desktop-packages team mailing list archive
Message #154233
[Bug 1495272] Re: Insecure use of os.system()
Fixed in 0.95-1.
** Information type changed from Private Security to Public Security
** Changed in: pitivi (Ubuntu)
       Status: Expired => Fix Released
** Changed in: pitivi (Ubuntu)
     Assignee: (unassigned) => Luke Faraone (lfaraone)
--
https://bugs.launchpad.net/bugs/1495272
Title:
  Insecure use of os.system()
Status in pitivi package in Ubuntu:
  Fix Released
Status in pitivi source package in Precise:
  Invalid
Status in pitivi source package in Trusty:
  Expired
Status in pitivi source package in Vivid:
  Expired
Status in pitivi source package in Wily:
  Expired
Bug description:
SYNOPSIS:
Double-clicking a file in the user's media library with
a specially-crafted path or filename allows for
arbitrary code execution with the permissions of the
user running Pitivi.
STEPS TO REPRODUCE:
1. Create a directory hierarchy like so: "images/$(xeyes)/"
2. Place an image "hello.png" in "images/$(xeyes)/".
3. Drag and drop "images" to the Pitivi media library.
4. Double click the image "hello.png" in the media library.
The `xeyes` program (if installed on your system) should start.
See pitivi/mainwindow.py:_mediaLibraryPlayCb().
An exploit scenario would require an attacker to provide a
specially-crafted directory hierarchy or file path. Since Pitivi does
not expose the path to the user, and a workflow of consuming content
created by others is common when working with media files, such a
scenario occurring is not hard to imagine.
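The class of bug reported above, next to two common remedies, as an added example that is not part of the original message and is not Pitivi's code or its actual fix. The `PLAYER` stand-in, the function names and the `$(echo SUBSTITUTED)` directory are assumptions constructed for the demonstration; a harmless `echo` takes the place of `xeyes`.

```python
import os
import shlex
import subprocess
import sys
import tempfile

# Hypothetical stand-in for a media previewer: it writes back the one argument it received.
PLAYER = [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])"]
PLAYER_CMD = " ".join(shlex.quote(a) for a in PLAYER)


def play_via_shell(path):
    """Weak pattern: the path is pasted into a string that /bin/sh parses, as os.system() does.
    Double quotes do not help, because the shell still expands $(...) inside them."""
    cmd = PLAYER_CMD + ' "%s"' % path
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def play_via_argv(path):
    """Hardened: no shell is involved; the path is a single argv element, passed as-is."""
    return subprocess.run(PLAYER + [path], capture_output=True, text=True).stdout


def play_via_quoted_shell(path):
    """Fallback when a shell string cannot be avoided: shlex.quote() every untrusted part."""
    cmd = PLAYER_CMD + " " + shlex.quote(path)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def demo():
    """Build a constructed hierarchy shaped like the report's and return what each variant saw."""
    with tempfile.TemporaryDirectory() as root:
        directory = os.path.join(root, "images", "$(echo SUBSTITUTED)")
        os.makedirs(directory)  # such names are legal on the filesystem
        path = os.path.join(directory, "hello.png")
        open(path, "wb").close()
        return path, play_via_shell(path), play_via_argv(path), play_via_quoted_shell(path)


if __name__ == "__main__":
    real, shell_saw, argv_saw, quoted_saw = demo()
    print("real path           :", real)
    print("shell string saw    :", shell_saw)   # directory name was executed and replaced
    print("argv list saw       :", argv_saw)
    print("quoted shell saw    :", quoted_saw)
```

When reviewing other code for the same problem, look for `os.system()`, `os.popen()` and `shell=True` calls whose command string includes a file name, path or URI that the user did not type.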