Insecure use of os.system()
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
| pitivi (Ubuntu) |
Undecided
|
Luke Faraone | ||
| Precise |
Undecided
|
Unassigned | ||
| Trusty |
Undecided
|
Unassigned | ||
| Vivid |
Undecided
|
Unassigned | ||
| Wily |
Undecided
|
Unassigned |
Bug Description
SYNOPSIS:
a specially-crafted path or filename allows for
arbitrary code execution with the permissions of the
user running Pitivi.
STEPS TO REPRODUCE:
1. Create a directory hierarchy like so: "images/$(xeyes)/"
2. Place an image "hello.png" in "images/$(xeyes)/".
2. Drag and drop "images" to the Pitivi media library.
3. Double click the image "hello.png" in the media library
The `xeyes` program (if installed on your system) should start.
See pitivi/
An exploit scenario would require an attacker to provide a
specially-crafted directory hierarchy or file path. Since Pitivi does
not expose the path to the user, and a workflow of consuming content
created by others is common when working with media files, such a
scenario occurring is not hard to imagine.
CVE References
Luke Faraone (lfaraone) wrote : | #1 |
Tyler Hicks (tyhicks) wrote : | #3 |
Hi Luke - Thanks for reporting this issue. Is there a patch and/or coordinated release date for this issue?
Tyler Hicks (tyhicks) wrote : | #4 |
My apologies. I now see the attached patch.
Tyler Hicks (tyhicks) wrote : | #5 |
Precise is not affected, which is the only current Ubuntu release which has pitivi in main. Pitivi is community supported in all affected Ubuntu releases.
Changed in pitivi (Ubuntu Precise): | |
status: | New → Invalid |
Changed in pitivi (Ubuntu Trusty): | |
status: | New → Confirmed |
Changed in pitivi (Ubuntu Vivid): | |
status: | New → Confirmed |
Changed in pitivi (Ubuntu Wily): | |
status: | New → Confirmed |
Tyler Hicks (tyhicks) wrote : | #6 |
_playRenderedFi
Changed in pitivi (Ubuntu): | |
status: | Confirmed → Incomplete |
Changed in pitivi (Ubuntu Precise): | |
status: | Invalid → Incomplete |
Changed in pitivi (Ubuntu Trusty): | |
status: | Confirmed → Incomplete |
Changed in pitivi (Ubuntu Vivid): | |
status: | Confirmed → Incomplete |
Tyler Hicks (tyhicks) wrote : | #7 |
Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https:/
Changed in pitivi (Ubuntu Precise): | |
status: | Incomplete → Invalid |
Launchpad Janitor (janitor) wrote : | #8 |
[Expired for pitivi (Ubuntu Vivid) because there has been no activity for 60 days.]
Changed in pitivi (Ubuntu Vivid): | |
status: | Incomplete → Expired |
Launchpad Janitor (janitor) wrote : | #9 |
[Expired for pitivi (Ubuntu Trusty) because there has been no activity for 60 days.]
Changed in pitivi (Ubuntu Trusty): | |
status: | Incomplete → Expired |
Launchpad Janitor (janitor) wrote : | #10 |
[Expired for pitivi (Ubuntu Wily) because there has been no activity for 60 days.]
Changed in pitivi (Ubuntu Wily): | |
status: | Incomplete → Expired |
Launchpad Janitor (janitor) wrote : | #11 |
[Expired for pitivi (Ubuntu) because there has been no activity for 60 days.]
Changed in pitivi (Ubuntu): | |
status: | Incomplete → Expired |
Luke Faraone (lfaraone) wrote : | #12 |
Fixed in 0.95-1.
information type: | Private Security → Public Security |
Changed in pitivi (Ubuntu): | |
status: | Expired → Fix Released |
assignee: | nobody → Luke Faraone (lfaraone) |
Debian has assigned a CVE; contacted GNOME Security Team.