Bug 21560

pushed in updates_testing
src.rpm:
        shutter-0.93.1-6.1.mga6
        shutter-0.93.1-1.2.mga5

Assignee: shlomif => qa-bugs

Nicolas: in Cauldron, you seem to have missed the patch from https://bugs.launchpad.net/shutter/+bug/1652600 - namely fix-perl-system-calls.patch .

CC: (none) => shlomif

Advisory:
========================

Updated shutter package fixes security vulnerability:

Remote attackers could trick users into assisting them in executing arbitrary
commands via a crafted image name that is mishandled during a "Run a plugin"
action (CVE-2016-10081).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10081
https://lists.opensuse.org/opensuse-updates/2017-08/msg00081.html
========================

Updated packages in core/updates_testing:
========================
shutter-0.93.1-1.2.mga5
shutter-0.93.1-6.1.mga6

from SRPMS:
shutter-0.93.1-1.2.mga5.src.rpm
shutter-0.93.1-6.1.mga6.src.rpm

Working on this for mga6 x86_64.
shutter is a very feature-rich screenshot application so it will take a while to explore.  Starting with the man page examples.

Setting up a profile is to be recommended.

CC: (none) => tarazed25

The description at https://bugs.launchpad.net/shutter/+bug/1652600
gives a procedure for reproducing the exploit but I had difficulties with it.

<quote>
STEPS TO REPRODUCE:
   1) Rename an image to something like "$(firefox)"
   2) Open the renamed file in shutter
   3) Click the "Run a plugin" option and select any plugin from the list and click "Run"

   You should see firefox browser opened as separate process.
</quote>

That looks pretty straightforward but in fact it does not work because the shutter interface filters files by their extensions, making it is impossible to find the renamed file.  Earlier a screenshot of the terminal had been saved with this name: lcl@belexeuli:~-qa-shutter_001.png.  Renaming it to '$(firefox)' rendered it invisible in the open dialogue with all supported image formats enabled.  The choices are that or an individual extension like JPG or PNG.  There is no 'all files' option.

Tested on mga6 - x86_64 - 3K monitor.

Used shutter to set up a user profile beforehand then installed the update.
Experimented with some of the options such as capturing the whole desktop, selecting a window and selecting an area of the screen.  Saved a screenshot to a different directory from the one defined in the profile and also saved a couple as one page PDFs.  All the images displayed correctly.

The package seems to be functioning as designed.  Attaching a screenshot of a single window.  The quality is indistinguishable from the original.

Created attachment 9617 [details]
shutter single window screenshot

Tested this on x86_64 for mga5.
Installed shutter and set up preferred storage directory.
Upstaed the package and used some of the menu options to store screenshots of the whole desktop, individual windows and a selected rgion of the desktop.  Exported one of the screenshots to a PDF file and viewed it as a one-page document.

OK for 64-bits.

Validating: 1 good OK per M5/M6; once more super work Len.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0292.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED