openSUSE has issued an advisory today (August 18): https://lists.opensuse.org/opensuse-updates/2017-08/msg00081.html Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO, MGA5TOO
Version: Cauldron => 6Whiteboard: MGA6TOO, MGA5TOO => MGA5TOOCC: (none) => mageia
pushed in updates_testing src.rpm: shutter-0.93.1-6.1.mga6 shutter-0.93.1-1.2.mga5
Assignee: shlomif => qa-bugs
Nicolas: in Cauldron, you seem to have missed the patch from https://bugs.launchpad.net/shutter/+bug/1652600 - namely fix-perl-system-calls.patch .
CC: (none) => shlomif
Advisory: ======================== Updated shutter package fixes security vulnerability: Remote attackers could trick users into assisting them in executing arbitrary commands via a crafted image name that is mishandled during a "Run a plugin" action (CVE-2016-10081). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10081 https://lists.opensuse.org/opensuse-updates/2017-08/msg00081.html ======================== Updated packages in core/updates_testing: ======================== shutter-0.93.1-1.2.mga5 shutter-0.93.1-6.1.mga6 from SRPMS: shutter-0.93.1-1.2.mga5.src.rpm shutter-0.93.1-6.1.mga6.src.rpm
Working on this for mga6 x86_64. shutter is a very feature-rich screenshot application so it will take a while to explore. Starting with the man page examples. Setting up a profile is to be recommended.
CC: (none) => tarazed25
The description at https://bugs.launchpad.net/shutter/+bug/1652600 gives a procedure for reproducing the exploit but I had difficulties with it. <quote> STEPS TO REPRODUCE: 1) Rename an image to something like "$(firefox)" 2) Open the renamed file in shutter 3) Click the "Run a plugin" option and select any plugin from the list and click "Run" You should see firefox browser opened as separate process. </quote> That looks pretty straightforward but in fact it does not work because the shutter interface filters files by their extensions, making it is impossible to find the renamed file. Earlier a screenshot of the terminal had been saved with this name: lcl@belexeuli:~-qa-shutter_001.png. Renaming it to '$(firefox)' rendered it invisible in the open dialogue with all supported image formats enabled. The choices are that or an individual extension like JPG or PNG. There is no 'all files' option.
Tested on mga6 - x86_64 - 3K monitor. Used shutter to set up a user profile beforehand then installed the update. Experimented with some of the options such as capturing the whole desktop, selecting a window and selecting an area of the screen. Saved a screenshot to a different directory from the one defined in the profile and also saved a couple as one page PDFs. All the images displayed correctly. The package seems to be functioning as designed. Attaching a screenshot of a single window. The quality is indistinguishable from the original.
Created attachment 9617 [details] shutter single window screenshot
Whiteboard: MGA5TOO => MGA5TOO MGA6-64-OK
Whiteboard: MGA5TOO MGA6-64-OK => MGA5TOO MGA6-64-OK advisoryCC: (none) => lewyssmith
Tested this on x86_64 for mga5. Installed shutter and set up preferred storage directory. Upstaed the package and used some of the menu options to store screenshots of the whole desktop, individual windows and a selected rgion of the desktop. Exported one of the screenshots to a PDF file and viewed it as a one-page document. OK for 64-bits.
Whiteboard: MGA5TOO MGA6-64-OK advisory => MGA5TOO MGA5-64-OK advisory MGA6-64-OK
Validating: 1 good OK per M5/M6; once more super work Len.
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0292.html
Status: NEW => RESOLVEDResolution: (none) => FIXED