File CVE-2016-10081.patch of Package shutter

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2016-10081.patch of Package shutter

Bug: https://bugs.launchpad.net/shutter/+bug/1652600
Bug-Debian: https://bugs.debian.org/849777
Forwarded: https://bugs.launchpad.net/shutter/+bug/1652600/comments/6
Author: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
Description: fix insecure use of perl exec()
 The patch attached uses the multi-argument invocation and also changes
 it in the code path for non-Perl plugins.
--- a/bin/shutter
+++ b/bin/shutter
@@ -7164,8 +7164,13 @@
             elsif ( $pid == 0 ) {
 
                 #see Bug #661424
-                my $qfilename = quotemeta $session_screens{$key}->{'long'};
-                exec( sprintf( "$^X $plugin_value %d $qfilename $session_screens{$key}->{'width'} $session_screens{$key}->{'height'} $session_screens{$key}->{'filetype'}\n", $socket->get_id ) );
+                #my $qfilename = quotemeta $session_screens{$key}->{'long'};
+                exec( $^X, $plugin_value,
+                    $socket->get_id,
+                    $session_screens{$key}->{'long'},
+                    $session_screens{$key}->{'width'},
+                    $session_screens{$key}->{'height'},
+                    $session_screens{$key}->{'filetype'} );
             }
 
             $sdialog->show_all;
@@ -7198,11 +7203,15 @@
             my $plugin_process = Proc::Simple->new;
 
             #see Bug #661424
-            my $qfilename = quotemeta $session_screens{$key}->{'long'};
+            #my $qfilename = quotemeta $session_screens{$key}->{'long'};
 
             $plugin_process->start(
                 sub {
-                    system("'$plugin_value' $qfilename '$session_screens{$key}->{'width'}' '$session_screens{$key}->{'height'}' '$session_screens{$key}->{'filetype'}' ");
+                    system( $plugin_value,
+                        $session_screens{$key}->{'long'},
+                        $session_screens{$key}->{'width'},
+                        $session_screens{$key}->{'height'},
+                        $session_screens{$key}->{'filetype'} );
                     POSIX::_exit(0);
                 }
             );

Places

File CVE-2016-10081.patch of Package shutter

Places