← Back to team overview

desktop-packages team mailing list archive

  1. desktop-packages team
  2. Mailing list archive
  3. Message #143558

[Bug 1506823] [NEW] Shell Command Injection with a picture

  Thread PreviousDate PreviousThread Next 
Public bug reported:

mainwindow.py , Line 486
os.system('xdg-open "%s"' % path_from_uri(asset.get_id()))

If you import an image and double click on it to see a preview  , 
 any shell command in the picture name will be executet.

For example :
1) rename a picture to this name

$(xmessage hello world).png

2) import the picture

3) doubleclick on the picture entry  in the media libary.

4) xmessage runs

So, please use subprocess, not os.system

screenshot attached

ProblemType: Bug
DistroRelease: Ubuntu 15.10
Package: pitivi 0.94-4
ProcVersionSignature: Ubuntu 4.2.0-15.18-generic 4.2.3
Uname: Linux 4.2.0-15-generic x86_64
ApportVersion: 2.19.1-0ubuntu2
Architecture: amd64
CurrentDesktop: Unity
Date: Fri Oct 16 12:16:05 2015
InstallationDate: Installed on 2015-10-09 (6 days ago)
InstallationMedia: Ubuntu 15.10 "Wily Werewolf" - Alpha amd64 (20151009)
SourcePackage: pitivi
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: pitivi (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: amd64 apport-bug wily

** Attachment added: "Screenshot.png"
   https://bugs.launchpad.net/bugs/1506823/+attachment/4496768/+files/Screenshot.png

** Attachment removed: "JournalErrors.txt"
   https://bugs.launchpad.net/ubuntu/+source/pitivi/+bug/1506823/+attachment/4496770/+files/JournalErrors.txt

** Attachment removed: "Dependencies.txt"
   https://bugs.launchpad.net/ubuntu/+source/pitivi/+bug/1506823/+attachment/4496769/+files/Dependencies.txt

** Attachment removed: "ProcEnviron.txt"
   https://bugs.launchpad.net/ubuntu/+source/pitivi/+bug/1506823/+attachment/4496771/+files/ProcEnviron.txt

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to pitivi in Ubuntu.
https://bugs.launchpad.net/bugs/1506823

Title:
  Shell Command Injection with a picture

Status in pitivi package in Ubuntu:
  New

Bug description:
  mainwindow.py , Line 486
  os.system('xdg-open "%s"' % path_from_uri(asset.get_id()))

  If you import an image and double click on it to see a preview  , 
   any shell command in the picture name will be executet.

  For example :
  1) rename a picture to this name

  $(xmessage hello world).png

  2) import the picture

  3) doubleclick on the picture entry  in the media libary.

  4) xmessage runs

  So, please use subprocess, not os.system

  screenshot attached

  ProblemType: Bug
  DistroRelease: Ubuntu 15.10
  Package: pitivi 0.94-4
  ProcVersionSignature: Ubuntu 4.2.0-15.18-generic 4.2.3
  Uname: Linux 4.2.0-15-generic x86_64
  ApportVersion: 2.19.1-0ubuntu2
  Architecture: amd64
  CurrentDesktop: Unity
  Date: Fri Oct 16 12:16:05 2015
  InstallationDate: Installed on 2015-10-09 (6 days ago)
  InstallationMedia: Ubuntu 15.10 "Wily Werewolf" - Alpha amd64 (20151009)
  SourcePackage: pitivi
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pitivi/+bug/1506823/+subscriptions

Follow ups

  Thread PreviousDate PreviousThread Next