authorPhoton892016-09-11 09:59:53 +0200
committerPhoton892016-09-11 09:59:53 +0200
commitdec4001ae64c6d06541f21d8b2108687bdbf9ed4 (patch)
tree166276124177f0a79b78545b29ad79a1eba2afc5
parentfded52eb7bf066f843739bed4edbda437ab1a5f3 (diff)
downloadaur-dec4001ae64c6d06541f21d8b2108687bdbf9ed4.tar.gz
Added patch which is fixing lp bug #1495163 (insecure use of system() allows arbitrary code execution via 'Show in Folder')
-rw-r--r--.SRCINFO4
-rw-r--r--CVE-2015-0854.patch41
-rw-r--r--PKGBUILD9
3 files changed, 50 insertions, 4 deletions
diff --git a/.SRCINFO b/.SRCINFO
index b2e218d472e4..9d65039d980f 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,7 +1,7 @@
pkgbase = shutter-bzr
pkgdesc = A featureful screenshot tool (formerly gscrot) - Mario Kemper's Experimental branch
pkgver = 1278
- pkgrel = 5
+ pkgrel = 6
url = http://shutter-project.org/
arch = i686
arch = x86_64
@@ -42,8 +42,10 @@ pkgbase = shutter-bzr
replaces = gscrot
source = bug_1396368.patch
source = bug_1618310.patch
+ source = CVE-2015-0854.patch
md5sums = 0d35f8b2439cb5634fe75d3210d6c3e9
md5sums = 7ee557dbbc0d12f7a1dfdb29b062783c
+ md5sums = 49abe60d2560ab40fffa2c3cdaf1e947
pkgname = shutter-bzr
diff --git a/CVE-2015-0854.patch b/CVE-2015-0854.patch
new file mode 100644
index 000000000000..f21f4fe0c63e
--- /dev/null
+++ b/CVE-2015-0854.patch
@@ -0,0 +1,41 @@
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: lfaraone@debian.org-20150913015632-omhhhksdbz1j2jno
+# target_branch: bzr+ssh://bazaar.launchpad.net/+branch/shutter/
+# testament_sha1: 657f895d801b5ee567032599e2f961f4537a25db
+# timestamp: 2015-09-13 01:59:36 +0000
+# base_revision_id: mario.kemper@googlemail.com-20141223230202-\
+# b58zlfo5qb5e2cxt
+#
+# Begin patch
+=== modified file 'share/shutter/resources/modules/Shutter/App/HelperFunctions.pm'
+--- share/shutter/resources/modules/Shutter/App/HelperFunctions.pm 2013-08-25 18:40:51 +0000
++++ share/shutter/resources/modules/Shutter/App/HelperFunctions.pm 2015-09-13 01:56:32 +0000
+@@ -53,7 +53,8 @@
+
+ sub xdg_open {
+ my ( $self, $dialog, $link, $user_data ) = @_;
+- system("xdg-open $link");
++ @args = ("xdg-open", "$link");
++ system(@args);
+ if($?){
+ my $response = $self->{_dialogs}->dlg_error_message(
+ sprintf( $self->{_d}->get("Error while executing %s."), "'xdg-open'"),
+
+# Begin bundle
+IyBCYXphYXIgcmV2aXNpb24gYnVuZGxlIHY0CiMKQlpoOTFBWSZTWZZuoZoAAW9fgAAwVGf//1tE
+AwC///9wUAN1zXYu9esG49hKKaaU/Qyp+inpPSPSNGnk0htRkGTQBkiZNTyNDERMIAaDTQ0GgBJI
+CIyamntFNpANAAAA0BtSmCk8psmU9NGo0Mag0BoB6g0Ekk0hPUzRtU09PVPaQ1DT1MmQNDQBBblC
+nItOGKCVEFKr4EB+TV5NqXlTTXPaxEQcN441NfLGUe1jMvoUPf93Zo8lTOpwrtjxqi6rujPaNUTV
+CagXS99rU4yR4fKPswKdWLkQ5VnuJbY6NKVyUAsM7nT6pQRQzXzlE23uIdEQUEMMZJKbdB5pRKIy
+WL1scnBLBNC4at+6OQjGy1T/mLa0YWkVTkCusoYWDle1hRXrGz2YOUzUVdaddmut7OCLS7MSRXeg
+caOMglpIqkaoqSvYLzbAsT+V20WStwoXb7rBRTYj4ycKqQLBHRkHWCVzJ0ibdSjXciltChrcqiQF
+YgsAZ7MNOYQGgVgpP8OwBDLnM61xWspggxkwGN1KjeLWHDOYBhoHuD7V0EzQRjE9+BzPN6pDFd4W
+5mbO1dxUQMJZ1WQhVIGoXzjJtObPAzQaMYhdAk5NBoj5hObdpkZjteVvW9dHtjvycid4PkVRV2w+
+2SStovOFXNFQht4TkHBfKUS0mWA3bXY7THAPIN9FWaZKdBn2cr0qUcSkLlR3l5pvSyxEs7LxNIXS
+mvErI+rurPau4IOalJSpU81T54yIjOIoquDxU/BXqXpxb5/M6chvLB2a+xbMBmGrnRJp51kfOGzQ
+ia23MH3Yy0rg15C2iZbPmQ5RKSoIhYUn8mUK8M6GYsayXUYgwJ0sqga7syWoa3c+w4lJ9679VCcY
+iAGhmyI1BsB5lIhh41Vi0gp8qriUeKTQ3/yaeBAIqYzlwY6+Mel9IVBzLrDP5vovFKZXClW3DgEQ
+kKjWFoUBM4OT1vC4uG0Ru71+XFsMip2uGNAODnDSsTsxOKTPeYAnGezwmNc05BJ4k2DYocSE5hjD
+UtjJyTOMs0Ur+cMwmmFgFHLIK5cDrA4UrVR6tdSSvozJ5EYME6tTuwnxJy71DECoNbwLYORVloIE
+0ojtLgetx9uCjjOYYObUq9UOcX9cZNobWDtirXS1ZsJhU0+MrslK3DBAEEBWNjaOeMS1wDwGIbJa
+ma5f3PtQMadvqUGhLdV0lL1WmatWtdlWxD5LyMmc/xdyRThQkJZuoZo=
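Review bot: The added line `@args = ("xdg-open", "$link");` assigns to an array that is never declared with `my`; if HelperFunctions.pm runs under `use strict` (its preamble is not in the hunk) the module will not compile, and without it the call arguments land in a package global. Passing the list directly, `system("xdg-open", $link);`, avoids the variable and the redundant quoting while still keeping the shell out of the call. The list form only removes shell interpretation; `$link` is still handed to xdg-open unchecked, so confirming it is the expected path or URL before the call would be a reasonable extra guard. xdg_open's body continues past the end of the hunk.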
diff --git a/PKGBUILD b/PKGBUILD
index b12ad064a648..8e5033ea45f2 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -4,7 +4,7 @@
pkgname=shutter-bzr
_realname=shutter
pkgver=1278
-pkgrel=5
+pkgrel=6
pkgdesc="A featureful screenshot tool (formerly gscrot) - Mario Kemper's Experimental branch"
arch=('i686' 'x86_64')
url="http://shutter-project.org/"
@@ -30,9 +30,11 @@ provides=('gscrot' 'shutter')
conflicts=('shutter')
replaces=('gscrot')
source=('bug_1396368.patch'
- 'bug_1618310.patch')
+ 'bug_1618310.patch'
+ 'CVE-2015-0854.patch')
md5sums=('0d35f8b2439cb5634fe75d3210d6c3e9'
- '7ee557dbbc0d12f7a1dfdb29b062783c')
+ '7ee557dbbc0d12f7a1dfdb29b062783c'
+ '49abe60d2560ab40fffa2c3cdaf1e947')
_bzrtrunk=lp:shutter
_bzrmod=trunk
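Review bot: The checksum added for `CVE-2015-0854.patch` goes into `md5sums`, and MD5 is not collision resistant, so it is a weak integrity check for a file that carries a security fix. Moving the whole array to `sha256sums` (all three entries, here and in the matching .SRCINFO hunk) would give a meaningful check. The new values should be regenerated with `updpkgsums` or `makepkg -g` rather than written by hand.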
@@ -55,6 +57,7 @@ build() {
cp -r ./${_bzrmod}/* ./${_bzrmod}-build
patch ${srcdir}/${_bzrmod}-build/share/shutter/resources/system/upload_plugins/upload/Dropbox.pm < bug_1396368.patch
patch ${srcdir}/${_bzrmod}-build/bin/shutter < bug_1618310.patch
+ patch ${srcdir}/${_bzrmod}-build/share/shutter/resources/modules/Shutter/App/HelperFunctions.pm < CVE-2015-0854.patch
}
package() {
cd ${srcdir}/${_bzrmod}-build
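Review bot: The added `patch` line in build() leaves `${srcdir}` unquoted, and nothing visible checks that the patch actually applied. That matters here because the sources come from a moving trunk (`_bzrtrunk=lp:shutter`), so a rejected hunk would leave the package without the fix its pkgrel bump advertises. Quoting the target, `patch "${srcdir}/${_bzrmod}-build/share/shutter/resources/modules/Shutter/App/HelperFunctions.pm" < CVE-2015-0854.patch`, and failing the build on a non-zero exit would make that visible; whether makepkg already aborts on the failure cannot be told from this hunk. The same applies to the two existing `patch` lines above it.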