Insecure use of os.system()

Bug #1495272 reported by Luke Faraone on 2015-09-13
This bug affects 1 person
Affects            Importance   Assigned to
pitivi (Ubuntu)    Undecided    Luke Faraone
Precise            Undecided    Unassigned
Trusty             Undecided    Unassigned
Vivid              Undecided    Unassigned
Wily               Undecided    Unassigned

Bug Description

SYNOPSIS:
       Double-clicking a file in the user's media library with
       a specially-crafted path or filename allows for
       arbitrary code execution with the permissions of the
       user running Pitivi.

STEPS TO REPRODUCE:
    1. Create a directory hierarchy like so: "images/$(xeyes)/"
    2. Place an image "hello.png" in "images/$(xeyes)/".
    3. Drag and drop "images" to the Pitivi media library.
    4. Double click the image "hello.png" in the media library.

The `xeyes` program (if installed on your system) should start.

See pitivi/mainwindow.py:_mediaLibraryPlayCb().

An exploit scenario would require an attacker to provide a
specially-crafted directory hierarchy or file path. Since Pitivi does
not expose the path to the user, and a workflow of consuming content
created by others is common when working with media files, such a
scenario occurring is not hard to imagine.
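
The pattern named in the bug title next to two safer forms, as an added example that is not part of the original report and is not Pitivi's code. `printf` stands in for the external viewer so the argument it receives can be inspected; the function names and the sample path are constructed for illustration.

```python
import shlex
import subprocess

# Constructed sample: same shape as the report's "images/$(xeyes)/" directory,
# but with a harmless substitution so the effect shows up in the output.
CRAFTED_PATH = "images/$(echo INJECTED)/hello.png"


def _run(cmd, shell):
    # Return what the stand-in viewer (printf) received as its argument.
    done = subprocess.run(cmd, shell=shell, capture_output=True, text=True, check=True)
    return done.stdout.rstrip("\n")


def open_unsafe(path):
    # Same semantics as os.system(): the string is handed to /bin/sh -c, so
    # $(...) inside the double quotes is executed before the viewer starts.
    return _run("printf '%s\\n' \"" + path + "\"", shell=True)


def open_argv(path):
    # Preferred fix: no shell at all; the path is a single argv element.
    return _run(["printf", "%s\n", path], shell=False)


def open_quoted(path):
    # Fallback when a shell string is unavoidable: quote the path first.
    return _run("printf '%s\\n' " + shlex.quote(path), shell=True)


if __name__ == "__main__":
    for fn in (open_unsafe, open_argv, open_quoted):
        print(f"{fn.__name__:12} -> {fn(CRAFTED_PATH)}")
```

Only `open_unsafe` returns a path that differs from the one passed in, which is the sign that the shell evaluated part of the filename.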

CVE References

Luke Faraone (lfaraone) wrote :

Debian has assigned a CVE; contacted GNOME Security Team.

description: updated
Tyler Hicks (tyhicks) wrote :

Hi Luke - Thanks for reporting this issue. Is there a patch and/or coordinated release date for this issue?

Tyler Hicks (tyhicks) wrote :

My apologies. I now see the attached patch.

Tyler Hicks (tyhicks) wrote :

Precise is not affected, which is the only current Ubuntu release which has pitivi in main. Pitivi is community supported in all affected Ubuntu releases.

Changed in pitivi (Ubuntu Precise):
status: New → Invalid
Changed in pitivi (Ubuntu Trusty):
status: New → Confirmed
Changed in pitivi (Ubuntu Vivid):
status: New → Confirmed
Changed in pitivi (Ubuntu Wily):
status: New → Confirmed
Tyler Hicks (tyhicks) wrote :

_playRenderedFileButtonClickedCb() in render.py is also likely affected in Vivid and Trusty.

Changed in pitivi (Ubuntu):
status: Confirmed → Incomplete
Changed in pitivi (Ubuntu Precise):
status: Invalid → Incomplete
Changed in pitivi (Ubuntu Trusty):
status: Confirmed → Incomplete
Changed in pitivi (Ubuntu Vivid):
status: Confirmed → Incomplete
Tyler Hicks (tyhicks) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Changed in pitivi (Ubuntu Precise):
status: Incomplete → Invalid
Launchpad Janitor (janitor) wrote :

[Expired for pitivi (Ubuntu Vivid) because there has been no activity for 60 days.]

Changed in pitivi (Ubuntu Vivid):
status: Incomplete → Expired
Launchpad Janitor (janitor) wrote :

[Expired for pitivi (Ubuntu Trusty) because there has been no activity for 60 days.]

Changed in pitivi (Ubuntu Trusty):
status: Incomplete → Expired
Launchpad Janitor (janitor) wrote :

[Expired for pitivi (Ubuntu Wily) because there has been no activity for 60 days.]

Changed in pitivi (Ubuntu Wily):
status: Incomplete → Expired
Launchpad Janitor (janitor) wrote :

[Expired for pitivi (Ubuntu) because there has been no activity for 60 days.]

Changed in pitivi (Ubuntu):
status: Incomplete → Expired
Luke Faraone (lfaraone) wrote :

Fixed in 0.95-1.

information type: Private Security → Public Security
Changed in pitivi (Ubuntu):
status: Expired → Fix Released
assignee: nobody → Luke Faraone (lfaraone)
This report contains Public Security information.