Package: release.debian.org Severity: normal Tags: jessie User: release.debian....@packages.debian.org Usertags: pu
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 I've prepared an upload of shutter for stable. The new version includes two patches: - - one fixing CVE-2016-10081 / #849777 - - another one which dod uploaded together with this one as 0.93.1-1.3 in January which is also security relevant (replaces system("string") with system(@array)). Full debdiff attached. Cheers, gregor -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEE0eExbpOnYKgQTYX6uzpoAYZJqgYFAlkgqZJfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEQx RTEzMTZFOTNBNzYwQTgxMDREODVGQUJCM0E2ODAxODY0OUFBMDYACgkQuzpoAYZJ qgbWNA/8DPTaKOesYQ4tMjj580foTMqUu+G3qEk/UgqFhkhAFNoBXRJKVPiF4tkL V10CgEpEySMee18bVLSk08nWb0NJmuP8OSlcw43nspI2nRZIum7Vnsyf9rhOEd2o 0SzW8Z1/cNsRWhgy2UP5esinZmu9/djJBmSfc5E7bzH3tIYHc0H2wfnhys3uYOLk yyoCZf5u1JA/cTFRcIgGmX60PhrtZMPRtN3x63JYKCOqGPR4rBrb9aii4etKetEh lXMj8hF2ZShnJDXTXuI+rtq5i3KPuAhBr5bjqXuQJ4g2C8L1KHG9HYQB5XZNaafn 7oOa39fQXVA52hf/WBM6y+YICkO2EuVS+6bNcEJfWQaQN19NX/YdpkkzxCyuv3/Q rMNRHt9B3tZDeD99tGhvG8RbKyZbfbML+xfcOELLXNZhf+LjWb6hE4rtLJUirgB6 7FmiQwvOLPZc1tHXjLGEC6cvUt7jI95ZOCiQc/OtxrWPmRmJH88mYQJP1EQA0+gm RBQf6PlDvKMN+9/zPZxhK4lZbuQz6NN27B1De9f5kB2hESQphzCBpVqSs4ytsekc hGYGFt98igVGrZo244Of3FOSCZd0fxFCzaxOm0R2op/Z+AQgMmhiPY+0bO2fWYTc dkbLqtxwNZQEh3vesb08NN1bZUeXRshybi85g9TIam5QQBKFs64= =KPfu -----END PGP SIGNATURE-----
diff --git a/debian/changelog b/debian/changelog
index 009a696..af656ed 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+shutter (0.92-0.1+deb8u2) UNRELEASED; urgency=medium
+
+ [ Dominique Dumont ]
+ * add patch to fix CVE-2016-10081 (Closes: #849777)
+ * add patch to secure system() calls
+
+ -- gregor herrmann <gre...@debian.org> Sat, 20 May 2017 22:30:53 +0200
+
 shutter (0.92-0.1+deb8u1) jessie; urgency=high
 
 * Fix insecure usage of system(). Closes: #798862 [CVE-2015-0854]
diff --git a/debian/patches/CVE-2016-10081.patch b/debian/patches/CVE-2016-10081.patch
new file mode 100644
index 0000000..edd2ff8
--- /dev/null
+++ b/debian/patches/CVE-2016-10081.patch
@@ -0,0 +1,42 @@
+Bug: https://bugs.launchpad.net/shutter/+bug/1652600
+Bug-Debian: https://bugs.debian.org/849777
+Author: Christoph Biedl <debian.a...@manchmal.in-ulm.de>
+Description: fix insecure use of perl exec()
+ The patch attached uses the multi-argument invocation and also changes
+ it in the code path for non-Perl plugins.
+--- a/bin/shutter
++++ b/bin/shutter
+@@ -7159,8 +7159,13 @@
+ elsif ( $pid == 0 ) {
+
+ #see Bug #661424
+- my $qfilename = quotemeta $session_screens{$key}->{'long'};
+- exec( sprintf( "$^X $plugin_value %d $qfilename $session_screens{$key}->{'width'} $session_screens{$key}->{'height'} $session_screens{$key}->{'filetype'}\n", $socket->get_id ) );
++ #my $qfilename = quotemeta $session_screens{$key}->{'long'};
++ exec( $^X, $plugin_value,
++ $socket->get_id,
++ $session_screens{$key}->{'long'},
++ $session_screens{$key}->{'width'},
++ $session_screens{$key}->{'height'},
++ $session_screens{$key}->{'filetype'} );
+ }
+
+ $sdialog->show_all;
+@@ -7193,11 +7198,15 @@
+ my $plugin_process = Proc::Simple->new;
+
+ #see Bug #661424
+- my $qfilename = quotemeta $session_screens{$key}->{'long'};
++ #my $qfilename = quotemeta $session_screens{$key}->{'long'};
+
+ $plugin_process->start(
+ sub {
+- system("'$plugin_value' $qfilename '$session_screens{$key}->{'width'}' '$session_screens{$key}->{'height'}' '$session_screens{$key}->{'filetype'}' ");
++ system( $plugin_value,
++ $session_screens{$key}->{'long'},
++ $session_screens{$key}->{'width'},
++ $session_screens{$key}->{'height'},
++ $session_screens{$key}->{'filetype'} );
+ POSIX::_exit(0);
+ }
+ );
diff --git a/debian/patches/fix-perl-system-calls b/debian/patches/fix-perl-system-calls
new file mode 100644
index 0000000..6de4ac5
--- /dev/null
+++ b/debian/patches/fix-perl-system-calls
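Review bot: The new list-form `exec(...)` at the top of the first hunk is still unchecked: unlike the old shell string, it returns false when `$plugin_value` cannot be executed, and since this looks like the child side of a fork (`$pid == 0`), the child would then fall out of the `elsif` and keep running the parent's GUI code as a duplicate process. Append `or POSIX::_exit(1)` to the call (`POSIX::_exit` is already used in the second hunk), ideally after a `warn "exec $plugin_value: $!"`. The `#my $qfilename = quotemeta …` lines kept in both hunks are dead code, and the `#see Bug #661424` comments above them now point at a workaround that no longer exists; delete the commented lines and reword the comment to something like `# list-form exec/system: no shell, so the filename needs no quoting (Bug #661424)`. In the second hunk the Proc::Simple child still calls `POSIX::_exit(0)` whatever `system` returned, so a failing plugin is reported as success; `POSIX::_exit( $? == -1 ? 127 : $? >> 8 )` would preserve the status. The enclosing routines start before and end after both hunks.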
@@ -0,0 +1,268 @@
+Author: dod
+Description: Fix perl system calls
+ This patch replaces all system("big string") calls to
+ system(@big_list) in all plugins to avoid problems similar to CVE-2016-10081.
+--- a/share/shutter/resources/system/plugins/perl/sppolaroid/sppolaroid
++++ b/share/shutter/resources/system/plugins/perl/sppolaroid/sppolaroid
+@@ -349,9 +349,6 @@
+
+ sub apply_effect {
+
+- #quote filename
+- my $qfilename = quotemeta $filename;
+-
+ if ( $use_caption ) {
+
+ my $text = $caption_entry->get_text;
+@@ -360,27 +357,32 @@
+ $text = quotemeta $text;
+
+ my $color = $stroke_color->get_color;
+-
+- system( "convert -caption "
+- . $text
+- . " -fill '"
+- . sprintf( "#%04x%04x%04x%04x", $color->red, $color->green, $color->blue, $stroke_color->get_alpha )
+- . "' $qfilename -pointsize "
+- . $pointsize_sbutton->get_value
+- . " -gravity "
+- . $gravity_combo->get_active_text
+- . " -bordercolor snow "
+- . " -background black "
+- . " -polaroid "
+- . $angle_sbutton->get_value
+- . " $tmpfilename" );
+-
++
++ system(
++ convert =>
++ -caption => $text,
++ -fill => sprintf( "#%04x%04x%04x%04x",
++ $color->red,
++ $color->green,
++ $color->blue,
++ $stroke_color->get_alpha
++ ),
++ $filename,
++ -pointsize => $pointsize_sbutton->get_value,
++ -gravity => $gravity_combo->get_active_text,
++ qw/-bordercolor snow -background black/,
++ -polaroid => $angle_sbutton->get_value,
++ $tmpfilename
++ );
+ } else {
+-
+- system( "convert $qfilename -bordercolor white -border 6 -bordercolor grey60 -border 1 -background none -rotate "
+- . $angle_sbutton->get_value
+- . " -background black \\( +clone -shadow 60x4+4+4 \\) +swap -background none -flatten $tmpfilename" );
+-
++ system(
++ convert => $filename,
++ qw/-bordercolor white -border 6 -bordercolor grey60 -border 1 -background none/,
++ -rotate => $angle_sbutton->get_value,
++ -background => 'black',
++ qw/( +clone -shadow 60x4+4+4 ) +swap -background none/,
++ -flatten => $tmpfilename
++ );
+ }
+
+ }
+--- a/share/shutter/resources/system/plugins/perl/spwatermark/spwatermark
++++ b/share/shutter/resources/system/plugins/perl/spwatermark/spwatermark
+@@ -342,33 +342,27 @@
+ $text = strftime $text, localtime;
+ $text = quotemeta $text;
+
+- #quote filename
+- my $qfilename = quotemeta $filename;
+-
+ my $psize = $pointsize_sbutton->get_value;
+
+ my $color = $stroke_color->get_color;
+
+- #execute imagemagick command
+- system( "convert "
+- . "-background '#00000000'"
+- . " -fill '"
+- . sprintf( "#%04x%04x%04x%04x", $color->red, $color->green, $color->blue, $stroke_color->get_alpha )
+- . "' -pointsize "
+- . $psize
+- . " -gravity "
+- . $gravity_combo->get_active_text
+- . " -rotate "
+- . $angle_sbutton->get_value
+- . " label:"
+- . $text
+- . " $tmpfilename" );
+-
+- system("composite $tmpfilename"
+- . " -gravity "
+- . $gravity_combo->get_active_text
+- . " $qfilename"
+- . " $tmpfilename2" );
++ #execute imagemagick command
++ system(
++ convert =>
++ -background => '#00000000',
++ -fill => sprintf( "#%04x%04x%04x%04x", $color->red, $color->green, $color->blue, $stroke_color->get_alpha ),
++ -pointsize => $psize,
++ -gravity => $gravity_combo->get_active_text,
++ -rotate => $angle_sbutton->get_value,
++ "label:$text",
++ $tmpfilename
++ );
++
++ system(
++ composite => $tmpfilename,
++ -gravity => $gravity_combo->get_active_text,
++ $filename => $tmpfilename2
++ );
+
+ }
+
+--- a/share/shutter/resources/system/plugins/perl/spshadow/spshadow
++++ b/share/shutter/resources/system/plugins/perl/spshadow/spshadow
+@@ -368,24 +368,22 @@
+ $direction2 = "80x3-1-1";
+ }
+
+- #quote filename
+- my $qfilename = quotemeta $filename;
+-
+- #execute imagemagick command
+- system( "convert"
+- . " $qfilename"
+- . " -gravity northwest -background 'rgba(255,255,255,0)' -splice 10x10"
+- . " \\( +clone -background '"
+- . sprintf( "#%04x%04x%04x%04x", $scolor->red, $scolor->green, $scolor->blue, $shadow_color->get_alpha )
+- . "' -shadow "
+- . $direction2
+- . " \\) +swap -background none -mosaic +repage"
+- . " \\( +clone -background '"
+- . sprintf( "#%04x%04x%04x%04x", $scolor->red, $scolor->green, $scolor->blue, $shadow_color->get_alpha )
+- . "' -shadow "
+- . $direction1
+- . " \\) +swap -background none -mosaic +repage"
+- . " $tmpfilename" );
++ #execute imagemagick command
++ system(
++ convert => $filename,
++ -gravity => 'northwest',
++ -background => 'rgba(255,255,255,0)',
++ -splice => '10x10',
++ qw/( +clone/,
++ -background => sprintf( "#%04x%04x%04x%04x", $scolor->red, $scolor->green, $scolor->blue, $shadow_color->get_alpha ),
++ -shadow => $direction2,
++ qw/) +swap -background none -mosaic +repage/,
++ qw/( +clone/,
++ -background => sprintf( "#%04x%04x%04x%04x", $scolor->red, $scolor->green, $scolor->blue, $shadow_color->get_alpha ),
++ -shadow => $direction1,
++ qw/) +swap -background none -mosaic +repage/,
++ $tmpfilename
++ );
+
+ }
+
+--- a/share/shutter/resources/system/plugins/perl/spbardistortion/spbardistortion
++++ b/share/shutter/resources/system/plugins/perl/spbardistortion/spbardistortion
+@@ -386,24 +386,13 @@
+
+ my $color = $back_color->get_color;
+
+- #quote filename
+- my $qfilename = quotemeta $filename;
+-
+ #execute imagemagick command
+- system( "convert"
+- . " -virtual-pixel Background -background '"
+- . sprintf( "#%04x%04x%04x%04x", $color->red, $color->green, $color->blue, $back_color->get_alpha )
+- . "' -distort Barrel '"
+- . $c1_sbutton->get_value
+- . " "
+- . $c2_sbutton->get_value
+- . " "
+- . $c3_sbutton->get_value
+- . " "
+- . $c4_sbutton->get_value
+- . "' $qfilename"
+- . " $tmpfilename" );
+-
++ system (
++ qw/convert -virtual-pixel Background/,
++ -background => sprintf( "#%04x%04x%04x%04x", $color->red, $color->green, $color->blue, $back_color->get_alpha ),
++ -distort => Barrel => join(' ',$c1_sbutton->get_value, $c2_sbutton->get_value, $c3_sbutton->get_value, $c4_sbutton->get_value),
++ $filename, $tmpfilename
++ );
+ }
+
+ sub fct_update_gui {
+--- a/share/shutter/resources/modules/Shutter/Screenshot/Web.pm
++++ b/share/shutter/resources/modules/Shutter/Screenshot/Web.pm
+@@ -69,7 +69,13 @@
+ $self->{_url} = "http://".$self->{_url};
+ }
+
+- system("gnome-web-photo --timeout=$self->{_timeout} --mode=photo --width=$self->{_width} '$self->{_url}' '$self->{_dest_filename}'");
++ system(
++ 'gnome-web-photo',
++ '--timeout='.$self->{_timeout},
++ '--mode=photo',
++ '--width='.$self->{_width},
++ $self->{_url}, $self->{_dest_filename}
++ );
+
+ return TRUE;
+ }
+--- a/share/shutter/resources/modules/Shutter/App/HelperFunctions.pm
++++ b/share/shutter/resources/modules/Shutter/App/HelperFunctions.pm
+@@ -53,8 +53,7 @@
+
+ sub xdg_open {
+ my ( $self, $dialog, $link, $user_data ) = @_;
+- my @args = ("xdg-open", $link);
+- system(@args);
++ system("xdg-open", $link);
+ if($?){
+ my $response = $self->{_dialogs}->dlg_error_message(
+ sprintf( $self->{_d}->get("Error while executing %s."), "'xdg-open'"),
+@@ -67,8 +66,12 @@
+ }
+
+ sub xdg_open_mail {
+- my ( $self, $dialog, $mail, $user_data ) = @_;
+- system("xdg-email $mail $user_data");
++ my ( $self, $dialog, $mail, @user_data ) = @_;
++
++ my @cmd = 'xdg-email';
++ push @cmd, $mail if $mail;
++ system(@cmd, @user_data);
++
+ if($?){
+ my $response = $self->{_dialogs}->dlg_error_message(
+ sprintf( $self->{_d}->get("Error while executing %s."), "'xdg-email'"),
+@@ -82,7 +85,7 @@
+
+ sub nautilus_sendto {
+ my ( $self, $user_data ) = @_;
+- system("nautilus-sendto $user_data &");
++ system('nautilus-sendto', $user_data);
+ if($?){
+ my $response = $self->{_dialogs}->dlg_error_message(
+ sprintf( $self->{_d}->get("Error while executing %s."), "'nautilus-sendto'"),
+--- a/bin/shutter
++++ b/bin/shutter
+@@ -6967,12 +6967,9 @@
+ push( @files_to_email, $session_screens{$key}->{'uri'}->to_string );
+ }
+
+- my $mail_string = undef;
+- foreach my $email_filename (@files_to_email) {
+- $mail_string .= "--attach '$email_filename' ";
+- }
++ my @mail_args = map { ( '--attach' => $_ ) } @files_to_email;
+
+- $shf->xdg_open_mail( undef, undef, $mail_string );
++ $shf->xdg_open_mail( undef, undef, @mail_args );
+
+ return TRUE;
+ }
diff --git a/debian/patches/series b/debian/patches/series
index 7a8d251..cc5108b 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,3 @@
 CVE-2015-0854.patch
+CVE-2016-10081.patch
+fix-perl-system-calls
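Review bot: In the sppolaroid and spwatermark hunks the caption text is still passed through `$text = quotemeta $text;` (visible as a context line just above the rewritten calls), but with list-form `system` there is no shell to strip those backslashes any more, so `-caption` and `label:` now receive the text with a backslash in front of every space and punctuation character; that line should be deleted in both plugins along with the `$qfilename` one. In `nautilus_sendto` the trailing `&` was dropped, so `system('nautilus-sendto', $user_data)` now blocks the GTK main loop until the sendto dialog is closed, and `$user_data` becomes a single argv element — if any caller hands it several space-separated URIs (none are visible here) they would now arrive as one argument, and the same caveat applies to any caller of `xdg_open_mail` other than the bin/shutter one updated in this patch, since its last parameter changed from a string to a list. To keep sendto non-blocking without a shell, fork and `exec('nautilus-sendto', @files)` in the child (the Proc::Simple pattern already used in bin/shutter would do) rather than reintroducing a command string. The subs touched in HelperFunctions.pm begin and end outside their hunks.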