Ubuntu
pitivi package

Shell Command Injection with a picture

Bug #1506823 reported by Bernd Dietzel on 2015-10-16

12

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	pitivi (Ubuntu)	Fix Released	Undecided	Unassigned

Bug Description

mainwindow.py , Line 486
os.system('xdg-open "%s"' % path_from_uri(asset.get_id()))

If you import an image and double click on it to see a preview ,
any shell command in the picture name will be executet.

For example :
1) rename a picture to this name

$(xmessage hello world).png

2) import the picture

3) doubleclick on the picture entry in the media libary.

4) xmessage runs

So, please use subprocess, not os.system

screenshot attached

ProblemType: Bug
DistroRelease: Ubuntu 15.10
Package: pitivi 0.94-4
ProcVersionSignature: Ubuntu 4.2.0-15.18-generic 4.2.3
Uname: Linux 4.2.0-15-generic x86_64
ApportVersion: 2.19.1-0ubuntu2
Architecture: amd64
CurrentDesktop: Unity
Date: Fri Oct 16 12:16:05 2015
InstallationDate: Installed on 2015-10-09 (6 days ago)
InstallationMedia: Ubuntu 15.10 "Wily Werewolf" - Alpha amd64 (20151009)
SourcePackage: pitivi
UpgradeStatus: No upgrade log present (probably fresh install)

Tags:

Revision history for this message

Bernd Dietzel (l-ubuntuone1104) wrote on 2015-10-16:

#1

Screenshot.png Edit (269.5 KiB, image/png)

Revision history for this message

Bernd Dietzel (l-ubuntuone1104) wrote on 2015-10-24:

#2

patch for mainwindow.py , pitivi Version 0.94 Edit (311 bytes, text/plain)

Patch to fix the shell command injection
pitivi Version 0.94

Revision history for this message

Ubuntu Foundations Team Bug Bot (crichton) wrote on 2015-10-24:

#3

The attachment "patch for mainwindow.py , pitivi Version 0.94" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags:

added: patch

Revision history for this message

Daniel Holbach (dholbach) wrote on 2015-10-26:

#4

Upstream almost went for the same solution: https://git.gnome.org/browse/pitivi/tree/pitivi/mainwindow.py

if asset.is_image():
subprocess.call(['xdg-open', str(path_from_uri(asset.get_id()))])

I'll go with that then.

Revision history for this message

Launchpad Janitor (janitor) wrote on 2015-10-27:

#5

This bug was fixed in the package pitivi - 0.94-4ubuntu1

---------------
pitivi (0.94-4ubuntu1) xenial; urgency=medium

  * d/patches/from_upstream_shell_command_injection.patch: apply upstream
    commit to fix possible shell command injection. Thanks Bernd Dietzel for
    bringing it up. (LP: #1506823)

-- Daniel Holbach <email address hidden> Mon, 26 Oct 2015 09:52:09 +0100

Changed in pitivi (Ubuntu):
status:	New → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Patches

patch for mainwindow.py , pitivi Version 0.94 Edit

Add patch

Bug attachments

Screenshot.png Edit

Add attachment

Remote bug watches

Bug watches keep track of this bug in other bug trackers.