Bug 21560 - shutter new security issue CVE-2016-10081
Summary: shutter new security issue CVE-2016-10081
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5TOO MGA5-64-OK advisory MGA6-64-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2017-08-18 14:07 CEST by David Walser
Modified: 2017-08-21 22:01 CEST (History)
5 users (show)

See Also:
Source RPM: shutter-0.93.1-6.mga6.src.rpm
CVE:
Status comment:


Attachments
shutter single window screenshot (43.77 KB, image/png)
2017-08-20 15:25 CEST, Len Lawrence
Details

Description David Walser 2017-08-18 14:07:32 CEST
openSUSE has issued an advisory today (August 18):
https://lists.opensuse.org/opensuse-updates/2017-08/msg00081.html

Mageia 5 and Mageia 6 are also affected.
David Walser 2017-08-18 14:07:38 CEST

Whiteboard: (none) => MGA6TOO, MGA5TOO

Nicolas Lécureuil 2017-08-18 17:59:30 CEST

Version: Cauldron => 6
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
CC: (none) => mageia

Comment 1 Nicolas Lécureuil 2017-08-18 18:05:28 CEST
pushed in updates_testing
src.rpm:
        shutter-0.93.1-6.1.mga6
        shutter-0.93.1-1.2.mga5

Assignee: shlomif => qa-bugs

Comment 2 Shlomi Fish 2017-08-18 18:26:36 CEST
Nicolas: in Cauldron, you seem to have missed the patch from https://bugs.launchpad.net/shutter/+bug/1652600 - namely fix-perl-system-calls.patch .

CC: (none) => shlomif

Comment 3 David Walser 2017-08-18 20:49:55 CEST
Advisory:
========================

Updated shutter package fixes security vulnerability:

Remote attackers could trick users into assisting them in executing arbitrary
commands via a crafted image name that is mishandled during a "Run a plugin"
action (CVE-2016-10081).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10081
https://lists.opensuse.org/opensuse-updates/2017-08/msg00081.html
========================

Updated packages in core/updates_testing:
========================
shutter-0.93.1-1.2.mga5
shutter-0.93.1-6.1.mga6

from SRPMS:
shutter-0.93.1-1.2.mga5.src.rpm
shutter-0.93.1-6.1.mga6.src.rpm
Comment 4 Len Lawrence 2017-08-19 08:38:41 CEST
Working on this for mga6 x86_64.
shutter is a very feature-rich screenshot application so it will take a while to explore.  Starting with the man page examples.

Setting up a profile is to be recommended.

CC: (none) => tarazed25

Comment 5 Len Lawrence 2017-08-20 12:55:35 CEST
The description at https://bugs.launchpad.net/shutter/+bug/1652600
gives a procedure for reproducing the exploit but I had difficulties with it.

<quote>
STEPS TO REPRODUCE:
   1) Rename an image to something like "$(firefox)"
   2) Open the renamed file in shutter
   3) Click the "Run a plugin" option and select any plugin from the list and click "Run"

   You should see firefox browser opened as separate process.
</quote>

That looks pretty straightforward but in fact it does not work because the shutter interface filters files by their extensions, making it is impossible to find the renamed file.  Earlier a screenshot of the terminal had been saved with this name: lcl@belexeuli:~-qa-shutter_001.png.  Renaming it to '$(firefox)' rendered it invisible in the open dialogue with all supported image formats enabled.  The choices are that or an individual extension like JPG or PNG.  There is no 'all files' option.
Comment 6 Len Lawrence 2017-08-20 15:23:51 CEST
Tested on mga6 - x86_64 - 3K monitor.

Used shutter to set up a user profile beforehand then installed the update.
Experimented with some of the options such as capturing the whole desktop, selecting a window and selecting an area of the screen.  Saved a screenshot to a different directory from the one defined in the profile and also saved a couple as one page PDFs.  All the images displayed correctly.

The package seems to be functioning as designed.  Attaching a screenshot of a single window.  The quality is indistinguishable from the original.
Comment 7 Len Lawrence 2017-08-20 15:25:43 CEST
Created attachment 9617 [details]
shutter single window screenshot
Len Lawrence 2017-08-20 15:26:01 CEST

Whiteboard: MGA5TOO => MGA5TOO MGA6-64-OK

Lewis Smith 2017-08-20 21:07:09 CEST

Whiteboard: MGA5TOO MGA6-64-OK => MGA5TOO MGA6-64-OK advisory
CC: (none) => lewyssmith

Comment 8 Len Lawrence 2017-08-21 13:13:29 CEST
Tested this on x86_64 for mga5.
Installed shutter and set up preferred storage directory.
Upstaed the package and used some of the menu options to store screenshots of the whole desktop, individual windows and a selected rgion of the desktop.  Exported one of the screenshots to a PDF file and viewed it as a one-page document.

OK for 64-bits.
Len Lawrence 2017-08-21 13:15:16 CEST

Whiteboard: MGA5TOO MGA6-64-OK advisory => MGA5TOO MGA5-64-OK advisory MGA6-64-OK

Comment 9 Lewis Smith 2017-08-21 20:13:08 CEST
Validating: 1 good OK per M5/M6; once more super work Len.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 10 Mageia Robot 2017-08-21 22:01:25 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0292.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.