← Back to team overview

desktop-packages team mailing list archive

[Bug 1495272] Re: Insecure use of os.system()


Fixed in 0.95-1.

** Information type changed from Private Security to Public Security

** Changed in: pitivi (Ubuntu)
       Status: Expired => Fix Released

** Changed in: pitivi (Ubuntu)
     Assignee: (unassigned) => Luke Faraone (lfaraone)

You received this bug notification because you are a member of Desktop
Packages, which is subscribed to pitivi in Ubuntu.

  Insecure use of os.system()

Status in pitivi package in Ubuntu:
  Fix Released
Status in pitivi source package in Precise:
Status in pitivi source package in Trusty:
Status in pitivi source package in Vivid:
Status in pitivi source package in Wily:

Bug description:
         Double-clicking a file in the user's media library with
         a specially-crafted path or filename allows for
         arbitrary code execution with the permissions of the
         user running Pitivi.

      1. Create a directory hierarchy like so: "images/$(xeyes)/"
      2. Place an image "hello.png" in "images/$(xeyes)/".
      2. Drag and drop "images" to the Pitivi media library.
      3. Double click the image "hello.png" in the media library

  The `xeyes` program (if installed on your system) should start.

  See pitivi/mainwindow.py:_mediaLibraryPlayCb().

  An exploit scenario would require an attacker to provide a
  specially-crafted directory hierarchy or file path. Since Pitivi does
  not expose the path to the user, and a workflow of consuming content
  created by others is common when working with media files, such a
  scenario occurring is not hard to imagine.

To manage notifications about this bug go to: