Insecure use of os.system()

Bug #1495272 reported by Luke Faraone
This bug affects 1 person
Affects          Status        Importance  Assigned to   Milestone
pitivi (Ubuntu)  Fix Released  Undecided   Luke Faraone
Precise          Invalid       Undecided   Unassigned
Trusty           Expired       Undecided   Unassigned
Vivid            Expired       Undecided   Unassigned
Wily             Expired       Undecided   Unassigned

Bug Description

SYNOPSIS:
       Double-clicking a file in the user's media library with
       a specially-crafted path or filename allows for
       arbitrary code execution with the permissions of the
       user running Pitivi.

STEPS TO REPRODUCE:
    1. Create a directory hierarchy like so: "images/$(xeyes)/"
    2. Place an image "hello.png" in "images/$(xeyes)/".
    3. Drag and drop "images" to the Pitivi media library.
    4. Double click the image "hello.png" in the media library.

The `xeyes` program (if installed on your system) should start.

See pitivi/mainwindow.py:_mediaLibraryPlayCb().

An exploit scenario would require an attacker to provide a
specially-crafted directory hierarchy or file path. Since Pitivi does
not expose the path to the user, and a workflow of consuming content
created by others is common when working with media files, such a
scenario occurring is not hard to imagine.
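
The unsafe pattern named in the report's title, next to an argument-vector call that avoids it, as an added example (not Pitivi's code and not the attached patch). The opener stand-in, the function names and the marker file are assumptions made for the demonstration; the sample path is constructed after the report's "images/$(xeyes)/" layout.

```python
import os
import shlex
import subprocess
import sys
import tempfile

# Stand-in for the external opener (assumption): prints its one argument unchanged.
OPENER = [sys.executable, "-c", "import sys; print(sys.argv[1])"]


def crafted_path(marker):
    """Constructed sample path; its substitution only creates an empty marker file."""
    return "images/$(touch %s)/hello.png" % shlex.quote(marker)


def open_with_shell_string(path):
    """Unsafe pattern: the path is interpolated into a shell command line."""
    opener = " ".join(shlex.quote(arg) for arg in OPENER)
    # /bin/sh still performs $(...) substitution inside double quotes.
    os.system('%s "%s" >/dev/null' % (opener, path))


def open_with_argv(path):
    """Hardened pattern: argument vector, no shell parses the path."""
    result = subprocess.run(OPENER + [path], capture_output=True,
                            text=True, check=True)
    return result.stdout.rstrip("\n")


def demo():
    """Return (shell form ran the substitution, argv form ran it, argv path intact)."""
    with tempfile.TemporaryDirectory() as tmp:
        marker = os.path.join(tmp, "marker")
        path = crafted_path(marker)

        open_with_shell_string(path)
        shell_ran = os.path.exists(marker)
        if shell_ran:
            os.remove(marker)

        received = open_with_argv(path)
        argv_ran = os.path.exists(marker)
        return shell_ran, argv_ran, received == path


if __name__ == "__main__":
    print(demo())
```
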

Luke Faraone (lfaraone) wrote :

Debian has assigned a CVE; contacted GNOME Security Team.

description: updated
Tyler Hicks (tyhicks) wrote :

Hi Luke - Thanks for reporting this issue. Is there a patch and/or coordinated release date for this issue?

Tyler Hicks (tyhicks) wrote :

My apologies. I now see the attached patch.

Tyler Hicks (tyhicks) wrote :

Precise is not affected, which is the only current Ubuntu release which has pitivi in main. Pitivi is community supported in all affected Ubuntu releases.

Changed in pitivi (Ubuntu Precise):
status: New → Invalid
Changed in pitivi (Ubuntu Trusty):
status: New → Confirmed
Changed in pitivi (Ubuntu Vivid):
status: New → Confirmed
Changed in pitivi (Ubuntu Wily):
status: New → Confirmed
Tyler Hicks (tyhicks) wrote :

_playRenderedFileButtonClickedCb() in render.py is also likely affected in Vivid and Trusty.

Changed in pitivi (Ubuntu):
status: Confirmed → Incomplete
Changed in pitivi (Ubuntu Precise):
status: Invalid → Incomplete
Changed in pitivi (Ubuntu Trusty):
status: Confirmed → Incomplete
Changed in pitivi (Ubuntu Vivid):
status: Confirmed → Incomplete
Tyler Hicks (tyhicks) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Changed in pitivi (Ubuntu Precise):
status: Incomplete → Invalid
Launchpad Janitor (janitor) wrote :

[Expired for pitivi (Ubuntu Vivid) because there has been no activity for 60 days.]

Changed in pitivi (Ubuntu Vivid):
status: Incomplete → Expired
Launchpad Janitor (janitor) wrote :

[Expired for pitivi (Ubuntu Trusty) because there has been no activity for 60 days.]

Changed in pitivi (Ubuntu Trusty):
status: Incomplete → Expired
Launchpad Janitor (janitor) wrote :

[Expired for pitivi (Ubuntu Wily) because there has been no activity for 60 days.]

Changed in pitivi (Ubuntu Wily):
status: Incomplete → Expired
Launchpad Janitor (janitor) wrote :

[Expired for pitivi (Ubuntu) because there has been no activity for 60 days.]

Changed in pitivi (Ubuntu):
status: Incomplete → Expired
Luke Faraone (lfaraone) wrote :

Fixed in 0.95-1.

information type: Private Security → Public Security
Changed in pitivi (Ubuntu):
status: Expired → Fix Released
assignee: nobody → Luke Faraone (lfaraone)