From owner-svn-ports-all@freebsd.org Thu Sep 17 16:17:57 2015 Return-Path: Delivered-To: svn-ports-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 150169CE3E5; Thu, 17 Sep 2015 16:17:57 +0000 (UTC) (envelope-from feld@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 060111A14; Thu, 17 Sep 2015 16:17:57 +0000 (UTC) (envelope-from feld@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.70]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id t8HGHuZ5070897; Thu, 17 Sep 2015 16:17:56 GMT (envelope-from feld@FreeBSD.org) Received: (from feld@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id t8HGHuNW070895; Thu, 17 Sep 2015 16:17:56 GMT (envelope-from feld@FreeBSD.org) Message-Id: <201509171617.t8HGHuNW070895@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: feld set sender to feld@FreeBSD.org using -f From: Mark Felder Date: Thu, 17 Sep 2015 16:17:56 +0000 (UTC) To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r397124 - in head/deskutils/shutter: . files X-SVN-Group: ports-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-ports-all@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: SVN commit messages for the ports tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 17 Sep 2015 16:17:57 -0000 Author: feld Date: Thu Sep 17 16:17:55 2015 New Revision: 397124 URL: https://svnweb.freebsd.org/changeset/ports/397124 Log: Fix arbitrary code execution vulnerability MFH: 2015Q3 Security: CVE-2015-0854 Security: d45ad7ae-5d56-11e5-9ad8-14dae9d210b8 Added: head/deskutils/shutter/files/ head/deskutils/shutter/files/patch-CVE-2015-0854 (contents, props changed) Modified: head/deskutils/shutter/Makefile Modified: head/deskutils/shutter/Makefile ============================================================================== --- head/deskutils/shutter/Makefile Thu Sep 17 16:16:12 2015 (r397123) +++ head/deskutils/shutter/Makefile Thu Sep 17 16:17:55 2015 (r397124) @@ -3,7 +3,7 @@ PORTNAME= shutter PORTVERSION= 0.93.1 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= deskutils MASTER_SITES= http://shutter-project.org/wp-content/uploads/releases/tars/ Added: head/deskutils/shutter/files/patch-CVE-2015-0854 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/deskutils/shutter/files/patch-CVE-2015-0854 Thu Sep 17 16:17:55 2015 (r397124) @@ -0,0 +1,12 @@ +--- share/shutter/resources/modules/Shutter/App/HelperFunctions.pm.orig 2015-09-17 16:09:58 UTC ++++ share/shutter/resources/modules/Shutter/App/HelperFunctions.pm +@@ -53,7 +53,8 @@ sub new { + + sub xdg_open { + my ( $self, $dialog, $link, $user_data ) = @_; +- system("xdg-open $link"); ++ @args = ("xdg-open", "$link"); ++ system(@args); + if($?){ + my $response = $self->{_dialogs}->dlg_error_message( + sprintf( $self->{_d}->get("Error while executing %s."), "'xdg-open'"),