Shell Command Injection with a picture

Bug #1506823 reported by Bernd Dietzel
Affects: pitivi (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned

Bug Description

mainwindow.py, line 486:
os.system('xdg-open "%s"' % path_from_uri(asset.get_id()))

If you import an image and double-click on it to see a preview,
any shell command in the picture name will be executed.

For example:
1) rename a picture to this name

$(xmessage hello world).png

2) import the picture

3) double-click on the picture entry in the media library.

4) xmessage runs

So, please use subprocess, not os.system

screenshot attached

ProblemType: Bug
DistroRelease: Ubuntu 15.10
Package: pitivi 0.94-4
ProcVersionSignature: Ubuntu 4.2.0-15.18-generic 4.2.3
Uname: Linux 4.2.0-15-generic x86_64
ApportVersion: 2.19.1-0ubuntu2
Architecture: amd64
CurrentDesktop: Unity
Date: Fri Oct 16 12:16:05 2015
InstallationDate: Installed on 2015-10-09 (6 days ago)
InstallationMedia: Ubuntu 15.10 "Wily Werewolf" - Alpha amd64 (20151009)
SourcePackage: pitivi
UpgradeStatus: No upgrade log present (probably fresh install)

Revision history for this message
Bernd Dietzel (l-ubuntuone1104) wrote :

Patch to fix the shell command injection
pitivi Version 0.94

Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "patch for mainwindow.py , pitivi Version 0.94" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Revision history for this message
Daniel Holbach (dholbach) wrote :

Upstream almost went for the same solution: https://git.gnome.org/browse/pitivi/tree/pitivi/mainwindow.py

        if asset.is_image():
            subprocess.call(['xdg-open', str(path_from_uri(asset.get_id()))])

I'll go with that then.
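Added example (not from the report, the attached patch, or pitivi itself) showing the difference between the vulnerable line in the description and the argv-list fix quoted above. It uses a constructed file name with a harmless `$(echo ...)` substitution and a small Python one-liner standing in for xdg-open, so it runs offline and shows what the viewer actually receives in each case.

```python
"""Constructed demonstration of the bug above (not pitivi code): the same
file name passed through a shell-interpolated command vs. an argv list."""
import subprocess
import sys

# Constructed sample name: a file name that contains a shell command
# substitution, in the spirit of the report's "$(xmessage hello world).png".
# A harmless `echo` is used so the effect is visible in the output.
SAMPLE_NAME = "$(echo injected).png"

# Stand-in for xdg-open: a tiny "viewer" that just reports the path it got.
VIEWER = [sys.executable, "-c", "import sys; print(sys.argv[1])"]


def build_shell_command(path):
    """Mirror the vulnerable line: the path is pasted into a shell string,
    so anything the shell understands ($(...), backticks, quotes) is live."""
    return "%s -c 'import sys; print(sys.argv[1])' \"%s\"" % (sys.executable, path)


def open_unsafe(path):
    """os.system-style call: shell=True hands the interpolated string to sh,
    which performs the substitution. Returns what the viewer received."""
    result = subprocess.run(build_shell_command(path), shell=True,
                            capture_output=True, text=True, check=True)
    return result.stdout.rstrip("\n")


def open_safe(path):
    """The shape of the fix: argv list, no shell, the name is one argument
    and is delivered byte-for-byte. Returns what the viewer received."""
    result = subprocess.run(VIEWER + [path], capture_output=True,
                            text=True, check=True)
    return result.stdout.rstrip("\n")


if __name__ == "__main__":
    print("shell string :", open_unsafe(SAMPLE_NAME))  # injected.png
    print("argv list    :", open_safe(SAMPLE_NAME))    # $(echo injected).png
```

The unsafe path prints `injected.png` because sh ran the substitution before the viewer ever saw the name; the argv-list path prints the name unchanged, which is why the upstream `subprocess.call([...])` form closes the bug.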

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pitivi - 0.94-4ubuntu1

---------------
pitivi (0.94-4ubuntu1) xenial; urgency=medium

  * d/patches/from_upstream_shell_command_injection.patch: apply upstream
    commit to fix possible shell command injection. Thanks Bernd Dietzel for
    bringing it up. (LP: #1506823)

 -- Daniel Holbach <email address hidden> Mon, 26 Oct 2015 09:52:09 +0100

Changed in pitivi (Ubuntu):
status: New → Fix Released