[for new users] All security related issue to be aware currently

[AkechiShiro]

Describe the bug
No clear announcement of security fixes for

• CVE-2023-34634
• https://greenshot.atlassian.net/browse/SUPPORT-407 (No CVE ID)

To Reproduce
Example steps to reproduce the behavior (few scripts for scripts kiddies available) :

• https://www.exploit-db.com/exploits/51633
• Add CVE-2023-34634, Greenshot Fileformat exploit rapid7/metasploit-framework#18253
• http://packetstormsecurity.com/files/174222/Greenshot-1.3.274-Deserialization-Command-Execution.html
• Grep security in latest unstable release changelog, sadly nothing will be found.
• Unless you read the code of the latest unstable release, you don't know if CVE-2023-34634 is fixed or not, it's pretty unclear since no one answers on security issue opened on this repo (see additional context)
• It should be fixed by this : a152e28#diff-bc9ca9a581e30ebf7dac3a58bbdaa8e76b9eaa821f7f618d50ce21e1b8465015R107-R109
• But I didn't confirm as I'm not using this software.

Expected behavior
Vulnerabilities shouldn't left unanswered and silently fixed in releases, this sets up a very bad example of how to actually handle security issues, fixing them "silently" doesn't help at all.
Also I strongly suggest a security policy be added here to clearly indicate to whom/how and where security issues should be reported.

If that's too much to ask, then update this FAQ : https://getgreenshot.org/faq/is-greenshot-clean/ and add that CVE/Security issues are not a priority for Greenshot, be transparent at least, that would be hugely helpful.

This software is probably the best for screenshots, sadly the handling of security vulnerabilities isn't great.

Versions (please complete the following information):

• Greenshot version 1.2.10 -> 1.3.277
• Windows version (not sure if all are affected)

Additional context

• Security concern #504
• Vulnerability CVE-2023-34634 #505
• Greenshot Arbitrary Code Execution Vulnerability #474

EDIT (Add Workaround Software recommended)

Workaround software recommended :

• Flameshot (open source, cross-platform, maintained, has almost all features of Greenshot)
• ShareX (open source, Windows, maintained, have heard good things about it)
• LightShot (has privacy concerns)
• SnagIt

[AkechiShiro]

@jklingen Could you please pin this issue on the repo, I believe it is of utter importance that new users are aware of the state of this project.

[jklingen]

@AkechiShiro Thanks for the summary.

Just a short notice for now: I agree that our communication on these things could be better, we'll work on this.
The project currently suffers from lack of spare time, which of course also affects our communication. We need to catch up, step by step.

Please understand that we're still doing all of this in our little spare time, so often things take longer than we'd like.

btw: AFAIK both issues you mentioned are fixed in the latest 1.3 (unstable) release.

[AkechiShiro]

Thanks for admitting this failure, I can totally understand, good luck, maintaining open source software is the one of the hard and difficult when done during spare time, everyone use it to run the world but sometimes there are too few contributors
@jklingen

[aeheck]

My company just disallowed the use of Greenshot and I am devestated. I have used this software for 10 years now and I don't want to learn other tools. This is a direct result of the security vulnerabilities that haven't been solved for. I asked some colleagues at my former place of work (10k employees) and they had done the same. Sad day.

[AkechiShiro]

@aeheck some security issues were fixed in the latest unstable release according to @jklingen, they might have been rolled out to a stable release not sure tho, because I don't use Greenshot

If the fixes were released, then I can close this issue.