| Summary: | shutter new security issue CVE-2015-0854 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | geiger.david68210, pterjan, shlomif, sysadmin-bugs, wilcal.int |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/658311/ | ||
| Whiteboard: | advisory MGA5-32-OK MGA5-64-OK | ||
| Source RPM: | shutter-0.93-5.mga6.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2015-09-14 23:46:42 CEST
David Walser
2015-09-14 23:46:57 CEST
CC:
(none) =>
geiger.david68210, pterjan It seems that current shutter for mga5 is still broken: https://bugs.mageia.org/show_bug.cgi?id=14541 On mga5 with current shutter I get: $ shutter defined(@array) is deprecated at /usr/bin/shutter line 3727. (Maybe you should just omit the defined()?) defined(@array) is deprecated at /usr/bin/shutter line 3738. (Maybe you should just omit the defined()?) WARNING: Image::ExifTool is missing --> writing Exif information will be disabled! WARNING: Gtk2::AppIndicator is missing --> there will be no icon showing up in the status bar when running Unity! Cannot decode string with wide characters at /usr/lib/perl5/5.20.1/x86_64-linux-thread-multi/Encode.pm line 215, <DATA> line 19. ---------------------------------------------------- So I applied, locally and rebuild shutter, upstream patch to fix CVE and add another patch to fix 'defined(@array)' error and add missing recommends on perl-Image-ExifTool: https://launchpadlibrarian.net/217813576/CVE-2015-0854.patch http://svnweb.mageia.org/packages/cauldron/shutter/current/SOURCES/shutter-0.93-fix-defined-array.patch?view=markup&pathrev=854409 Now I get: $ shutter WARNING: Gtk2::AppIndicator is missing --> there will be no icon showing up in the status bar when running Unity! Global symbol "@args" requires explicit package name at /usr/share/shutter/resources/modules/Shutter/App/HelperFunctions.pm line 56. Global symbol "@args" requires explicit package name at /usr/share/shutter/resources/modules/Shutter/App/HelperFunctions.pm line 57. Compilation failed in require at /usr/bin/shutter line 148. -------------------------------------------------------- Seems that upstream patch broke more our shutter. Hi David and David! I've taken a look and fixed the problems in the patch (the definition of @args was missing a "my" declaration), and submitted a new Cauldron version and a new version in Mageia 5's core/updates_testing . See http://pkgsubmit.mageia.org/ . CC:
(none) =>
shlomif Thanks Shlomi! Advisory: ======================== Updated shutter package fixes security vulnerability: In the "Shutter" screenshot application, it was discovered that using the "Show in folder" menu option while viewing a file with a specially-crafted path allows for arbitrary code execution with the permissions of the user running Shutter (CVE-2015-0854). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0854 http://openwall.com/lists/oss-security/2015/09/13/2 ======================== Updated packages in core/updates_testing: ======================== shutter-0.93-4.1.mga5 from shutter-0.93-4.1.mga5.src.rpm Version:
Cauldron =>
5 In VirtualBox, M5, KDE, 32-bit Package(s) under test: shutter default install of shutter [root@localhost wilcal]# urpmi shutter Package shutter-0.93-4.mga5.noarch is already installed Using shutter I can capture a part of the Firefox browser to a png file. I can then edit that captured image with Gimp. install shutter from updates_testing [root@localhost wilcal]# urpmi shutter Package shutter-0.93-4.1.mga5.noarch is already installed Using shutter I can capture a part of the Firefox browser to a png file. I can then edit that captured image with Gimp. Test platform: Vbox 5.0.2 CC:
(none) =>
wilcal.int In VirtualBox, M5, KDE, 64-bit Package(s) under test: shutter default install of shutter [root@localhost wilcal]# urpmi shutter Package shutter-0.93-4.mga5.noarch is already installed Using shutter I can capture a part of the Firefox browser to a png file. I can then edit that captured image with Gimp. install shutter from updates_testing [root@localhost wilcal]# urpmi shutter Package shutter-0.93-4.1.mga5.noarch is already installed Using shutter I can capture a part of the Firefox browser to a png file. I can then edit that captured image with Gimp. Test platform: Vbox 5.0.2 Whiteboard:
MGA5-32-OK =>
MGA5-32-OK MGA5-64-OK This update works fine. Testing complete for MGA5, 32-bit & 64-bit Validating the update. Could someone from the sysadmin team push to updates. Thanks Keywords:
(none) =>
validated_update Advisory uploaded. Whiteboard:
MGA5-32-OK MGA5-64-OK =>
advisory MGA5-32-OK MGA5-64-OK I'm not 100% agree to validate this update because of bug 14541 that is still not fixed for now. For me on a mga5_64 french system, shutter does not work/start as it should: ------------------------------------------ $ shutter WARNING: Image::ExifTool is missing --> writing Exif information will be disabled! WARNING: Gtk2::AppIndicator is missing --> there will be no icon showing up in the status bar when running Unity! Cannot decode string with wide characters at /usr/lib/perl5/5.20.1/x86_64-linux-thread-multi/Encode.pm line 215, <DATA> line 19. ------------------------------------------ If I want make shutter usable I must run shutter with 'LC_ALL=C' : ------------------------------------------ $ LC_ALL=C shutter WARNING: Image::ExifTool is missing --> writing Exif information will be disabled! WARNING: Gtk2::AppIndicator is missing --> there will be no icon showing up in the status bar when running Unity! ------------------------------------------ Also shutter is misses a Recommends on perl-Image-ExifTool. What do you think Shlomi? Unvalidating for now. Keywords:
validated_update =>
(none) This is a security bug not a functional bug. That should be a separate issue. (In reply to claire robinson from comment #9) > What do you think Shlomi? Unvalidating for now. The problems reported by "David GEIGER" are unrelated to this security fix, and will hopefully be fixed at a later date. But we should ship this security update now instead of later. Rome was not built in a day. I agree, and bug 14541 seems to be a very long standing one, so there is no regression in this security update. Keywords:
(none) =>
validated_update So we can allow this to move on and leave 14541 as a separate issue? Indeed, that's why I readded the validated_update keyword. Yep, I thought Shlomi might be able to respond quickly to the query. Let's not hold this up though. (In reply to claire robinson from comment #15) > Yep, I thought Shlomi might be able to respond quickly to the query. He did in comment 11 :) I meant with a fix :P An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0380.html Status:
NEW =>
RESOLVED
David Walser
2015-09-24 18:58:00 CEST
URL:
(none) =>
http://lwn.net/Vulnerabilities/658311/ |