FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

shutter -- arbitrary code execution

Affected packages
0.80 <= shutter < 0.93.1_2

Details

VuXML ID: d45ad7ae-5d56-11e5-9ad8-14dae9d210b8
Discovery: 2015-09-13
Entry: 2015-09-17

Luke Farone reports:

In the "Shutter" screenshot application, I discovered that using the "Show in folder" menu option while viewing a file with a specially-crafted path allows for arbitrary code execution with the permissions of the user running Shutter.

References

CVE Name: CVE-2015-0854
URL: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=798862
URL: http://seclists.org/oss-sec/2015/q3/541
URL: https://bugs.launchpad.net/shutter/+bug/1495163