
desktop-packages team mailing list archive

[Bug 1495272] Re: Insecure use of os.system()

 

Fixed in 0.95-1.

** Information type changed from Private Security to Public Security

** Changed in: pitivi (Ubuntu)
       Status: Expired => Fix Released

** Changed in: pitivi (Ubuntu)
     Assignee: (unassigned) => Luke Faraone (lfaraone)

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to pitivi in Ubuntu.
https://bugs.launchpad.net/bugs/1495272

Title:
  Insecure use of os.system()

Status in pitivi package in Ubuntu:
  Fix Released
Status in pitivi source package in Precise:
  Invalid
Status in pitivi source package in Trusty:
  Expired
Status in pitivi source package in Vivid:
  Expired
Status in pitivi source package in Wily:
  Expired

Bug description:
  SYNOPSIS:
         Double-clicking a file in the user's media library with
         a specially-crafted path or filename allows for
         arbitrary code execution with the permissions of the
         user running Pitivi.

  STEPS TO REPRODUCE:
      1. Create a directory hierarchy like so: "images/$(xeyes)/"
      2. Place an image "hello.png" in "images/$(xeyes)/".
      3. Drag and drop "images" to the Pitivi media library.
      4. Double click the image "hello.png" in the media library

  The `xeyes` program (if installed on your system) should start.

  See pitivi/mainwindow.py:_mediaLibraryPlayCb().

  An exploit scenario would require an attacker to provide a
  specially-crafted directory hierarchy or file path. Since Pitivi does
  not expose the path to the user, and a workflow of consuming content
  created by others is common when working with media files, such a
  scenario occurring is not hard to imagine.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pitivi/+bug/1495272/+subscriptions
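The injection mechanism the bug description reports, as an added example. This is not Pitivi's code and not the change that shipped in 0.95-1: it reproduces only the pattern at issue (a file path interpolated into a string handed to os.system(), which /bin/sh expands before any program sees it) and puts two fixes beside it. `echo` stands in for whatever player command the real _mediaLibraryPlayCb() ran, the payload creates a marker file instead of starting `xeyes` so the effect can be checked, the function names are mine, and a POSIX shell is assumed.

```python
import os
import shlex
import subprocess
import tempfile

# Added example, not Pitivi's code. 'echo' stands in for the player command
# the real callback ran; the payload creates a marker file instead of starting
# xeyes so that the effect can be checked programmatically (POSIX sh assumed).


def vulnerable_play(path: str) -> int:
    """The pattern the bug describes: a file path interpolated into a shell
    command string. os.system() hands the string to /bin/sh, which expands
    $(...) before the command ever sees the path."""
    return os.system("echo %s" % path)


def quoted_shell_play(path: str) -> int:
    """If a shell string is unavoidable, shlex.quote() wraps the path in
    single quotes, inside which the shell performs no expansion."""
    return os.system("echo %s" % shlex.quote(path))


def hardened_play(path: str) -> str:
    """Preferred fix: no shell at all. The argument list goes to execve()
    verbatim, so "$(...)" is just bytes in a filename. Returns the path as
    the child process received it."""
    proc = subprocess.run(["echo", path], check=True,
                          capture_output=True, text=True)
    return proc.stdout.rstrip("\n")


def run_demo() -> dict:
    """Drive all three variants with a crafted path shaped like the one in
    the report (images/$(xeyes)/hello.png) and record what actually ran."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, play in (("os_system", vulnerable_play),
                           ("quoted_shell", quoted_shell_play),
                           ("subprocess_list", hardened_play)):
            marker = os.path.join(tmp, "marker_" + name)
            # Constructed attacker-controlled path; the directory component
            # carries the command substitution, just as "$(xeyes)" did.
            crafted = "images/$(touch %s)/hello.png" % marker
            play(crafted)
            # If the marker file exists, the shell executed the payload.
            results[name + "_executed_payload"] = os.path.exists(marker)
        literal = "images/$(xeyes)/hello.png"
        results["subprocess_list_kept_path_literal"] = (
            hardened_play(literal) == literal)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Only the os.system() variant ends up with a marker file: the directory name was run as a command, exactly as the report describes. The subprocess list form is the one to reach for, since it removes the shell from the path entirely rather than trusting quoting to be applied at every call site.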