Insecure use of os.system()
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
pitivi (Ubuntu) |
Fix Released
|
Undecided
|
Luke Faraone | ||
Precise |
Invalid
|
Undecided
|
Unassigned | ||
Trusty |
Expired
|
Undecided
|
Unassigned | ||
Vivid |
Expired
|
Undecided
|
Unassigned | ||
Wily |
Expired
|
Undecided
|
Unassigned |
Bug Description
SYNOPSIS:
a specially-crafted path or filename allows for
arbitrary code execution with the permissions of the
user running Pitivi.
STEPS TO REPRODUCE:
1. Create a directory hierarchy like so: "images/$(xeyes)/"
2. Place an image "hello.png" in "images/$(xeyes)/".
2. Drag and drop "images" to the Pitivi media library.
3. Double click the image "hello.png" in the media library
The `xeyes` program (if installed on your system) should start.
See pitivi/
An exploit scenario would require an attacker to provide a
specially-crafted directory hierarchy or file path. Since Pitivi does
not expose the path to the user, and a workflow of consuming content
created by others is common when working with media files, such a
scenario occurring is not hard to imagine.
Debian has assigned a CVE; contacted GNOME Security Team.