/usr/bin/shutter in Shutter through 0.93.1 allows user-assisted remote attackers to execute arbitrary commands via a crafted image name that is mishandled during a Run a plugin action.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Shutter | Shutter-project | * | 0.93.1 (including) |
| Shutter | Ubuntu | artful | * |
| Shutter | Ubuntu | bionic | * |
| Shutter | Ubuntu | esm-apps/bionic | * |
| Shutter | Ubuntu | esm-apps/xenial | * |
| Shutter | Ubuntu | precise | * |
| Shutter | Ubuntu | trusty | * |
| Shutter | Ubuntu | xenial | * |
| Shutter | Ubuntu | yakkety | * |
| Shutter | Ubuntu | zesty | * |
References
- http://www.securityfocus.com/bid/95351
- https://bugs.launchpad.net/shutter/+bug/1652600
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4QG54GTU45KBIQJLU4WREG4G4JJEUTEJ/
- https://www.exploit-db.com/exploits/41435/
- http://www.securityfocus.com/bid/95351
- https://bugs.launchpad.net/shutter/+bug/1652600
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4QG54GTU45KBIQJLU4WREG4G4JJEUTEJ/
- https://www.exploit-db.com/exploits/41435/