A security issue in shutter has been announced on September 13: http://openwall.com/lists/oss-security/2015/09/13/2 There is apparently a patch available. Reproducible: Steps to Reproduce:
CC: (none) => geiger.david68210, pterjanWhiteboard: (none) => MGA5TOO
It seems that current shutter for mga5 is still broken: https://bugs.mageia.org/show_bug.cgi?id=14541 On mga5 with current shutter I get: $ shutter defined(@array) is deprecated at /usr/bin/shutter line 3727. (Maybe you should just omit the defined()?) defined(@array) is deprecated at /usr/bin/shutter line 3738. (Maybe you should just omit the defined()?) WARNING: Image::ExifTool is missing --> writing Exif information will be disabled! WARNING: Gtk2::AppIndicator is missing --> there will be no icon showing up in the status bar when running Unity! Cannot decode string with wide characters at /usr/lib/perl5/5.20.1/x86_64-linux-thread-multi/Encode.pm line 215, <DATA> line 19. ---------------------------------------------------- So I applied, locally and rebuild shutter, upstream patch to fix CVE and add another patch to fix 'defined(@array)' error and add missing recommends on perl-Image-ExifTool: https://launchpadlibrarian.net/217813576/CVE-2015-0854.patch http://svnweb.mageia.org/packages/cauldron/shutter/current/SOURCES/shutter-0.93-fix-defined-array.patch?view=markup&pathrev=854409 Now I get: $ shutter WARNING: Gtk2::AppIndicator is missing --> there will be no icon showing up in the status bar when running Unity! Global symbol "@args" requires explicit package name at /usr/share/shutter/resources/modules/Shutter/App/HelperFunctions.pm line 56. Global symbol "@args" requires explicit package name at /usr/share/shutter/resources/modules/Shutter/App/HelperFunctions.pm line 57. Compilation failed in require at /usr/bin/shutter line 148. -------------------------------------------------------- Seems that upstream patch broke more our shutter.
Hi David and David! I've taken a look and fixed the problems in the patch (the definition of @args was missing a "my" declaration), and submitted a new Cauldron version and a new version in Mageia 5's core/updates_testing . See http://pkgsubmit.mageia.org/ .
CC: (none) => shlomif
Thanks Shlomi! Advisory: ======================== Updated shutter package fixes security vulnerability: In the "Shutter" screenshot application, it was discovered that using the "Show in folder" menu option while viewing a file with a specially-crafted path allows for arbitrary code execution with the permissions of the user running Shutter (CVE-2015-0854). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0854 http://openwall.com/lists/oss-security/2015/09/13/2 ======================== Updated packages in core/updates_testing: ======================== shutter-0.93-4.1.mga5 from shutter-0.93-4.1.mga5.src.rpm
Version: Cauldron => 5Assignee: bugsquad => qa-bugsWhiteboard: MGA5TOO => (none)
In VirtualBox, M5, KDE, 32-bit Package(s) under test: shutter default install of shutter [root@localhost wilcal]# urpmi shutter Package shutter-0.93-4.mga5.noarch is already installed Using shutter I can capture a part of the Firefox browser to a png file. I can then edit that captured image with Gimp. install shutter from updates_testing [root@localhost wilcal]# urpmi shutter Package shutter-0.93-4.1.mga5.noarch is already installed Using shutter I can capture a part of the Firefox browser to a png file. I can then edit that captured image with Gimp. Test platform: Vbox 5.0.2
CC: (none) => wilcal.intWhiteboard: (none) => MGA5-32-OK
In VirtualBox, M5, KDE, 64-bit Package(s) under test: shutter default install of shutter [root@localhost wilcal]# urpmi shutter Package shutter-0.93-4.mga5.noarch is already installed Using shutter I can capture a part of the Firefox browser to a png file. I can then edit that captured image with Gimp. install shutter from updates_testing [root@localhost wilcal]# urpmi shutter Package shutter-0.93-4.1.mga5.noarch is already installed Using shutter I can capture a part of the Firefox browser to a png file. I can then edit that captured image with Gimp. Test platform: Vbox 5.0.2
Whiteboard: MGA5-32-OK => MGA5-32-OK MGA5-64-OK
This update works fine. Testing complete for MGA5, 32-bit & 64-bit Validating the update. Could someone from the sysadmin team push to updates. Thanks
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugs
Advisory uploaded.
Whiteboard: MGA5-32-OK MGA5-64-OK => advisory MGA5-32-OK MGA5-64-OK
I'm not 100% agree to validate this update because of bug 14541 that is still not fixed for now. For me on a mga5_64 french system, shutter does not work/start as it should: ------------------------------------------ $ shutter WARNING: Image::ExifTool is missing --> writing Exif information will be disabled! WARNING: Gtk2::AppIndicator is missing --> there will be no icon showing up in the status bar when running Unity! Cannot decode string with wide characters at /usr/lib/perl5/5.20.1/x86_64-linux-thread-multi/Encode.pm line 215, <DATA> line 19. ------------------------------------------ If I want make shutter usable I must run shutter with 'LC_ALL=C' : ------------------------------------------ $ LC_ALL=C shutter WARNING: Image::ExifTool is missing --> writing Exif information will be disabled! WARNING: Gtk2::AppIndicator is missing --> there will be no icon showing up in the status bar when running Unity! ------------------------------------------ Also shutter is misses a Recommends on perl-Image-ExifTool.
What do you think Shlomi? Unvalidating for now.
Keywords: validated_update => (none)
This is a security bug not a functional bug. That should be a separate issue.
(In reply to claire robinson from comment #9) > What do you think Shlomi? Unvalidating for now. The problems reported by "David GEIGER" are unrelated to this security fix, and will hopefully be fixed at a later date. But we should ship this security update now instead of later. Rome was not built in a day.
I agree, and bug 14541 seems to be a very long standing one, so there is no regression in this security update.
Keywords: (none) => validated_update
So we can allow this to move on and leave 14541 as a separate issue?
Indeed, that's why I readded the validated_update keyword.
Yep, I thought Shlomi might be able to respond quickly to the query. Let's not hold this up though.
(In reply to claire robinson from comment #15) > Yep, I thought Shlomi might be able to respond quickly to the query. He did in comment 11 :)
I meant with a fix :P
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0380.html
Status: NEW => RESOLVEDResolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/658311/