -Nru shutter-0.92/debian/patches/series shutter-0.92/debian/patches/series --- shutter-0.92/debian/patches/series 2016-12-21 02:00:20.000000000 +0800 +++ shutter-0.92/debian/patches/series 2017-06-22 22:49:09.000000000 +0800 @@ -1 +1,3 @@ CVE-2015-0854.patch +CVE-2016-10081.patch +fix-perl-system-callsAttachment: signature.asc
Description: PGP signature
--- End Message ---
--- Begin Message ---
- To: ChangZhuo Chen (陳昌倬) <czchen@debian.org>
- Cc: Salvatore Bonaccorso <carnil@debian.org>, 865542-done@bugs.debian.org
- Subject: Re: Bug#865542: jessie-pu: package shutter/0.92-0.1+deb8u1
- From: gregor herrmann <gregoa@debian.org>
- Date: Sun, 25 Jun 2017 16:30:30 +0200
- Message-id: <20170625143030.xvfmcvm6qdhytmeu@jadzia.comodo.priv.at>
- In-reply-to: <[🔎] 20170625142319.djqfp2ky4bz6yuxc@gmail.com>
- References: <[🔎] 20170622145612.quqftouqlaesoz65@gmail.com> <[🔎] 20170625141601.mhjhlexxyxazqtxj@eldamar.local> <[🔎] 20170625142319.djqfp2ky4bz6yuxc@gmail.com>
On Sun, 25 Jun 2017 22:23:19 +0800, ChangZhuo Chen (陳昌倬) wrote: > On Sun, Jun 25, 2017 at 04:16:01PM +0200, Salvatore Bonaccorso wrote: > > There is as well a pending jessie-pu from gregor herrmann, in #863049 > > whith at least both wanting to address CVE-2016-10081. > We can drop this one since the only thing I do is to send gregor > herrmann's work in git repo. Ok, closing the bug. The interesting thing about git is that I did push my proposed upload, and git shows it (the "jessie"/"remotes/origin/jessie" branch): % git branch -va debian/experimental e918e34 Update changelog jessie 87dcb7a update changelog * master 47bc0e9 Update changelog pristine-tar ed4cb0d pristine-tar data for shutter_0.92.orig.tar.gz upstream ea65750 Imported Upstream version 0.93.1 remotes/origin/HEAD -> origin/master remotes/origin/debian/experimental e918e34 Update changelog remotes/origin/debian/jessie 3c70fce Update changelog remotes/origin/debian/wheezy 08f78e8 Import Debian changes 0.88.3-1+deb7u1 remotes/origin/jessie 87dcb7a update changelog remotes/origin/master 47bc0e9 Update changelog remotes/origin/pristine-tar ed4cb0d pristine-tar data for shutter_0.92.orig.tar.gz remotes/origin/upstream ea65750 Imported Upstream version 0.93.1 For some reason, the cgit web frontend on alioth ignores it: https://anonscm.debian.org/git/pkg-perl/packages/shutter.git Cheers, gregor -- .''`. https://info.comodo.priv.at/ - Debian Developer https://www.debian.org : :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D 85FA BB3A 6801 8649 AA06 `. `' Member of VIBE!AT & SPI, fellow of the Free Software Foundation Europe `- NP: Nick Cave And The Bad Seeds: Nature BoyAttachment: signature.asc
Description: Digital Signature
--- End Message ---